News | 24 Jul 2025

Cybersecurity Possible Critical Vulnerability: Microsoft SharePoint Servers

By Alliant. Thank you for bringing this news story to our attention.

Review the full advisory from Beazley Security Lab here:
🔗 SharePoint 0Day Vulnerability Under Active Exploitation (CVE-2025-53770)

Overview of the Threat

On July 18, 2025, the cybersecurity community identified active exploitation of a critical zero-day Remote Code Execution (RCE) vulnerability in on-premises Microsoft SharePoint servers. Tracked as CVE-2025-53770 and dubbed “ToolShell,” this flaw allows unauthenticated attackers to:

  • Upload malicious ASP.NET payloads
  • Extract cryptographic keys
  • Execute remote code on vulnerable systems

Microsoft confirmed the vulnerability on July 19 and has since released partial patches.

Recent Developments

As of July 21, 2025 (13:28 UTC), Beazley Security has verified that multiple working exploits are now being shared publicly. While early attacks were targeted, broader exploitation by ransomware groups and other threat actors is expected imminently.

If your organization has internet-exposed, unpatched SharePoint servers, assume compromise and take immediate action:

  1. Isolate affected systems
  2. Restore from a known good backup (dated before July 18)
  3. Rotate cryptographic keys used for __VIEWSTATE using the appropriate PowerShell cmdlet
  4. Apply the latest patches:
    • SharePoint Server Subscription Edition (≤ 16.0.18526.20424) → Patch: KB5002768
    • SharePoint Server 2019 (≤ 16.0.10417.20027) → Patch: KB5002754
    • SharePoint Server 2016 MUI/language patch (≤ 16.0.5508.1000) → Patch: KB5002760
    • SharePoint Online (Microsoft 365) is not affected.
  5. Enable AMSI (Antimalware Scan Interface) to scan uploaded files. Microsoft provides configuration guidance in their documentation.

⚠️ Antimalware scanning may not detect all future payloads. Unpatched, internet-exposed SharePoint servers should be considered compromised.

Beazley Security’s Response

Beazley Security’s MXDR (Managed Extended Detection and Response) offering includes multiple detections for this exploit chain, including:

  • Monitoring for exploitation attempts
  • Detection of suspicious activity such as:
    • Abuse of W3WP.exe
    • Webshell uploads
    • Base64-encoded command execution
    • Malware-labeled file uploads to SharePoint
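
As an added illustration of the "Abuse of W3WP.exe" and "Base64-encoded command execution" detections above (example code, not Beazley Security's or Microsoft's own), the following Python script flags shells spawned by the IIS worker process w3wp.exe in a constructed sample of process-creation events and decodes any PowerShell -EncodedCommand argument it finds; the pipe-separated event format and the sample lines are assumptions made for this example.

```python
import base64
import re
from typing import Optional

# Constructed sample of process-creation events in a simplified
# "parent|image|command line" text form. A real deployment would feed
# Sysmon Event ID 1 or Windows Security 4688 records here instead.
SAMPLE_EVENTS = """\
w3wp.exe|csc.exe|csc.exe /noconfig /fullpaths @"C:\\Windows\\Temp\\abc.cmdline"
w3wp.exe|powershell.exe|powershell.exe -NoP -W Hidden -enc dwBoAG8AYQBtAGkA
explorer.exe|powershell.exe|powershell.exe -enc dwBoAG8AYQBtAGkA
w3wp.exe|cmd.exe|cmd.exe /c whoami
"""

# Shells an IIS worker process has no business spawning during normal
# SharePoint operation (csc.exe, by contrast, is routine ASP.NET compilation).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_w3wp_abuse(events: str) -> list[dict]:
    """Flag shells whose parent is w3wp.exe, decoding any encoded command."""
    hits = []
    for line in events.splitlines():
        parent, image, cmdline = line.split("|", 2)
        if parent.lower() != "w3wp.exe" or image.lower() not in SUSPICIOUS_CHILDREN:
            continue
        hits.append({"image": image, "cmdline": cmdline,
                     "decoded": decode_encoded_command(cmdline)})
    return hits


if __name__ == "__main__":
    for hit in find_w3wp_abuse(SAMPLE_EVENTS):
        print(f"[ALERT] w3wp.exe -> {hit['image']}: {hit['cmdline']}")
        if hit["decoded"]:
            print(f"        decoded command: {hit['decoded']}")
```

The same powershell.exe launch from explorer.exe is deliberately not flagged, since the parent process, not the encoded flag alone, is what makes the event suspicious on a SharePoint server.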

We are actively updating our threat intelligence feeds with public and private IOCs and notifying clients with exposed SharePoint servers via our Exposure Management platform.

Questions or concerns?
Please don’t hesitate to reach out to your Beazley Security representative. If you suspect that your entity's system may have been compromised, please immediately report the incident to Beazley Security and the Delaware Valley Property & Liability Trust.