
A newly disclosed vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, is being actively exploited in the wild. The flaw allows remote, unauthenticated attackers to write arbitrary files to the server’s web-accessible directories. In practical terms, this enables adversaries to upload malicious .aspx files, such as web shells, and achieve remote code execution (RCE) on the affected system.
Microsoft has not yet released a patch for the vulnerability. Given the simplicity of the exploit and the critical nature of the impact, organizations running exposed SharePoint instances should take immediate action to mitigate risk. Evidence from multiple threat intelligence sources confirms that exploitation is ongoing across internet-facing deployments.
Summary
Vulnerability: Unauthenticated file write in Microsoft SharePoint via InfoPath Forms Services, leading to remote code execution.
CVE: CVE-2025-53770
Impact: Allows unauthenticated attackers to upload arbitrary files (such as web shells) to the SharePoint webroot. This results in full remote code execution under the application pool identity.
Affected Versions: Specific affected versions have not been published by Microsoft as of July 21, 2025. Exploitation has been observed on SharePoint Server 2019 and may affect other supported on-prem versions with InfoPath Forms Services enabled.
Severity: Critical
Fix: No patch available at this time.
How the attack works
At the core of this vulnerability is a legacy feature in SharePoint: InfoPath Forms Services. This component processes structured XML forms submitted by users. In affected versions, attackers can submit a specially crafted InfoPath form that tricks SharePoint into saving an arbitrary file to a web-accessible location.
By writing a file like shell.aspx into the SharePoint webroot, the attacker can immediately trigger it through a browser request. This provides full code execution under the context of the SharePoint application pool. No authentication is required at any stage.
The technique is trivial to automate and requires no special privileges. A single unauthenticated HTTP POST request is enough to deliver and activate the payload.
Exploitation in the wild
This vulnerability is not theoretical. According to reports from Eye Security and several incident response teams, attackers are already exploiting CVE-2025-53770 to gain access to vulnerable SharePoint instances.
In most observed cases, attackers upload .aspx web shells that provide ongoing access to the system. Some use the initial foothold to deploy additional malware or pivot further into the network.
Many of the attacks appear opportunistic. Scans for exposed SharePoint instances are already widespread, targeting public-facing deployments with InfoPath enabled.
What makes this so dangerous
CVE-2025-53770 is a rare combination of severity, simplicity, and impact.
First, it requires no authentication. The attacker does not need credentials or existing access. Second, the file write happens in a location that allows remote triggering. Once the malicious file is saved, code execution is immediate. Third, SharePoint is widely deployed in large organizations and often overlooked as an internet-facing asset.
In short, a single exposed service can lead to complete domain compromise.
Because SharePoint often integrates with identity systems and document repositories, the fallout from exploitation can include credential theft, data loss, and ransomware deployment. Legacy functionality like InfoPath, which is rarely reviewed or tested, creates an ideal entry point for attackers.
Mitigation steps
Microsoft has not yet released a patch for CVE-2025-53770. Until one becomes available, mitigation is the only option.
1. Disable InfoPath Forms Services
If you are not actively using InfoPath, disable it across all SharePoint web applications. This closes the main attack vector.
2. Audit anonymous access
Ensure that anonymous access is not enabled on any SharePoint zones or application pools unless explicitly required. Many attacks rely on default or legacy configurations.
3. Inspect webroots for shells
Search your SharePoint directories for newly created .aspx files. These are commonly used to deliver web shells. You can use a command like the following to help:
# In Windows PowerShell the pipe must end the line; a leading "|" on the next line is a parse error
Get-ChildItem -Recurse -Filter *.aspx -Path "C:\inetpub\wwwroot\wss\VirtualDirectories" |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) }
# CreationTime can be altered by an attacker; compare LastWriteTime as well before ruling a file out
Any unexpected files should be treated as suspicious and investigated immediately.
4. Monitor logs for suspicious activity
Check for unusual POST requests to endpoints under /FormServerTemplates/. These are often used to deliver the malicious payload. Also watch for any execution activity from w3wp.exe, especially if it involves PowerShell or network connections.
Continuous detection
Hadrian is actively scanning customer environments for signs of exploitation related to CVE-2025-53770. Specifically, we are identifying potential web shells that may have been dropped through this attack path.
At this stage, Hadrian is not scanning for the vulnerability itself, as Microsoft has not released technical details or detection guidance. Our current focus is on surfacing indicators of compromise that point to successful exploitation, allowing customers to respond quickly and contain the threat.
We will expand detection coverage as new information becomes available and continue to support customers with advisory updates.
Indicators of compromise
If your organization runs SharePoint and has not yet disabled InfoPath, watch for the following:
- Newly created .aspx files in SharePoint webroot directories
- POST requests to _layouts/15/ToolPane.aspx from unknown IPs
- PowerShell execution under w3wp.exe
- Outbound connections from SharePoint servers to rare destinations
These signs may indicate that an attacker has successfully exploited the vulnerability and established access.
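To triage IIS access logs for the request-level indicators above (POSTs to _layouts/15/ToolPane.aspx and to endpoints under /FormServerTemplates/ that are anonymous or come from outside your own address space), here is an added Python example that is not part of the original advisory or of Hadrian's tooling; the log excerpt, the 10.0.0.0/8 trusted range, the user names and the client IPs are constructed placeholders.

```python
import ipaddress

# Constructed IIS W3C log excerpt for demonstration only; the hosts, client
# IPs, users and timestamps are placeholders, not data from a real incident.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:12:41 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 200
2025-07-20 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 python-requests/2.31 200
2025-07-20 03:13:05 10.0.0.5 POST /FormServerTemplates/example.xsn - 443 - 198.51.100.23 python-requests/2.31 200
2025-07-20 03:14:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.80 Mozilla/5.0 200
"""

# Assumption: the organisation's own address space; POSTs from outside it are
# the "unknown IPs" the advisory refers to.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_STEMS = ("/_layouts/15/toolpane.aspx",)
WATCHED_PREFIXES = ("/formservertemplates/",)

def parse_w3c(text):
    """Parse IIS W3C extended log text into one dict per request line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # '-' or garbage in the c-ip column
        return False

def find_suspicious(rows):
    """Flag POSTs to the watched endpoints that are anonymous or from untrusted IPs."""
    hits = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        watched = stem in WATCHED_STEMS or stem.startswith(WATCHED_PREFIXES)
        if r.get("cs-method") != "POST" or not watched:
            continue
        anonymous = r.get("cs-username", "-") == "-"
        if anonymous or not is_trusted(r.get("c-ip", "")):
            hits.append(r)
    return hits
```

Feed parse_w3c the contents of the site's log files under C:\inetpub\logs\LogFiles to run it against a real server; ToolPane.aspx is also used by legitimate page editing, so authenticated requests from the trusted range are deliberately not flagged.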
Final thoughts
This is one of the most serious SharePoint vulnerabilities in recent years. It is simple to exploit, does not require authentication, and gives attackers the ability to execute code directly on the server.
Organizations that expose SharePoint to the internet should treat this as a priority. Disabling InfoPath and scanning for suspicious files is critical while waiting for an official fix.
Security teams should also review their external exposure strategy. SharePoint often flies under the radar during attack surface reviews, especially when legacy features like InfoPath remain active by default. This vulnerability highlights the importance of treating every exposed service as a potential entry point.
Hadrian will continue to monitor the situation, provide detection updates, and support our customers as Microsoft responds with a formal patch.