Analyzing Microsoft SharePoint Zero-Day Exploit CVE-2025-53770

The recent Microsoft SharePoint zero-day exploit (CVE-2025-53770) marks a significant moment in enterprise cybersecurity. Here, we dissect the emerging data on infection rates, attack patterns, and mitigation effectiveness.

Scale and Timing of Exploitation

Security researchers have monitored active exploitation since at least July 18, 2025. Eye Security’s global scan revealed dozens of compromised SharePoint servers out of over 8,000 evaluated worldwide, indicating a substantial but targeted campaign.

Vulnerability Context and Severity

CVE-2025-53770 received a CVSS score of 9.8, signaling critical severity. This vulnerability is a variant of CVE-2025-49706 patched earlier that month, yet it exploits a novel serialization flaw allowing unauthenticated remote code execution.

Attack Methodology and Stealth Techniques

Unlike typical webshell attacks, the exploit stealthily retrieves cryptographic machine keys crucial for secure communication in SharePoint (__VIEWSTATE keys). This extraction allows attackers to craft valid payloads, complicating detection and extending attacker persistence.

Mitigation Adoption and Effectiveness

Microsoft’s AMSI integration, enabled by default in recent updates, can block exploitation attempts. However, adoption rates of these updates vary across enterprises. Organizations delaying AMSI activation or using older unpatched servers remain highly vulnerable.

Conclusion:
The data reveals a highly sophisticated exploit campaign blending stealth and scale. Proactive deployment of mitigations and patch management is paramount to stemming further intrusions.