A critical zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, is being exploited in the wild, impacting on-premises deployments across government, healthcare, education, and enterprise environments. So far, at least 75 servers have been compromised -- including U.S. federal, state and local agencies -- with an additional 9,000 exposed SharePoint instances globally at risk.
Microsoft has begun issuing emergency patches for the affected versions, but cybersecurity professionals warn that patching alone is not sufficient: a server that was exploited before the update was installed still holds keys the attacker has already copied, and possibly attacker web shells, and neither is removed by the patch.
“Attackers are exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. A compromise doesn’t stay contained—it opens the door to the entire network,” — Michael Sikorski, CTO and Head of Threat Intelligence, Unit 42, Palo Alto Networks
Analysis by the Unit 42 team at Palo Alto Networks shows that the vulnerability lets attackers read the server's ASP.NET MachineKey configuration (validationKey and decryptionKey). With those keys an attacker can sign and encrypt their own request payloads so that the server accepts them as legitimate, which yields remote code execution on the server without ever authenticating; because no login takes place, MFA and SSO are never consulted, and the attacker can go on to escalate privileges. Crucially, a patch that closes the original flaw does not change the keys, so an attacker who already holds them keeps this capability until the keys are rotated.
The risk is compounded by SharePoint Server's tight integration with Microsoft 365 applications such as Office, Teams, OneDrive, and Outlook. A compromised SharePoint server is a trusted pivot from which attackers can move laterally into those applications, turning a single server compromise into a widespread one.
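To make the point concrete, the following is an added example (not code from the article, Microsoft, or Unit 42) that models the trust relationship behind the stolen keys. ASP.NET protects __VIEWSTATE and similar round-tripped fields with an HMAC keyed by the MachineKey validationKey, so anyone holding that key can mint payloads the server trusts. The model is deliberately simplified: plain HMAC-SHA256 over an opaque payload, with no ASP.NET key derivation or ViewState serialisation, and `SharePointServer`, `exploit_initial_bug` and the payload bytes are stand-ins invented for the illustration. It walks one forged token through patching and then key rotation to show which of the two actually evicts the attacker.

```python
"""Why patching alone does not evict an attacker who already holds the MachineKey.

Added example, not from the article or any vendor. Simplified stand-in for
ASP.NET MAC validation: plain HMAC-SHA256 over an opaque payload.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def new_validation_key() -> bytes:
    # 64 random bytes: the size of an HMACSHA256 validationKey in <machineKey>.
    return secrets.token_bytes(64)


def sign(payload: bytes, validation_key: bytes) -> str:
    """Produce a MAC-protected token the way a legitimate page round-trip would."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if its MAC matches the current key, else None."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


class SharePointServer:
    """Hypothetical stand-in for an on-prem server that acts on any MAC-valid payload."""

    def __init__(self) -> None:
        self.validation_key = new_validation_key()
        self.patched = False

    def exploit_initial_bug(self) -> Optional[bytes]:
        """The unauthenticated path used to drop a web shell and read the key out."""
        if self.patched:
            return None  # the security update closes this path
        return self.validation_key

    def apply_patch(self) -> None:
        # Closes the initial bug but leaves the keys exactly as they were.
        self.patched = True

    def rotate_keys(self) -> None:
        # Microsoft's guidance: rotate MachineKey on every server, then restart IIS.
        self.validation_key = new_validation_key()

    def handle(self, token: str) -> str:
        payload = verify(token, self.validation_key)
        if payload is None:
            return "rejected: MAC validation failed"
        # A real server would deserialize the payload here; that is where RCE happens.
        return "accepted: " + payload.decode("ascii")


def simulate() -> Dict[str, str]:
    """Run one forged token against the server before patching, after it, and after rotation."""
    server = SharePointServer()
    stolen_key = server.exploit_initial_bug()        # initial compromise
    assert stolen_key is not None
    forged = sign(b"attacker-controlled payload", stolen_key)

    results = {"before_patch": server.handle(forged)}
    server.apply_patch()
    results["bug_after_patch"] = "closed" if server.exploit_initial_bug() is None else "open"
    results["after_patch"] = server.handle(forged)    # still accepted: keys unchanged
    server.rotate_keys()
    results["after_rotation"] = server.handle(forged) # now rejected
    return results


if __name__ == "__main__":
    for stage, outcome in simulate().items():
        print(f"{stage:16s} {outcome}")
```

The forged token is accepted before and after the patch and is only rejected once the keys change, which is the reason the guidance below treats key rotation as a separate, mandatory step rather than a nice-to-have.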
Who is Affected?
- Organisations operating on-premises SharePoint Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition (SharePoint Online in Microsoft 365 is not affected)
- Sectors facing significant risk: Healthcare (including hospitals), Education, Government (including state and local agencies), BFSI, Energy, Telecom, Manufacturing
- Enterprises exposing SharePoint to the internet without sufficient segmentation.
Palo Alto Networks is working closely with Microsoft’s Security Response Center (MSRC) and has begun notifying impacted customers. Unit 42 strongly urges organisations to:
- Assume compromise if on-prem SharePoint is internet-facing
- Rotate all cryptographic materials
- Unplug affected servers from the internet as a short-term mitigation
- Engage incident response teams to evict persistent threats
“This is a high-severity, high-urgency threat. A false sense of security could result in prolonged exposure and widespread compromise.” — adds Sikorski
Tenable’s research points to a key indicator of compromise: a file named spinstall0.aspx written to the SharePoint server. It is a web shell that attackers use to read out the MachineKey and to keep a foothold, so its presence means the server should be treated as compromised even after patching. Attackers are leveraging this to establish persistence and execute arbitrary code.
“We strongly advise organisations to begin incident response investigations. While Microsoft has started rolling out patches for SharePoint Server 2019 and Subscription Edition, a fix for SharePoint Server 2016 is still pending.”— Satnam Narang, Senior Staff Research Engineer, Tenable
Actionable Steps for CISOs and CIOs
| Priority action | Recommendation |
|---|---|
| 1. Apply patches immediately | Microsoft has released updates for SharePoint Server 2019 and Subscription Edition (as of July 20); the patch for SharePoint Server 2016 is expected soon. Patching closes the entry point but does not undo a compromise that has already happened. |
| 2. Rotate keys | After patching, rotate the ASP.NET MachineKey (validationKey and decryptionKey) on every SharePoint server in the farm and restart IIS. Keys read out before rotation remain valid until it is done. |
| 3. Isolate vulnerable servers | Temporarily disconnect internet-facing SharePoint from the internet if patching is delayed. |
| 4. Assume breach | Hunt for spinstall0.aspx on disk and in IIS logs, and for unusual outbound connections from SharePoint servers. |
| 5. Strengthen monitoring | Enable SharePoint's AMSI integration with an AMSI-capable antivirus, update endpoint protections, and monitor for lateral movement from the SharePoint servers. |
| 6. Engage experts | Call in professional IR teams to audit and clean environments; the goal is eviction, not just patching. |
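The "assume breach" step above, and the spinstall0.aspx indicator from Tenable's research, can be turned into a log hunt. The following is an added example (not tooling from the article, Tenable, or Microsoft) that parses IIS W3C logs and flags two things: any request for the spinstall0.aspx web shell, widened to spinstall<N>.aspx because the same dropper has used sibling names (treat that widening as an assumption), and a POST to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` whose Referer is `/_layouts/SignOut.aspx`, which is the request shape Microsoft's hunting guidance gives for the authentication bypass that opens the chain. The log lines, hostnames and IP addresses are constructed for the illustration.

```python
r"""Hunt IIS W3C logs on an on-prem SharePoint server for ToolShell-style activity.

Added example, not from the article or any vendor. SAMPLE_LOG is constructed;
point parse_w3c() at real %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\u_ex*.log
content instead.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: one normal request, the auth-bypass POST, a web shell fetch,
# and a legitimate authenticated ToolPane edit that must NOT fire.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 04:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200
2025-07-19 04:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.com/_layouts/SignOut.aspx 200
2025-07-19 04:13:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 04:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.21 Mozilla/5.0 https://sp.contoso.com/sites/hr/default.aspx 200
"""

WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)  # spinstall0.aspx + siblings (assumption)
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may re-emit this header mid-file
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: Dict[str, str]) -> Optional[str]:
    """Name the indicator a single request matches, or None if it looks benign."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    if (row.get("cs-method") == "POST"
            and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx")):
        return "toolpane-auth-bypass"
    return None


def hunt(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (indicator, client IP, timestamp, URI stem) for every matching request."""
    hits: List[Tuple[str, str, str, str]] = []
    for row in parse_w3c(text):
        tag = classify(row)
        if tag is not None:
            hits.append((tag, row["c-ip"], f"{row['date']} {row['time']}", row["cs-uri-stem"]))
    return hits


def suspicious_sources(text: str) -> Dict[str, int]:
    """Client IPs to scope the investigation around, with hit counts."""
    return dict(Counter(ip for _, ip, _, _ in hunt(text)))


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
    print("scope:", suspicious_sources(SAMPLE_LOG))
```

A hit on either indicator is a reason to move to the eviction steps above (key rotation, IIS restart, IR engagement), not merely to patch; the IPs returned by `suspicious_sources` are a starting point for checking firewall and proxy logs for the unusual outbound connections the table mentions, which IIS logs themselves do not record.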
Bottom Line
This zero-day isn't just another critical CVE—it's a live threat campaign in motion, with potential to disrupt core digital infrastructure across sectors. For organisations running legacy on-prem systems, the message is clear: react now, or risk deep compromise.