Critical Microsoft SharePoint Zero-Days Exploited in Global Attacks Despite Recent Patches
Critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) are being actively exploited in the wild, bypassing earlier fixes and compromising at least 85 servers globally, including government and enterprise systems. Initially tied to the Pwn2Own “ToolShell” exploit, the attacks steal cryptographic keys and then use them to achieve remote code execution through malicious ViewState payloads. Microsoft has issued emergency patches for SharePoint 2019 and Subscription Edition but is still finalizing the update for SharePoint 2016. In the interim, it urges organizations to deploy mitigations such as enabling AMSI, running Defender AV, rotating ASP.NET machine keys, and disconnecting unpatched servers from the internet. CISA has classified the threat as critical, mandating urgent action by U.S. federal agencies.
www.bleepingcomputer.com/news/micr…
