Executive Summary
In 2025, VulnCheck identified over 40,000 newly published vulnerabilities, yet only 1% (approximately 422) were exploited in the wild. This highlights a significant challenge in vulnerability management, as defenders struggle to prioritize amidst the overwhelming volume of disclosed vulnerabilities. Notably, network edge devices accounted for 28% of the top targeted technologies, underscoring their critical role in organizational security.
The rapid exploitation of vulnerabilities, with nearly a third being weaponized within 24 hours of disclosure, emphasizes the need for organizations to enhance their patch management processes and adopt proactive security measures to mitigate emerging threats effectively. (vulncheck.com)
Why This Matters Now
The increasing speed at which vulnerabilities are exploited, coupled with the sheer volume of disclosures, necessitates a shift in how organizations prioritize and address security flaws to prevent potential breaches.
Attack Path Analysis
Attackers exploited vulnerabilities in Microsoft SharePoint to gain unauthorized access, escalate privileges, move laterally within the network, establish command and control channels, exfiltrate sensitive data, and deploy ransomware, causing significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the CVE-2025-53770 vulnerability in Microsoft SharePoint, allowing unauthenticated remote code execution by sending specially crafted HTTP requests to the ToolPane.aspx endpoint with a forged Referer header pointing to SignOut.aspx.
Related CVEs
CVE-2025-53770
CVSS 9.8An unauthenticated remote code execution vulnerability in Microsoft SharePoint Server due to unsafe deserialization of untrusted data.
Affected Products:
Microsoft SharePoint Server 2016 – All builds with the September 2023 security update or later
Microsoft SharePoint Server 2019 – All builds with the September 2023 security update or later
Microsoft SharePoint Server Subscription Edition – Version 23H2 or later
Exploit Status:
exploited in the wildReferences:
https://www.zscaler.com/de/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-serviceshttps://www.techradar.com/pro/security/microsoft-releases-urgent-sharepoint-security-flaw-patches-heres-what-you-need-to-know-and-how-to-updatehttps://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantageCVE-2025-53771
CVSS 6.5An authentication bypass vulnerability in Microsoft SharePoint Server that allows unauthenticated access to certain endpoints.
Affected Products:
Microsoft SharePoint Server 2016 – All builds with the September 2023 security update or later
Microsoft SharePoint Server 2019 – All builds with the September 2023 security update or later
Microsoft SharePoint Server Subscription Edition – Version 23H2 or later
Exploit Status:
exploited in the wildReferences:
https://www.zscaler.com/de/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-serviceshttps://www.techradar.com/pro/security/microsoft-releases-urgent-sharepoint-security-flaw-patches-heres-what-you-need-to-know-and-how-to-updatehttps://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantageCVE-2025-49704
CVSS 8.8A remote code execution vulnerability in Microsoft SharePoint Server due to improper handling of ASP.NET ViewState objects.
Affected Products:
Microsoft SharePoint Server 2016 – All builds prior to the July 2025 security update
Microsoft SharePoint Server 2019 – All builds prior to the July 2025 security update
Microsoft SharePoint Server Subscription Edition – All builds prior to the July 2025 security update
Exploit Status:
exploited in the wildReferences:
https://www.zscaler.com/de/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-serviceshttps://www.techradar.com/pro/security/microsoft-releases-urgent-sharepoint-security-flaw-patches-heres-what-you-need-to-know-and-how-to-updatehttps://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantageCVE-2025-49706
CVSS 6.5An authentication bypass vulnerability in Microsoft SharePoint Server that allows unauthorized access through improper validation of HTTP Referer headers.
Affected Products:
Microsoft SharePoint Server 2016 – All builds prior to the July 2025 security update
Microsoft SharePoint Server 2019 – All builds prior to the July 2025 security update
Microsoft SharePoint Server Subscription Edition – All builds prior to the July 2025 security update
Exploit Status:
exploited in the wildReferences:
https://www.zscaler.com/de/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-serviceshttps://www.techradar.com/pro/security/microsoft-releases-urgent-sharepoint-security-flaw-patches-heres-what-you-need-to-know-and-how-to-updatehttps://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantageCVE-2025-55182
CVSS 10A critical remote code execution vulnerability in React Server Components allowing attackers to execute arbitrary commands.
Affected Products:
Meta React Server Components – 19.0 to 19.2.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Compromise Infrastructure: Network Devices
Exploitation for Defense Evasion
Valid Accounts
Application Layer Protocol
Network Service Discovery
Remote Services
Service Stop
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – System and Application Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure through SharePoint zero-days compromising 400+ organizations including Energy, Homeland Security, and Health departments requiring immediate vulnerability prioritization.
Information Technology/IT
Maximum impact from React2Shell vulnerability with 236 exploits, network edge device compromises, and automated exploit pipelines targeting infrastructure providers.
Financial Services
High-risk exposure through network edge devices, Microsoft SharePoint vulnerabilities, and compliance requirements under PCI standards necessitating enhanced vulnerability management.
Health Care / Life Sciences
Severe threats from exploited SharePoint systems affecting HHS, with HIPAA compliance risks and healthcare infrastructure vulnerabilities requiring immediate remediation.
Sources
- Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attackshttps://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/Verified
- CVE-2025-53770 | ThreatLabzhttps://www.zscaler.com/de/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-servicesVerified
- Microsoft releases urgent SharePoint security flaw patches - here's what you need to know, and how to updatehttps://www.techradar.com/pro/security/microsoft-releases-urgent-sharepoint-security-flaw-patches-heres-what-you-need-to-know-and-how-to-updateVerified
- Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware - three China-affiliated threat actors seen taking advantagehttps://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantageVerified
- React2Shell RCE flaw exploited by Chinese hackers hours after disclosurehttps://www.techradar.com/pro/security/react2shell-rce-flaw-exploited-by-chinese-hackers-hours-after-disclosureVerified
- React2Shell exploitation continues to escalate, posing 'significant risk'https://www.techradar.com/pro/security/react2shell-exploitation-continues-to-escalate-posing-significant-riskVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and deploy ransomware by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the SharePoint vulnerability may have been constrained, reducing the likelihood of unauthorized remote code execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained, reducing the reach of unauthorized access.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been constrained, reducing data loss.
The attacker's ability to deploy ransomware and cause operational disruption could have been limited, reducing the impact on critical systems.
Impact at a Glance
Affected Business Functions
- Document Management
- Collaboration Platforms
- Web Applications
Estimated downtime: 14 days
Estimated loss: $5,000,000
Potential exposure of sensitive corporate documents, user credentials, and proprietary information.
Recommended Actions
Key Takeaways & Next Steps
- • Apply the latest security updates for Microsoft SharePoint to address known vulnerabilities.
- • Enable Antimalware Scan Interface (AMSI) in SharePoint and deploy endpoint detection and response (EDR) solutions to detect and block post-exploitation activity.
- • Rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers to invalidate stolen keys.
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Deploy Egress Security & Policy Enforcement controls to monitor and restrict outbound traffic, preventing unauthorized data exfiltration.
