
Knowledge base
August 13, 2025
SharePoint vulnerability CVE-2025-53770
More than 50 organizations worldwide – including government agencies – have fallen victim to a critical zero-day vulnerability in SharePoint (CVE-2025-53770), and the number is still rising.
The vulnerability, with a CVSS score of 9.8, is based on insecure deserialization of ViewState data, allowing unauthorized attacks on on-premises SharePoint environments.
ALTA-ICT understands how critical secure collaboration is for Dutch organizations. That’s why we share clear insights, including how to act quickly and effectively within the Netherlands, with measurable ROI and ISO-certified security.
What is CVE-2025-53770?
CVE-2025-53770 is a Remote Code Execution (RCE) vulnerability that exploits insecure deserialization of untrusted ViewState data within on-premises SharePoint environments.
This exploit chain, also known as “ToolShell,” bypasses earlier patches via new attack paths, thereby circumventing previous protections.
In attacks, web shells such as spinstall0.aspx have been installed, machine keys stolen and persistence obtained; in some cases ransomware such as “Warlock” has also been deployed.
While SharePoint Online within Microsoft 365 is not vulnerable, on-premises systems worldwide took heavy hits – think hundreds of servers, including at government agencies.
Implementation steps: what to do (in NL)?
Step 1: Patch immediately – Microsoft has released emergency updates:
- SharePoint Subscription Edition – KB5002768
- SharePoint 2019 – KB5002754
- SharePoint 2016 – KB5002760
Step 2: Rotate the MachineKey – Invalidate stolen cryptographic keys by generating new ones; patching alone does not help if the keys were already exfiltrated, because a stolen key still lets an attacker sign ViewState the server accepts. Then restart IIS via iisreset.exe.
Step 3: Visibility and detection –
- Enable AMSI (Antimalware Scan Interface).
- Use Defender and other EDR/MDR solutions to detect post-exploit activity.
- Look for web shells (spinstall0.aspx), unusual ViewState payloads and stolen machine keys.
Step 4: Segment network and isolate systems – Disconnect on-prem systems temporarily from Internet/public exposure. Consider ZTNA, business VPN and application segmentation.
Step 5: Incident response and threat hunting – Call in specialized IR teams, monitor logs and identify indicators of compromise (IoCs). Consider SIEM or Managed Detection within SOC services.
Step 6: Consider migration to SharePoint Online – Especially for organizations in healthcare, government or fintech, migration can help mitigate risk. SharePoint Online is not susceptible to this attack vector.
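The patch check, key rotation and web-shell hunt from Steps 1 to 3, as an added PowerShell example written for this page (it is not ALTA-ICT's or Microsoft's own script). It assumes it is run as an administrator in the SharePoint Management Shell on a farm server, that the Update-SPMachineKey cmdlet is available once the listed update is installed, and that the default SharePoint hive and IIS log locations apply; $ExpectedBuild is a placeholder the administrator fills in from Microsoft's release notes for the relevant KB.

```powershell
# Added example for this page (not the article's or Microsoft's code).
# Run as an administrator in the SharePoint Management Shell on a farm server.
# Assumptions are marked ASSUMPTION; values to fill in are marked PLACEHOLDER.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell
}

# PLACEHOLDER: the farm build number Microsoft publishes with the KB for your edition
# (KB5002768 for Subscription Edition, KB5002754 for 2019, KB5002760 for 2016).
$ExpectedBuild = [version]'0.0.0.0'

# Step 1: compare the farm build against the build that ships with the emergency update.
function Test-SPPatchLevel {
    param([version]$Expected = $ExpectedBuild)
    $current = (Get-SPFarm).BuildVersion
    [pscustomobject]@{
        CurrentBuild  = $current
        ExpectedBuild = $Expected
        Patched       = ($current -ge $Expected)
    }
}

# Step 2: rotate the ASP.NET machine keys on every web application (including Central
# Administration) and restart IIS so the new keys take effect. Rotation is needed even
# after patching: a key copied by the attacker still signs ViewState the server accepts.
function Invoke-SPMachineKeyRotation {
    # ASSUMPTION: Update-SPMachineKey is present on this farm (shipped with the listed updates).
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    & "$env:SystemRoot\System32\iisreset.exe"
}

# Step 3a: look for the web shell named in the article and for any .aspx file written
# recently in the SharePoint hive. Freshly patched files show up too, so compare the
# timestamps against your patch window.
function Find-SPSuspiciousAspx {
    param([int]$Days = 14)
    # ASSUMPTION: default hive location; adjust if SharePoint is installed elsewhere.
    $hive  = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions'
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $hive -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'spinstall0.aspx' -or $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length
}

# Step 3b: search the IIS logs for requests that touched the web shell.
function Find-SPWebShellRequests {
    # ASSUMPTION: default IIS log location; adjust to the site's configured log directory.
    param([string]$LogRoot = 'C:\inetpub\logs\LogFiles')
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'spinstall0.aspx' -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

# Usage: triage first, rotate keys once the patch is confirmed installed.
Test-SPPatchLevel | Format-List
Find-SPSuspiciousAspx | Format-Table -AutoSize
Find-SPWebShellRequests | Format-Table -AutoSize
# Invoke-SPMachineKeyRotation
```

Two caveats when using this: standard IIS W3C logs record the request line but not the POST body, so the "unusual ViewState payloads" the article mentions cannot be found in those logs alone and need request-body capture or EDR telemetry; and a hit on spinstall0.aspx in either function means the host should be treated as compromised and handed to incident response (Step 5), not just cleaned up.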
Challenges in the Netherlands
Dutch SMEs, hospitals (AVG/NEN7510) and public institutions (NORA, DNB) are at increased risk due to outdated SharePoint infrastructure.
Compliance with AVG, NEN7510 and BIO makes fast patching, logging and clear end-user communication essential. Available IT resources are limited, which can delay incident response and patch management.
ALTA-ICT offers ISO-certified support:
- ISO 27001 + NEN 7510 rigorous patch & security management.
- Measurable uptime & recovery of 99.9%.
- Connection to Dutch sectoral compliance (Healthcare, Finance, Government).
- Clear short- and long-term roadmap with legal assurance & reporting.
ROI of a proactive approach
- Cost savings: Rapid patching prevents costly incident response.
- Risk minimization: Limiting exposure, data loss, reputational damage and compliance failures.
- Strategic benefit: Partnering with ALTA-ICT delivers measurable benefits (uptime, SLAs, reporting) and strengthens trust with board and IT management.
- Outlook: By migrating to modern cloud architecture with hybrid or SharePoint Online over time, you reduce complex patch routines and increase scalability.
ALTA-ICT approach
Certifications & expertise:
- ISO 27001 & NEN 7510 compliance.
- Experience with AVG, NORA & DigiD integration.
- Incident handling and SOC services 24/7.
- Cloud and hybrid migration experience (including Microsoft 365).
Unique differentiator:
- Dutch-focused approach: understandable audits & reports, in Dutch.
- Customization for SMEs, financial institutions and healthcare institutions.
- No commercial sales talk – just clear advice.
- Immediate deployment and short lead times for patch rollouts and assessments.
FAQ
What if we use SharePoint 2016?
Patch KB5002760 is available; if delayed: temporarily isolate system and deploy IR team.
Is SharePoint Online secure?
Yes, SharePoint Online was not affected by this zero-day.
Why were new CVEs needed?
Because the first patch was insufficient; CVE-2025-53770/53771 contained stronger fixes.
How long does patch deployment take?
Within hours at ALTA-ICT, including testing & key rotation.
Do you also help with GDPR and compliance?
Sure! We connect technology with governance and documentation.
Conclusion
The “ToolShell” zero-day CVE-2025-53770 poses immediate danger to on-prem SharePoint environments, resulting in global ransomware threats as well as compromised government structures. Only acute patching, key rotation and threat detection offer immediate protection.
Would you like an immediate no-obligation consultation about your situation? At ALTA-ICT you get no sales talk, but clear insight and a customized action plan. Plan a meeting directly via our knowledge link.