SharePoint Critical Zero-Day Vulnerability

Your university and your business operations could face serious risks. The Microsoft SharePoint zero-day attack affected many institutions this past summer. Microsoft is urging administrators to take action and apply the latest security updates.

This exploit is being used in mass attacks. At least 400 organizations have been confirmed to have been breached.

The Washington Post stated that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers.

The National Nuclear Security Administration and the Department of Homeland Security have been compromised. Many other institutions, including universities, may have also been breached.

What is SharePoint?

SharePoint is a private, web-based platform where you can store and share files, manage projects, collaborate on a document with your team, and build custom pages and dashboards.

SharePoint Server is installed on-premises in many organizations, such as government agencies, universities, hospitals, and various private companies.

What is a zero-day attack?

A zero-day attack is a cyberattack that exploits a previously unknown security vulnerability before the developer(s) and/or vendor(s) create a patch. The Canadian Cyber Centre is recommending that users and administrators apply any necessary updates to their servers. This information can be found at the following link:

https://www.cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-av25-433

Who is behind the attack?

Microsoft’s July 2025 blog post suggests that Linen Typhoon and Violet Typhoon, two Chinese groups, are suspected of having exploited these vulnerabilities.

How does this exploit work?

According to Picus Security, the groups are believed to have followed these steps:

  • The vulnerability allows an attacker to send a specially crafted HTTP POST request to this endpoint: /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • The request includes a Referer header pointing to: /layouts/15/signout.aspx
  • This bypasses authentication and allows an attacker to execute code remotely (RCE), craft payloads, and extract cryptographic secrets. It provides a persistent backdoor, facilitates theft of sensitive data, and allows the execution of ransomware.
  • The attacker uploads a malicious .aspx file to the SharePoint layouts directory: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx
  • The goal is to extract cryptographic secrets from the server configuration: the ValidationKey, the DecryptionKey, and the signing algorithm.
  • Once the keys are stolen, the attacker can maintain access even after a patch.
  • ASP.NET uses __VIEWSTATE to rebuild the page with your previous inputs.
  • ysoserial.net is a tool that exploits applications performing unsafe deserialization of objects. It lets the attacker embed system commands in a serialized payload and send another GET request to a SharePoint page: GET /_layouts/15/success.aspx?__VIEWSTATE=<malicious_payload>
  • SharePoint accepts and deserializes the payload because its MAC was produced with the stolen key, so it looks like an authorized token, leading to command execution: w3wp.exe → cmd.exe → powershell.exe -EncodedCommand

How to detect and mitigate potential attacks:

The following video explains how this exploit works:
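As an added example (not from the original post or from any of the vendors it cites), here is the request pattern from the steps above turned into detection logic over constructed IIS-style log lines. The column layout and every sample entry are assumptions; real IIS sites need the cs-uri-query and cs(Referer) fields enabled for these checks to work.

```python
from urllib.parse import unquote

# Constructed IIS W3C-style log excerpt (not real traffic). The #Fields line
# is an assumption: real sites must log cs-uri-query and cs(Referer) for this.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 02:11:03 GET /_layouts/15/start.aspx - 10.0.0.5 - 200
2025-07-19 02:11:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 /_layouts/15/signout.aspx 200
2025-07-19 02:11:15 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
2025-07-19 02:11:20 GET /_layouts/15/success.aspx __VIEWSTATE=%2FwEPDwUKLTk1 203.0.113.7 - 200
2025-07-19 02:12:00 GET /_layouts/15/success.aspx - 10.0.0.5 - 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(rec):
    """Return the names of the indicators from the post that one record matches."""
    hits = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "")).lower()
    referer = rec.get("cs(Referer)", "").lower()
    # Steps 1-2: POST to ToolPane.aspx in edit mode with a sign-out Referer
    if (rec.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query and referer.endswith("/signout.aspx")):
        hits.append("toolpane-edit-with-signout-referer")
    # Step 4: any request for the dropped spinstall0.aspx page
    if stem.endswith("/spinstall0.aspx"):
        hits.append("spinstall0-access")
    # Later step: __VIEWSTATE carried in the query string of a GET (normally a POST body)
    if rec.get("cs-method") == "GET" and "__viewstate=" in query:
        hits.append("viewstate-in-get-query")
    return hits

def scan(text):
    """Map (client IP, time) of each suspicious request to its indicator names."""
    findings = {}
    for rec in parse_w3c(text):
        hits = classify(rec)
        if hits:
            findings[(rec["c-ip"], rec["time"])] = hits
    return findings
```

A hit on the ToolPane.aspx pattern alone warrants checking the LAYOUTS directory for unexpected .aspx files and the w3wp.exe child-process chain the post lists.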

Cryptographic Connections:

In order to keep the backdoor active, the attacker needs access to both the ValidationKey and the DecryptionKey. The DecryptionKey is symmetric, which means it is used for both encryption and decryption. It protects user identity and session information from tampering or eavesdropping during transmission, which provides confidentiality. The ValidationKey ensures the integrity of the view state form data; it is used to generate and validate MACs (Message Authentication Codes).
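The role of the ValidationKey described above, and the point from the steps list that stolen keys survive a patch, as an added example that is not from the original post: a minimal HMAC-SHA256 model of ViewState MAC validation. It is a simplification (not SharePoint's actual serializer, MAC algorithm or key derivation; the keys are constructed in memory), and it shows that tokens minted with a copied key keep being accepted until the key itself is rotated.

```python
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

def sign_state(state, validation_key):
    """Serialize page state and append a MAC keyed with the ValidationKey."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()

def load_state(token, validation_key):
    """Return the state only if its MAC verifies under the current key.
    This check is what stops tampering while the key stays secret."""
    raw = base64.b64decode(token)
    if len(raw) < MAC_LEN:
        raise ValueError("token too short")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(body)

def accepts(token, validation_key):
    """True if the server would deserialize this token under this key."""
    try:
        load_state(token, validation_key)
        return True
    except ValueError:
        return False

def demo():
    """Compare what the server accepts before and after rotating the key."""
    server_key = secrets.token_bytes(64)  # constructed, in-memory only
    legit = sign_state({"page": "success.aspx", "input": "hi"}, server_key)
    # Modified state with no valid MAC: rejected regardless of key
    garbage = base64.b64encode(b'{"page":"x"}' + bytes(MAC_LEN)).decode()
    # Anyone holding a copy of the key can mint tokens the server accepts;
    # patching the code path does not change that, rotating the key does.
    minted = sign_state({"page": "x"}, server_key)
    rotated_key = secrets.token_bytes(64)
    return {
        "legitimate": accepts(legit, server_key),
        "tampered_no_mac": accepts(garbage, server_key),
        "signed_with_old_key": accepts(minted, server_key),
        "after_key_rotation": accepts(minted, rotated_key),
    }
```

Rotating the keys invalidates every outstanding token at once, which is why key rotation belongs in the response alongside the patch.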

In conclusion, this shows the importance of keeping keys secret: rather than breaking the encryption, the attacker works around it by stealing the keys to the safe-box.

Resources:

https://techcrunch.com/2025/07/23/hundreds-of-organizations-breached-by-sharepoint-mass-hacks/
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/#more-71737
https://blog.gitguardian.com/sharepoint-zero-day-highlight-hidden-secrets-risk/
https://www.sans.org/blog/critical-sharepoint-zero-day-exploited-what-you-need-to-know-about-cve-2025-53770
https://www.helpnetsecurity.com/2025/07/22/microsoft-pins-sharepoint-attacks-cve-2025-53770/
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
https://www.cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-av25-433

8 Comments

  1. Brilliant piece! The SharePoint zero-day really shows how adversaries snoop out weak points across organisations. It’s quite similar to the attack on the House of Commons. Organizations must try to monitor logs and patch faster. This shows that a vulnerability can cause problems throughout different sectors, from government to education.

  2. From what I understood by reading this post, the hacker groups used the zero-day vulnerability as an entry point, while the stolen cryptographic keys are what make the attack itself so persistent. The attacker getting access to the decryption key and validation key is similar to a robber having the keys to your house, which renders having a strong lock useless since they can enter whenever they want to.

  3. Very interesting post! It is very scary to see that such a commonly used piece of software like SharePoint can have such a critical vulnerability, especially considering that it allows hackers to perform remote code execution.
    The problem here, as I see it, lies in the closed-source nature of SharePoint. Considering how widely used this software is, I can imagine that such a vulnerability would be caught almost instantly if Microsoft allowed anyone to check the source code.

  4. Great post! It shows how dangerous zero-day attacks can be, especially when they target systems like SharePoint that almost every organization depends on. I worked with Alberta Health Services as a service desk intern, and I saw firsthand how much of their work and collaboration happens through SharePoint. If those servers are not secure, it can disrupt patient care: staff can’t access records, treatments get delayed, and it becomes a real safety issue. It’s a reminder that cybersecurity is not just an IT problem but also a public safety concern. Governments and institutions really need to make stronger investments in patching, awareness training, and zero-trust security so attackers don’t get the easy wins.

  5. This SharePoint zero-day serves as a significant reminder that even the most “reliable” platforms can become the most vulnerable point if not updated. What is concerning is the number of vital institutions that were affected: Parliament, universities, and even energy agencies. Once attackers obtain those cryptographic keys, they essentially possess a master key to the entire system. The solution is evident: swift updates, zero-trust frameworks, and ongoing surveillance. If organizations fail to prioritize updates, we will continue to witness these large-scale breaches.

  6. Zero-Day Vulnerabilities never cease to sound scary every time they come up in one exploit or the other. I highly appreciated how you took us through the mechanics of this exploit, and what was/should be done to prevent it from further occurring. Sadly, sometimes, zero day exploits need to happen for companies to be able to release the appropriate patches. Ironically, the presence of a secret definitely always breeds the need to know or break that secret!

    That said, Microsoft is very well known for constantly patching their software so I’m glad to see that this has been attacked head on. Thanks Hicham, for the brief education and thoughtful research on the topic’s relation to cryptography!

  7. This attack on SharePoint is so unfortunate. I looked it up a bit more, and it appears that it only affected on-prem users, while SharePoint Online users were unaffected, most likely due to there being different security architectures, backend updates, or maybe they just were not vulnerable to that issue for other reasons. Adding on to keeping keys secret, maybe another way to prevent this from happening would be to regularly rotate the secrets and ensure they are not exposed to untrusted processes. As well, adding strong(er) cryptographic signing and validation. Thanks for sharing.

  8. Zero-days are extremely dangerous, and the fact that this one targeted SharePoint is especially concerning because it stores so much user data. The idea that attackers could read documents or upload malware to many users is no small matter. What makes it worse is that even after patches are applied, the stolen keys could allow attackers to maintain a backdoor into the system. I want to commend you for clearly explaining how the exploit works and highlighting not only the risks but also the precautions and detection methods. Posts like this remind us why it’s so important to maintain a security mindset, especially as attacks continue to evolve.