Large-scale exploitation of new SharePoint RCE vulnerability chain identified

July 21, 2025, 10:28 a.m.

Description

A new SharePoint remote code execution vulnerability chain, later named CVE-2025-53770 and CVE-2025-53771 by Microsoft, was discovered being exploited in the wild. The exploitation affected on-premises SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18 and 19, 2025. The first wave originated from a US-based IP address (107.191.58.76) at 18:06 UTC and deployed the file spinstall0.aspx. The second wave, also from a US-based IP address (104.238.159.149), occurred at 07:28 UTC the following day. Two additional IP addresses were identified in connection with the attacks. Organizations are advised to patch their systems and to conduct a compromise assessment if they suspect they have been affected.

Date

  • Created: July 21, 2025, 10:15 a.m.
  • Published: July 21, 2025, 10:15 a.m.
  • Modified: July 21, 2025, 10:28 a.m.

Indicators

  • 96.9.125.147
  • 104.238.159.149
  • 107.191.58.76
  • 103.186.30.186

Attack Patterns

Linked vulnerabilities