
Large-scale exploitation of new SharePoint RCE vulnerability chain identified

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A new SharePoint remote code execution vulnerability chain, later named CVE-2025-53770 and CVE-2025-53771 by Microsoft, was found being exploited in the wild. The exploitation affected on-premises SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18 and 19, 2025. The first wave originated from a US-based IP address (107.191.58.76) at 18:06 UTC and deployed spinstall0.aspx. The second wave, also from a US-based IP address (104.238.159.149), occurred at 07:28 UTC the following day. Two additional IP addresses were identified in connection with the attacks. Organizations are advised to patch their systems and to conduct a compromise assessment if they suspect they have been affected.

OPENCTI LABELS:

exploit,rce,vulnerability,sharepoint,cve-2025-53771,cve-2025-53770,on-premise
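As a starting point for the compromise assessment the summary recommends, the following added example (not part of the original report) scans web server logs for the two IP addresses and the file name given above. It assumes IIS W3C extended logs with a `#Fields:` header; the sample log lines, paths and benign addresses are constructed.

```python
"""Triage IIS W3C logs for the indicators named in the summary (added example)."""

# Indicators taken from the summary above.
ATTACKER_IPS = {"107.191.58.76", "104.238.159.149"}
DROPPED_FILE = "spinstall0.aspx"

# Constructed sample in IIS W3C extended format; paths and the
# non-listed client addresses are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-18 18:05:59 GET /sites/team/default.aspx 192.0.2.10 200
2025-07-18 18:06:12 POST /example-dir/page.aspx 107.191.58.76 200
2025-07-18 18:06:20 GET /example-dir/SpInstall0.aspx 107.191.58.76 200
2025-07-19 07:28:03 POST /example-dir/page.aspx 104.238.159.149 200
2025-07-20 09:14:41 GET /example-dir/spinstall0.aspx 198.51.100.7 200
"""


def scan_iis_log(text):
    """Return a list of hit dicts (timestamp, client IP, URI, reasons)."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Column order varies per server, so re-read it at each header.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, parts))
        reasons = []
        if row.get("c-ip") in ATTACKER_IPS:
            reasons.append("known-ip")
        # IIS paths are case-insensitive, so compare the file name lowercased.
        if row.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1] == DROPPED_FILE:
            reasons.append("dropped-file")
        if reasons:
            hits.append({"when": f"{row.get('date')} {row.get('time')}",
                         "c-ip": row.get("c-ip"),
                         "uri": row.get("cs-uri-stem"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

The file name is matched independently of the IP list because the summary mentions two additional addresses that it does not list; the last sample row is a request of that kind.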

