Zero-Day Flaw in Microsoft SharePoint Lets Hackers Take Over Entire Networks

A serious security vulnerability has led to attacks on a number of Microsoft customers. SharePoint Server, which is deployed in many company networks, is affected. The problem behind the zero-day vulnerability is not entirely new.
Access to the whole network
The vulnerability with the identifier CVE-2025-53770 is currently being actively exploited in a broad attack campaign. According to Microsoft, it is a variant of a flaw patched in July 2025 (CVE-2025-49704), which enables remote code execution through unsafe deserialization. The bug only affects on-premises SharePoint servers and allows attackers to execute arbitrary code over the network without authentication. The attackers take advantage of the way SharePoint processes data objects without sufficient checks. Once they have access, they can use stolen machine keys to craft manipulated __VIEWSTATE payloads that the system accepts as legitimate. This allows them to establish persistence on the system or to move laterally within the network, often without immediate detection.
Microsoft was informed about the vulnerability by Viettel Cyber Security. The flaw was discovered as part of Trend Micro's Zero Day Initiative (ZDI). Microsoft quickly released an official security update. Nevertheless, the manufacturer continues to advise its customers to harden their systems as well. This includes enabling the Antimalware Scan Interface (AMSI) integration and using Microsoft Defender Antivirus and Defender for Endpoint. What makes the situation particularly serious is that an attack chain called "ToolShell" combined the zero-day vulnerability with another, spoofing-type flaw. Security researchers suspect that this chain leads directly to the new vulnerability through targeted manipulation of HTTP headers. ASPX payloads are deployed via PowerShell to steal the server's configuration keys, a crucial step for maintaining remote access permanently.
Patch alone is not enough
So far, more than 85 SharePoint servers have been compromised, including systems belonging to 29 companies and public authorities worldwide. The US cyber security agency CISA confirmed the active exploitation and called on affected organizations to implement the recommended protective measures immediately. Since stolen keys are not automatically replaced when the patch is installed, complete protection remains difficult in many cases. Experts therefore advise thorough forensic analysis and close cooperation with security providers.
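The following is an added example, not part of the original article, that illustrates why patching alone does not help once machine keys have been stolen. It uses a simplified HMAC-SHA256 model of ASP.NET's machineKey-based __VIEWSTATE validation (the real implementation differs in details such as key derivation), with constructed keys and a constructed payload; the functions `sign_viewstate`, `verify_viewstate` and `key_rotation_demo` are hypothetical names.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(payload: bytes, validation_key: bytes) -> bytes:
    """Append an HMAC over the serialized ViewState blob (simplified model)."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac)


def verify_viewstate(token: bytes, validation_key: bytes) -> bool:
    """Return True only if the MAC matches the server's current validation key.

    A blob that passes this check is handed to the deserializer, which is why
    a leaked key turns a MAC-protected field into an unauthenticated input.
    """
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return False
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def key_rotation_demo() -> dict:
    """Show the effect of rotating the machine key after a compromise."""
    # Constructed demo keys; a real validationKey is a long random hex string.
    leaked_key = bytes.fromhex("11" * 32)   # key exfiltrated before patching
    rotated_key = bytes.fromhex("22" * 32)  # fresh key set after the incident
    payload = b"<constructed serialized ViewState>"

    # A blob signed with the leaked key is accepted as long as the key is unchanged.
    forged = sign_viewstate(payload, leaked_key)
    accepted_before_rotation = verify_viewstate(forged, leaked_key)

    # Installing the patch does not change the key; rotating it does, and the
    # same blob is then rejected before deserialization.
    accepted_after_rotation = verify_viewstate(forged, rotated_key)

    # Without the key, any change to the payload breaks the MAC.
    tampered = base64.b64encode(
        base64.b64decode(forged)[:-MAC_LEN] + b"!" + base64.b64decode(forged)[-MAC_LEN:]
    )
    accepted_tampered = verify_viewstate(tampered, leaked_key)

    return {
        "accepted_before_rotation": accepted_before_rotation,
        "accepted_after_rotation": accepted_after_rotation,
        "accepted_tampered": accepted_tampered,
    }
```

On a real farm, a spike in ViewState MAC validation failures after a key rotation is a useful signal that previously issued tokens are still being replayed.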