Microsoft SharePoint flaw actively exploited in large-scale cyberattacks

A recently discovered critical vulnerability in Microsoft SharePoint Server is being actively exploited in what security analysts are calling a widespread and ongoing campaign.

The zero-day flaw, tracked as CVE-2025-53770, allows unauthenticated attackers to remotely execute code on vulnerable systems. The flaw is a variant of a previously disclosed bug, CVE-2025-49706, which was patched earlier this month as part of Microsoft’s July Patch Tuesday updates.

The new flaw exists due to insecure input validation when processing serialized data in on-premises SharePoint Server deployments, allowing attackers to bypass authentication and gain control over affected systems across a network.

According to Microsoft, exploitation of the flaw relies on SharePoint's handling of deserialization processes. Malicious actors are using specially crafted payloads that exploit the issue to execute arbitrary commands even before authentication takes place. Once access is gained, attackers reportedly use stolen machine keys to forge trusted payloads, facilitating persistence and lateral movement within compromised environments.

The exploitation is limited to on-premises versions of SharePoint Server. Microsoft said that SharePoint Online, which is part of the Microsoft 365 suite, is not impacted.

The tech giant has begun rolling out emergency security updates for SharePoint Server to address CVE-2025-53770 and CVE-2025-53771, collectively referred to as ‘ToolShell.’ The company has released patches for SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert, confirming that the vulnerability is being used in active attacks. The agency is urging all organizations running on-premises Microsoft SharePoint Servers to implement Microsoft's recommended mitigations as soon as possible.

In a separate campaign, threat actors have been exploiting vulnerabilities in Ivanti Connect Secure (ICS) appliances to deploy a new malware strain, dubbed ‘MDifyLoader.’ According to a JPCERT/CC report, threat actors exploited CVE-2025-0282 and CVE-2025-22457 between December 2024 and July 2025 to deploy MDifyLoader. Once installed, the malware launches Cobalt Strike directly in memory.

CVE-2025-0282 allows unauthenticated remote code execution and was patched in January 2025, while CVE-2025-22457, a stack-based buffer overflow, was fixed in April 2025. Both vulnerabilities were previously used to deliver other malware such as SPAWNCHIMERA and DslogdRAT.
