2025-07-23: UPDATE: we now have a reliable detection method. Nearly 500 unique IP addresses are vulnerable, including those of numerous government organizations.
CVE-2025-53770 is currently being widely exploited by cybercriminals to deploy web shells. We have provided our customers with data allowing them to identify the currently compromised machines within their perimeter. Here’s an explanation.
What type of vulnerability are we talking about?
This is an unauthenticated Remote Code Execution (RCE) vulnerability. This is the most critical severity level, given that this type of product is used to share potentially confidential information within a company. That is lucrative data for cybercriminals.
According to our data, more than 11,000 unique IP addresses are exposed on the Internet for on-premise installations of Microsoft SharePoint Server. It is these on-prem installations that are at risk, as Microsoft has taken the necessary steps to protect its own hosted infrastructure, and therefore its customers, from compromise.
Vulnerability Disclosure History
In May 2025, researchers at Viettel Cyber Security revealed details of two critical vulnerabilities: CVE-2025-49706 and CVE-2025-49704, which they dubbed “toolshell.” Microsoft released the patches in its July bulletin.
But that’s not all: these patches were incomplete, and other researchers identified a bypass that still allows the flaw to be exploited. We therefore now have two new CVEs (CVE-2025-53770 and CVE-2025-53771) that are being actively exploited by attackers to deploy web shells, a persistence mechanism that gives them remote access to compromised instances.
Our Perspective
Because we scan the Internet by both IP address and URL, we are able to identify the number of Microsoft SharePoint Servers exposed to the Internet, whether they sit on a dedicated or a shared IP address. In the latter case, these are sometimes service providers operating SharePoint instances on behalf of their customers.
In terms of unique IP addresses, we have also identified more than 11,000 exposed instances. Among these, we count 139 unique IP addresses that are already compromised. The victims include, unsurprisingly, universities, a few banks, and, more importantly, a number of government organizations.
We are currently working on a method for remote detection of vulnerable instances; we will update this post accordingly.
About ONYPHE:
ONYPHE is an attack surface management solution that monitors the exposure of vulnerable devices on the internet by analyzing IP addresses, accessible services, URLs, and indicators of active exploitation.
By collecting real-time data on over 370 million domains and nearly 500 million active IP addresses (IPv4 and IPv6 combined), ONYPHE helps identify affected systems, assess the risks posed by these assets, and track the evolution of exploited vulnerabilities.
To learn more, visit us at: https://www.onyphe.io/