SharePoint Zero Day Exploit Hits Over 100 Organizations
More than 100 organizations worldwide have been compromised by an actively exploited zero-day in Microsoft SharePoint servers. According to cybersecurity firm Eye Security and the Shadowserver Foundation, victims include industrial firms, banks, auditing and healthcare companies, and government institutions, primarily located in the U.S., Germany, and Canada.
The exploit, now linked to a threat chain dubbed ToolShell, abuses the vulnerabilities CVE-2025-49706 and CVE-2025-49704 to achieve full remote code execution (RCE) through ViewState manipulation. Once attackers have extracted cryptographic secrets such as the ASP.NET ValidationKey directly from memory or configuration, they can forge signed, fully functional ViewState payloads with tools like ysoserial.
Eye Security confirmed the threat is not theoretical. Attackers bypass identity protections like MFA and SSO, access system files and configurations, and move laterally through Windows domains. Most alarmingly, stolen cryptographic keys may allow persistent impersonation even after patching, because installing the patch does not invalidate keys that were already exfiltrated.
The initial breach likely began on July 18, when malicious actors planted an inconspicuous spinstall0.aspx file. Rather than executing standard shell commands like a conventional web shell, this file handed the server's cryptographic secrets back in response to a simple GET request, a subtler and more dangerous approach.
Microsoft acknowledged the vulnerability over the weekend, offering mitigation guidance for SharePoint Server 2019 and Subscription Edition. A patch for SharePoint 2016 remains in development. Security experts emphasize that firewall blocking is insufficient and that compromised servers must be isolated or shut down immediately.
Trend Micro and Eye Security both urge administrators to take decisive action:
- Patch vulnerable SharePoint versions immediately
- Rotate all credentials and cryptographic secrets
- Audit configuration files and logs for anomalies
- Seek incident response support without delay
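One concrete way to carry out the log-audit step above is to sweep the IIS W3C logs of every SharePoint front end for requests to the spinstall0.aspx file the article names. The script below is an added illustration, not code from the article, Eye Security or Microsoft; the log excerpt is constructed (invented IPs, times and paths), and only the file name comes from the reporting.

```python
"""Flag IIS W3C log entries that request the spinstall0.aspx dropper."""
import re
from typing import Iterator

# Constructed IIS W3C extended log sample, not a real capture. The file name is
# the one reported in the ToolShell incident; hosts, IPs and times are invented.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-18 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 Mozilla/5.0 200
2025-07-18 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 Mozilla/5.0 200
2025-07-18 03:14:10 10.0.0.5 GET /sites/finance/default.aspx - 10.0.0.78 Mozilla/5.0 200
2025-07-18 03:15:31 10.0.0.5 GET /_LAYOUTS/16/SPINSTALL0.ASPX - 198.51.100.4 curl/8.0 404
2025-07-18 03:16:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx.txt - 10.0.0.79 Mozilla/5.0 200
"""

# IIS resolves paths case-insensitively, so match the file name regardless of case
# and anchor on the end of the URI stem so look-alike names are not reported.
SUSPECT_FILE = re.compile(r"(?:^|/)spinstall0\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per entry, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header may repeat when IIS rolls the log
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry appears before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole sweep
        yield dict(zip(fields, values))


def find_spinstall_hits(text: str) -> list[dict]:
    """Return every entry requesting spinstall0.aspx, including 404s (probing)."""
    return [e for e in parse_w3c(text) if SUSPECT_FILE.search(e["cs-uri-stem"])]


if __name__ == "__main__":
    for hit in find_spinstall_hits(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} "
              f"{hit['cs-uri-stem']} -> HTTP {hit['sc-status']}")
```

Any hit, including a 404, is worth treating as a trigger for the isolation and key-rotation steps above rather than as noise, since a successful GET returning 200 means the secrets may already be gone.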
Due to SharePoint’s integration with services like Outlook, Teams, and OneDrive, the breach has a high risk of cascading data theft, password harvesting, and network-wide compromise.
While attribution remains uncertain, Alphabet has suggested links to a state-sponsored actor from China, according to Reuters.
As the ToolShell exploit evolves rapidly, cybersecurity professionals warn that delay may deepen exposure. This incident underscores the growing sophistication of attackers and the urgent need for proactive threat response strategies.
Source: computerworld