DIVD-2025-00035 - Sharepoint Mass-Exploitation (ToolShell) through CVE-2025-53770

Our reference: DIVD-2025-00035
Case lead: Max van der Horst
Researcher(s):
CVE(s):
Products:
  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
Versions: all
Recommendation: Enable the Antimalware Scan Interface (AMSI) offered by Microsoft or take your SharePoint installation off the internet.
Patch status: Not Available
Workaround: None
Status: Open
Last modified: 20 Jul 2025 21:16 CEST

Summary

Attackers are exploiting a new vulnerability in Microsoft SharePoint Server to secretly place a small backdoor on affected servers. This only affects organizations running SharePoint on-premise (local installations), not SharePoint as part of Microsoft 365 (SharePoint Online).

When accessed, this backdoor reveals secret security keys that allow attackers to fully take over the system and bypass normal protections.

What you can do

Either ensure that Microsoft’s Antimalware Scan Interface (AMSI) is enabled on your server or take it off the internet completely. Moreover, check your SharePoint servers for suspicious files with unusual names, such as spinstall0.aspx, and monitor for strange responses when visiting unexpected pages. If you suspect that your server has been compromised, you should change all security keys and credentials, investigate for further unauthorized access, and consider restoring from a clean backup.
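As an added example (not DIVD's scanner and not code from this advisory), the following Python triages IIS W3C log lines from a SharePoint server for requests to the file name mentioned above and to any other .aspx page under /_layouts/ that is absent from a clean-install baseline; the baseline set, the client addresses and the log lines are constructed for the example.

```python
"""Triage IIS W3C log lines from an on-premise SharePoint server for requests
to unexpected .aspx pages under /_layouts/ (e.g. spinstall0.aspx)."""
import posixpath

# File name the advisory names as an indicator of the implant.
KNOWN_IMPLANT_NAMES = {"spinstall0.aspx"}
# Assumption: .aspx names listed from a clean install's LAYOUTS directory.
# This set is constructed for the example, not a real listing.
BASELINE_LAYOUT_PAGES = {"start.aspx", "settings.aspx", "viewlsts.aspx"}

# Constructed sample log in IIS W3C extended format (documentation IPs only).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 192.0.2.10 200
2025-07-19 10:00:07 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 198.51.100.7 200
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/debug_helper.aspx - 443 198.51.100.7 404
2025-07-19 10:00:12 10.0.0.5 GET /_layouts/15/images/logo.png - 443 192.0.2.10 200
"""

def parse_w3c(lines):
    """Map each log line to a dict, taking column names from the '#Fields:' directive."""
    fields, records = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines instead of mis-assigning
                records.append(dict(zip(fields, values)))
    return records

def triage(lines, baseline=BASELINE_LAYOUT_PAGES):
    """Return one dict per request for an unexpected .aspx page under /_layouts/."""
    findings = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        name = posixpath.basename(uri).lower()
        if "/_layouts/" not in uri.lower() or not name.endswith(".aspx"):
            continue
        if name in KNOWN_IMPLANT_NAMES:
            reason = "known implant file name"
        elif name not in baseline:
            reason = "layouts page not in clean-install baseline"
        else:
            continue
        # A 2xx on such a page means the file exists and was served: treat as compromise.
        findings.append({"when": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip", "?"),
                         "uri": uri, "status": int(rec.get("sc-status", 0)), "reason": reason})
    return findings
```

A 404 for an unknown name is only probing; a 200 for spinstall0.aspx means the file was present and should trigger the key rotation and investigation steps above.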

What we are doing

DIVD is currently working to identify on-premise SharePoint instances that have been compromised through CVE-2025-53770. We use data from multiple sources, including Shodan, Censys, and NetLas.io, to locate potentially vulnerable SharePoint instances. We then perform our own targeted scans to detect signs of active exploitation—specifically the presence of webshells or other malicious implants.

Once a potential compromise is confirmed, we notify the affected organizations either directly or via trusted third parties, depending on the available contact information and responsible disclosure channels.

Timeline

Date Description
19 Jul 2025 Eye Security published their blog post on ToolShell.
19 Jul 2025 DIVD starts investigating the presence of implants worldwide.
20 Jul 2025 Eye Security and DIVD start collaboration.
20 Jul 2025 Scanned newly identified on-premise SharePoint hosts from NetLas.io for signs of compromise.

More information