News
SharePoint Zero Day Vulnerability Exploited in Government System Breaches
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Sunday detailing active exploitation of a critical SharePoint vulnerability, CVE-2025-53770.
The zero-day flaw has reportedly been used to breach multiple government systems and remains a significant threat to unpatched on-premises SharePoint deployments. According to the advisory, the flaw is tied to a deserialization issue that allows unauthenticated remote code execution. Attackers can exploit the flaw to extract MachineKey configuration values, including the validationKey and decryptionKey, which enable them to forge authentication tokens and execute arbitrary code remotely.
More than 9,000 externally accessible SharePoint servers are at risk, according to security firm Tenable. Microsoft released patches for SharePoint Server 2019 and SharePoint Subscription Edition late on July 20. A patch for SharePoint Server 2016 is expected soon.
"We've been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response," said a Microsoft spokesman, adding that the company has released out-of-band security updates.
Satnam Narang, senior staff research engineer at Tenable, said the fallout of the ongoing attacks could be substantial.
"The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far reaching consequences for those organizations that were affected," Narang said. "Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which includes both a validationKey and a decryptionKey."
Narang added that attackers can then craft requests to achieve unauthenticated remote code execution. He recommended looking for a suspicious file named spinstall0.aspx on SharePoint servers, though the file may appear with other extensions.
Tenable advised organizations to begin incident response efforts immediately and to apply available patches while monitoring Microsoft's guidance for additional mitigations.
Adam Maurer, COO of Connecting Software, emphasized the importance of both software patching and physical architecture improvements.
"This day-one exploit of Microsoft’s systems resulted from a massive and overlooked vulnerability that allowed attackers to execute arbitrary code remotely on unpatched on-premises SharePoint servers across several key sectors," Maurer said.
"It exploited a deserialization flaw within Microsoft’s code, enabling attackers to gain control and access sensitive data," he added.
Maurer recommended air-gapped networks and data diodes to physically restrict access between sensitive servers and external networks.
"If they had been used in this instance, it could have prevented key sensitive information from being exfiltrated through the network, given that the SharePoint server itself would have had no direct network connection to external untrusted networks such as the internet," he said.
He further stressed the importance of pairing physical architecture with zero-trust configurations to block inbound traffic from untrusted sources.
Recommended actions for IT teams include:
- Apply the latest Microsoft patches for SharePoint 2019 and Subscription Edition.
- Monitor for the release of SharePoint 2016 patches.
- Investigate systems for the presence of spinstall0.aspx or other anomalies.
- Rotate cryptographic keys and invalidate sessions on affected servers.
- Evaluate network segmentation and firewall rules around SharePoint deployments.