The SharePoint Zero-Day: What It Means for Your Data

By Ron Reiter, CTO and Co-founder, Sentra

Vulnerabilities represent the unseen, often silent cracks in the digital foundations we rely on to run our businesses. When security researchers discover a new one, it usually leads to the question, “How long have threat actors been using this gap, and what damage might already be done before we even knew it existed?”

The SharePoint Zero-Day Attack 

On July 20, CISA confirmed that attackers were actively exploiting CVE-2025-53770, a remote-code execution (RCE) zero-day that impacts Microsoft SharePoint servers. The flaw requires no authentication and lets threat groups run arbitrary code and access every file on the server without credentials. It is rated 9.8 on the Common Vulnerability Scoring System (CVSS), which measures severity on a scale of 0 to 10.

Researchers have linked the exploit to the “ToolShell” attack chain, which can make lateral movement and persistence dangerously easy by stealing SharePoint machine keys and forging ViewState payloads. It has already impacted over 400 organizations, including the Department of Energy and the Department of Homeland Security.

CVE-2025-53770 goes far beyond compromising infrastructure. The attackers who gained access to SharePoint didn’t just land on a server; they were able to access contracts, financials, customer records and source code. This is the very heartbeat of businesses today and, in the wrong hands, can have devastating consequences.

The Alarming Ease of Exploits 

Contrary to popular belief, threat actors don’t need phishing links, stolen credentials or sophisticated malware. Most adversaries can move from a simple list of targets to complete SharePoint control in just four steps:

1. Explore likely targets. 

Censys, Shodan and certificate transparency logs reveal thousands of company domains exposing SharePoint over HTTP. A few basic queries from a threat actor can surface SharePoint subdomains or endpoints responding with the SharePoint logo or the X-SharePointHealthScore header.

2. Look for a SharePoint host. 

If a domain shows the classic SharePoint sign-in page, it is likely running ASP.NET and listening on TCP 443, which indicates a viable target.

3. Inspect the vulnerable endpoint. 

A simple GET request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit should return HTTP 200 OK (instead of redirecting to login) on unpatched servers. This confirms exposure to the ToolShell exploit chain.

4. Confirm success with one unauthenticated POST. 

CVE-2025-53770 lies in how SharePoint deserializes __VIEWSTATE data. With only one forged POST request, the attacker gains full RCE. The threat actor needs no login, does not have to defeat multi-factor authentication (MFA) and requires no further interaction.

The four-step process takes only five minutes, which is why CISA urged organizations to disconnect public-facing servers until patched.

How Data Security Leaders Are Impacted 

An RCE on the platform is an open door to the organization’s most important data. With it, adversaries can benefit from:

  • Shadow exposure: Even if you patch tomorrow, every document the attacker already touched is outside of your control.
  • Unbounded blast radius: Compromised machine keys let attackers impersonate any user and exfiltrate sensitive files at scale.
  • Compliance risk: HIPAA, SOX, GDPR and other emerging AI-safety rules all require organizations to provide evidence of what data was accessed and when.

Vulnerability scanners often stop at “patch fast”, but data security teams need more visibility. Data security leaders have to know what was exposed, how sensitive it was and how to contain the fallout. Fortunately, some technology solutions can help.

Upleveling Data Security Solutions 

To protect data even in the event of vulnerabilities, organizations need to pick a security solution that has the following characteristics:

  • Real-time threat detection – Data security leaders need to see unusual access patterns to sensitive data immediately to intervene before risks turn into full-scale breaches.
  • Continuous data discovery and classification – Organizations must know where every sensitive file lives, whether it holds PII, PHI, intellectual property or AI model weights.
  • Posture-driven risk mapping – Security teams must be able to pinpoint sensitive data sitting on exploitable servers, open to the public or granted excessive permissions, and then have actionable alerts sent directly into existing workflows.
  • Blast-radius analysis – Having the capability to see which data could have been accessed during the exploit window is crucial for thorough incident response and breach notifications.
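As a defender-side illustration of the two sections above, here is an added example (not code from the article or from Sentra) that triages IIS W3C request logs for the exposure signal the article describes (an anonymous request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit answered with HTTP 200 instead of a redirect to login), derives an exploit window from the first and last such hit, and lists the documents read inside that window as a blast-radius estimate. The log lines, IP addresses, user names, file paths and the keyword classifier are constructed for this example; the field order assumes default IIS W3C logging.

```python
"""Triage IIS logs for the ToolShell exposure signal and bound the blast radius.

Added example, not the article's or Sentra's code. All log content below is
constructed; the field order follows default IIS W3C extended logging.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Default IIS W3C field order assumed for the constructed sample.
LOG_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample (not real traffic). 203.0.113.7 is a documentation-range IP.
SAMPLE_LOG = """\
2025-07-19 03:12:01 10.0.0.5 GET /sites/finance/Shared%20Documents/Q2-budget.xlsx - 443 CONTOSO\\alice 10.0.4.20 Mozilla/5.0 200
2025-07-19 03:14:44 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 03:14:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 03:15:10 10.0.0.5 GET /sites/legal/Contracts/MSA-acme.docx - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 03:16:02 10.0.0.5 GET /sites/hr/Employees/payroll-2025.csv - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 03:40:00 10.0.0.5 GET /sites/eng/Source/repo-export.zip - 443 CONTOSO\\carol 10.0.4.30 Mozilla/5.0 200
2025-07-19 05:00:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.4.2 Mozilla/5.0 200
2025-07-19 09:30:00 10.0.0.5 GET /sites/finance/Shared%20Documents/Q2-budget.xlsx - 443 CONTOSO\\bob 10.0.4.21 Mozilla/5.0 200
"""

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"  # compared case-insensitively


def parse_iis_log(text):
    """Parse W3C lines into dicts; '#' directive lines and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(LOG_FIELDS):
            continue  # do not mis-assign fields on a truncated line
        rec = dict(zip(LOG_FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def is_toolshell_hit(rec):
    """Anonymous HTTP 200 on ToolPane.aspx?DisplayMode=Edit.

    A patched server redirects unauthenticated callers to login, so a 200 with
    no cs-username is the exposure signal; an anonymous POST is the exploit itself.
    An authenticated administrator opening the same page is normal and not flagged.
    """
    if not rec["cs-uri-stem"].lower().endswith(TOOLPANE_PATH):
        return False
    raw_query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
    query = {k.lower(): [v.lower() for v in vals] for k, vals in parse_qs(raw_query).items()}
    return ("edit" in query.get("displaymode", [])
            and rec["sc-status"] == 200
            and rec["cs-username"] == "-")


def find_toolshell_hits(records):
    return [r for r in records if is_toolshell_hit(r)]


def exploit_window(hits, pad_after=timedelta(hours=1)):
    """First indicator through last indicator plus a pad, since collection
    usually continues after the last probe. Returns None when nothing was seen."""
    if not hits:
        return None
    times = [h["ts"] for h in hits]
    return min(times), max(times) + pad_after


def classify(path):
    """Stand-in keyword classifier using the data categories the article names.
    A real deployment would take labels from its discovery/classification tooling."""
    p = path.lower()
    if "contract" in p:
        return "contracts"
    if "payroll" in p or "employee" in p:
        return "customer/employee records"
    if "budget" in p or "finance" in p:
        return "financials"
    if "source" in p:
        return "source code"
    return "unclassified"


def files_accessed_in_window(records, window, client_ips=None):
    """Documents read inside the window, mapped to a sensitivity label.

    client_ips=None returns every read (upper bound: stolen machine keys let the
    attacker act as any user); a set of attacker IPs returns only their direct
    reads (lower bound). Application pages under /_layouts/ are not documents.
    """
    start, end = window
    seen = {}
    for r in records:
        if not (start <= r["ts"] <= end):
            continue
        if client_ips is not None and r["c-ip"] not in client_ips:
            continue
        if r["cs-uri-stem"].lower().startswith("/_layouts/"):
            continue
        seen[r["cs-uri-stem"]] = classify(r["cs-uri-stem"])
    return dict(sorted(seen.items()))


def triage(log_text):
    """Full pass: indicators, window, and lower/upper-bound blast radius."""
    records = parse_iis_log(log_text)
    hits = find_toolshell_hits(records)
    window = exploit_window(hits)
    if window is None:
        return {"hits": [], "window": None, "attacker_reads": {}, "all_reads": {}}
    attacker_ips = {h["c-ip"] for h in hits}
    return {
        "hits": [(h["ts"].isoformat(), h["cs-method"], h["c-ip"]) for h in hits],
        "window": (window[0].isoformat(), window[1].isoformat()),
        "attacker_reads": files_accessed_in_window(records, window, attacker_ips),
        "all_reads": files_accessed_in_window(records, window),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The two result sets are the point: the attacker-IP view names only the contracts and payroll files the anonymous client fetched directly, while the all-access view also includes the source-code export read by a named user inside the window, which is the set an analyst has to review when forged ViewState may have let the intruder act under legitimate identities. Feed real W3C logs in place of SAMPLE_LOG and replace the keyword classifier with the labels from your discovery tooling.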

The Biggest Takeaways 

CVE-2025-53770 was not the first severe vulnerability, nor will it be the last. Data security leaders need to know where their sensitive data is, how exposed it is and where to shrink that exposure in real time.

It’s not just about patching fast; it’s about defending the heartbeat of the enterprise: your data.
