How quickly can a single vulnerability unfold into a nationwide cybersecurity crisis affecting critical infrastructure? The answer surfaced in July 2025, when exploitation of two Microsoft SharePoint Server vulnerabilities, CVE-2025-53770 and CVE-2025-53771, compromised more than 90 state and local government and critical infrastructure organizations across the United States within days.
The flaws enable the exploitation chain known as “ToolShell”, which gives an unauthenticated attacker arbitrary command execution on a vulnerable server. CVE-2025-53770, the core of the chain, is an unsafe-deserialization bug that yields remote code execution before any authentication takes place; CVE-2025-53771 is the accompanying spoofing flaw that lets the attacker reach that code path without credentials. Only on-premises SharePoint Server installations are affected; SharePoint Online in Microsoft 365 is not.
Both CVEs are bypasses of the July 2025 patches for CVE-2025-49704 and CVE-2025-49706, which means the initial remediation was incomplete. That original pair was demonstrated at Pwn2Own Berlin 2025 by a Viettel Cyber Security researcher; the in-the-wild variants reach the same unsafe deserialization sink through gaps left by Microsoft’s earlier updates.
Federal and state agencies, universities, and energy companies documented compromises as attackers mass-scanned for exposed servers and exploited them at scale. The first wave began on July 17-18, 2025, before any fix for the new CVEs was available, so every Internet-facing on-premises SharePoint server was exposed for the duration of that patch gap.
Dozens of compromised servers appeared within days. Attackers sent crafted POST requests to the /_layouts/15/ToolPane.aspx endpoint with the Referer header set to /_layouts/SignOut.aspx, which satisfied SharePoint’s authentication check for that page. Web shells such as spinstall0.aspx were then dropped; rather than a conventional command shell, that file reads the server’s ASP.NET machine keys (the ValidationKey and DecryptionKey) and returns them to the attacker, which is what gives persistent access and a foothold for lateral movement through the SharePoint environment.
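The request pattern above is visible in ordinary IIS logs, so a first triage pass does not need an EDR. The following is an added example, not code from the page or from Microsoft: it parses IIS W3C extended-format logs and flags only the two indicators the text names, a POST to ToolPane.aspx carrying a SignOut.aspx Referer, and any request for the spinstall0.aspx web shell name. The log lines are constructed for the example; the hosts and the 203.0.113.7 attacker address are fictional.

```python
"""Triage IIS W3C logs for the ToolShell request pattern.

Added example with constructed sample data. Indicators used are only those
described in the text: POST /_layouts/15/ToolPane.aspx with a Referer of
/_layouts/SignOut.aspx, and any request for the spinstall0.aspx web shell.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"
SIGNOUT_SUFFIX = "/_layouts/signout.aspx"
WEB_SHELL_NAMES = {"spinstall0.aspx"}  # extend with names seen in your own environment

# Constructed sample (IIS W3C extended format). 203.0.113.7 is a documentation
# address standing in for the attacker; the internal hosts and users are fictional.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://sp.corp.example/ 200
2025-07-18 09:14:33 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 09:14:35 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 09:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sp.corp.example/sites/hr/_layouts/15/ToolPane.aspx 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str
    request: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each entry, using the most recent #Fields header.

    IIS rewrites the #Fields line whenever the logged columns change, so the
    column map is taken from the log itself rather than hard-coded.
    """
    fields = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield line_no, dict(zip(fields, parts))


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return every log entry matching a ToolShell indicator, in log order."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        ip = rec.get("c-ip", "?")
        request = f"{rec.get('cs-method')} {rec.get('cs-uri-stem')}?{rec.get('cs-uri-query')}"
        basename = stem.rsplit("/", 1)[-1]
        if method == "POST" and stem.endswith(TOOLPANE_SUFFIX) and referer.endswith(SIGNOUT_SUFFIX):
            # A legitimate ToolPane edit carries a Referer from within the site,
            # not the SignOut page; this combination is the auth-bypass signature.
            findings.append(Finding(line_no, ip, "POST to ToolPane.aspx with SignOut.aspx Referer", request))
        elif basename in WEB_SHELL_NAMES:
            findings.append(Finding(line_no, ip, f"request for known web shell name {basename}", request))
    return findings


def triage_sample() -> List[Finding]:
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"line {f.line_no}: {f.client_ip} {f.reason} [{f.request}]")
```

Against the sample, the alice and bob requests pass (bob’s POST to ToolPane.aspx has an in-site Referer), and the two attacker requests are flagged. On a real server, feed it the files under the IIS log directory for each SharePoint web application and pivot on the flagged client IPs; a hit on the first indicator followed by any request for a new .aspx name under /_layouts/15/ should be treated as a compromise until proven otherwise.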
With those keys in hand, attackers could forge __VIEWSTATE payloads that SharePoint accepts as its own, because the machine keys are exactly what the ViewState integrity check relies on; the consequence is that patching alone does not evict an attacker who already holds the keys, and the keys must be rotated as well. Microsoft issued emergency patches for SharePoint Subscription Edition and SharePoint 2019 on July 19, 2025, with the SharePoint 2016 update still in testing at that point. Some of the malicious ASPX files avoided writing a second file to disk by loading a .NET assembly in memory through System.Reflection.Assembly.Load() and executing its payload inside the SharePoint worker process.
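To make the trust relationship concrete, here is an added example (not code from the page or from Microsoft) that models the ViewState integrity check as an HMAC over the serialized state keyed with the validation key. Real ASP.NET ViewState uses the <machineKey> validationKey with its own key derivation and framing, so this is a simplified model; it keeps only the property that matters here, namely that whoever holds the validation key can mint payloads the server accepts, and that rotating the key is what invalidates them.

```python
"""Why stolen machine keys outlive the patch: a minimal model of the
ViewState MAC check. Added example; simplified relative to real ASP.NET.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Server side: append an HMAC over the serialized state and base64 it."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(validation_key: bytes, token: str) -> Optional[bytes]:
    """Server side: return the payload only if the MAC validates under our key.

    In a real server the returned bytes go straight into the deserializer,
    which is the sink that turns a valid MAC into code execution.
    """
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(blob) <= MAC_LEN:
        return None
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def demo() -> Dict[str, bool]:
    """Walk through the four states that matter during incident response."""
    leaked_key = secrets.token_bytes(64)  # the value a key-dumping web shell hands over
    legit = sign_viewstate(leaked_key, b"legitimate page state")

    # Attacker side: with the leaked key, sign an arbitrary serialized object.
    forged = sign_viewstate(leaked_key, b"attacker-chosen serialized gadget")

    # Flip one payload bit of a valid token to confirm the MAC check itself works.
    blob = bytearray(base64.b64decode(legit))
    blob[0] ^= 0x01
    tampered = base64.b64encode(bytes(blob)).decode("ascii")

    rotated_key = secrets.token_bytes(64)  # the server after machine key rotation
    return {
        "legit_accepted": verify_viewstate(leaked_key, legit) is not None,
        "tampered_rejected": verify_viewstate(leaked_key, tampered) is None,
        "forged_accepted_with_leaked_key": verify_viewstate(leaked_key, forged) is not None,
        "forged_rejected_after_rotation": verify_viewstate(rotated_key, forged) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is the one that matters operationally: the forged token is indistinguishable from a legitimate one to a server that still uses the leaked key, and no amount of patching the deserialization bug changes that while the key stays the same. The fourth result is why Microsoft’s guidance pairs the patch with rotating the machine keys on every SharePoint server (the Update-SPMachineKey cmdlet or the Central Administration equivalent) and restarting IIS afterwards.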
Detection is hard because the malicious requests look like ordinary SharePoint traffic; without endpoint visibility into the SharePoint worker process (w3wp.exe) and request-level log monitoring, a compromise is easy to miss. CISA issued an alert on the exploitation, and Microsoft attributed the campaign to the China-based state actors Linen Typhoon and Violet Typhoon and to the China-based group Storm-2603.