Microsoft has urgently released security updates to address two zero-day vulnerabilities on its SharePoint platform after detecting that hackers are actively exploiting them to attack over 10,000 organizations worldwide.

On July 21, Microsoft rolled out emergency patches for two newly discovered critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771. These flaws allow attackers to execute remote code on SharePoint servers, a widely used enterprise collaboration platform.

The issue first surfaced during the Pwn2Own hacking contest held in Berlin in May, where participants successfully exploited a vulnerability chain named ToolShell to gain control over SharePoint servers.

Although Microsoft issued an initial fix during its July Patch Tuesday release, threat actors quickly identified new ways to bypass it, exposing systems to renewed risks.

Over 10,000 organizations at risk

0wra29di.png
Two SharePoint zero-day vulnerabilities may put over 10,000 organizations at risk. Photo: Bleeping Computer

Cybersecurity experts warn that at least 54 organizations have already been directly affected, with the number expected to rise sharply. U.S. cybersecurity firm Censys estimates more than 10,000 SharePoint servers globally are vulnerable, particularly in the United States, the Netherlands, the UK, and Canada, which host the largest number of at-risk servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the flaws enable attackers to access system files, internal configurations, and execute malicious code remotely without authentication.

Google’s Threat Intelligence team called this vulnerability a gateway to “unauthenticated persistent access,” posing a serious threat to affected entities. Palo Alto Networks described the exploit as “a real and present danger” that is already being used in the wild.

Attackers are leveraging ToolShell to drop malicious files like spinstall0.aspx, targeting SharePoint’s _layouts directory - a method often associated with Advanced Persistent Threat (APT) campaigns.

Microsoft’s mitigation guidance

To mitigate the threat, Microsoft has urged all SharePoint administrators to immediately apply the corresponding patches for their system versions:

KB5002754 for Microsoft SharePoint Server 2019 Core
KB5002753 for Microsoft SharePoint Server 2019 Language Pack
KB5002760 for Microsoft SharePoint Enterprise Server 2016
KB5002759 for Microsoft SharePoint Enterprise Server 2016 Language Pack
KB5002768 for Microsoft SharePoint Subscription Edition
In addition, Microsoft has provided instructions for updating the machine key in the web application configuration using PowerShell or Central Admin, followed by restarting IIS across all SharePoint servers.

Organizations are also advised to audit their system logs for unauthorized access and perform a comprehensive malware analysis. One key indicator of compromise is the presence of the file:

C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx

Moreover, unusual POST requests to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with HTTP referer _layouts/SignOut.aspx in the IIS logs may also signal compromise.

To assist with detection, Microsoft offers a Microsoft 365 Defender query to scan for suspicious files:

DeviceFileEvents

| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"

| where FileName =~ "spinstall0.aspx"

or FileName has "spinstall0"

| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256

| order by Timestamp desc

If the spinstall0.aspx file is found, a full investigation of the affected server and the broader network is necessary to prevent lateral movement and additional compromise.

Du Lam (Bleeping Computer, Bloomberg)