Tenable Warns SharePoint Cyber Incident Can Grant Access Without Authentication
JAKARTA - Thousands of Microsoft SharePoint servers worldwide have reportedly been the target of active, large-scale exploitation in a cybersecurity incident that began at the end of last week.
Initial reports came from an Eye Security research team on July 19, which found two SharePoint security holes being exploited, previously attributed to a tool called ToolShell.
The exploit, tracked as CVE-2025-53770, exposes the MachineKey configuration details of vulnerable SharePoint Server installations, which ultimately enables remote code execution without authentication.
Responding to this incident, Sr. Staff Research Engineer at Tenable, Satnam Narang said that the active exploitation of the zero-day SharePoint vulnerability over the weekend will have a broad impact on affected organizations.
According to him, attackers have exploited the security gap, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Server installations, including the ValidationKey and DecryptionKey.
He emphasized that the stolen configuration information can be used to craft malicious requests that achieve remote code execution (RCE) without authentication, a gap that is very risky for public and private organizations.
"This detail can be used by attackers to make specific requests that can be used to obtain remote code execution without authentication," said Satnam in a statement received by VOI on Tuesday, July 22.
Satnam also explained that organizations can detect potential exploitation by searching their servers for a suspicious file named spinstall0.aspx, although attackers may use other file extensions.
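One way to run the file check Satnam describes, as an added PowerShell example that is not from the article or from Tenable: it matches the file name stem regardless of extension and records timestamps and hashes for the incident responder. The directory roots are assumptions based on default SharePoint install locations; adjust them for your environment.

```powershell
# Added example, not from the article or Tenable: hunt for the file the
# article names (spinstall0.aspx) by name stem, so that any extension is
# caught. Roots below are assumed default SharePoint locations.
$roots = @(
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)
$stem = 'spinstall0'   # file name reported in the article; extension may vary

$hits = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -ieq $stem } |
        ForEach-Object {
            # Collect the details a responder needs to scope the intrusion.
            [pscustomobject]@{
                Path     = $_.FullName
                Size     = $_.Length
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($hits) {
    Write-Warning "Possible ToolShell artifacts found; preserve them and begin incident response."
    $hits | Sort-Object Created | Format-Table -AutoSize
    # Keep a copy of the findings outside the web roots for the investigation.
    $hits | Export-Csv -NoTypeInformation -Path "$env:TEMP\spinstall0-hits.csv"
} else {
    Write-Output "No $stem.* files found under the scanned roots."
}
```

A clean result does not prove the server is uncompromised, since the article notes other extensions (and, by implication, other names) may be used; treat it as one check within a fuller investigation.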
He noted that the attack surface for this vulnerability is broad, with more than 9,000 SharePoint servers detected as externally accessible. Many of them are used by government agencies, educational institutions, and large companies.
"We strongly advise organizations to start incident response investigations to identify potential infiltration. If not, apply the available patches and review the mitigation instructions given by Microsoft," he said.