
Sharepoint Backdoor To Doomsday
As 2025 ends, SharePoint Backdoor to Doomsday reveals how Chinese hackers exploited CVE-2025-53770 to breach America's nuclear infrastructure—the year's most catastrophic vulnerability.
On July 7, 2025, a major cyber operation began that would become one of the defining security events of the year. On its first day, exploitation of a zero-day vulnerability in Microsoft SharePoint Server compromised more than 400 organizations worldwide, among them the National Nuclear Security Administration, the federal agency that oversees the U.S. nuclear weapons inventory. This is the story of how an obscure flaw in legacy code became a national security crisis.
The Perfect Storm: When Old Code Meets New Threats
Microsoft SharePoint Server has been a core platform for enterprise collaboration since it entered the market in the early 2000s. Millions of organizations depend on on-premises deployments for document management, information sharing, and essential business processes. The software appeared stable, but it carried a hidden flaw that let attackers run arbitrary code without authenticating.
Security researchers would later designate the vulnerability CVE-2025-53770, and it was far from an average software bug. It carries a CVSS severity score of 9.8, the highest possible rating, because it lets an attacker bypass all authentication mechanisms and execute code remotely. The real story is where this flaw came from, why it existed at all, and how design choices dating back to the 1970s and 1980s came to endanger American national defense systems.
At the root of the problem is the tension between preserving backward compatibility and defending against new threats. SharePoint's codebase used the BinaryFormatter class, a .NET serialization mechanism that security researchers had flagged as insecure for many years. Microsoft deprecated BinaryFormatter in 2020 and stated that developers should never use it on untrusted data. Yet it remained in SharePoint's production code, serving millions of organizations, because removing it would have required substantial resources and risked breaking deployments.
The story of CVE-2025-53770 begins with understanding how unverified data entering SharePoint's request processing could reach this insecure deserialization mechanism. The results of that research proved highly significant.
The Anatomy of the Attack
To see how attackers exploited this vulnerability, follow the path of a malicious request through SharePoint.
An attacker sends an HTTP POST request to the /_layouts/15/ToolPane.aspx endpoint, a legitimate application page that serves tool pane content. The request's Referer header, however, points to /_layouts/SignOut.aspx, which makes it appear to originate from SharePoint's logout functionality.
That small detail decides the outcome. SharePoint's request processing pipeline contains conditional authentication logic, and requests that appear to come from the logout page are processed immediately, since a user who is signing out needs a prompt response regardless of session state. The exploit abuses this logic flaw: when SharePoint sees a Referer of SignOut.aspx, it relaxes its authentication requirements.
The attack has only begun. The body of the POST request carries a specially crafted object in .NET serialized format, built to abuse the deserialization process. SharePoint's legacy code path deserializes this data with BinaryFormatter, and what looks like a harmless operation becomes the crux of the attack.
During deserialization the malicious object's constructors and property setters run inside the SharePoint application pool, under SharePoint's own operating system identity. That identity is highly privileged: it can read and write the SharePoint content database, access configuration files holding encryption keys and database credentials, and create files in any of SharePoint's virtual directories.
In microseconds the attacker has turned an HTTP request into code running on a vital government server. The attack demands only basic technical skill, since crafting HTTP requests and generating serialized objects is routine for threat actors.
The Sophisticated Aftermath: Multi-Stage Persistence
The attack only begins with successful initial exploitation. The exploitation campaigns observed in the wild follow a sophisticated multi-stage playbook that converts initial code execution into durable control over deep infrastructure.
Stage 1 happens very quickly. The initial code execution drops a malicious ASPX web shell, a small file with an innocuous name such as spinstall0.aspx, into SharePoint's virtual directories. The web shell has three core features: a built-in password form for authenticating its operator, command execution through Windows cmd.exe, and file transfer. It gives the attacker continued access to the system.
Stage 2 is intelligence collection specific to SharePoint. Through the web shell, the attacker runs a sequence of commands to retrieve the server's cryptographic material. This includes three kinds of key material: ValidationKeys, which sign ASP.NET VIEWSTATE objects; DecryptionKeys, which protect sensitive information; and CompatibilityMode settings, which determine which version of the encryption algorithm is in use. These are harvested from the SharePoint configuration database and the Windows registry.
This stage shows the attackers' deep understanding of .NET application architecture. They know that stolen keys let them create objects that SharePoint will treat as trusted content and execute without raising any alarm.
Stage 3 puts the stolen cryptographic material to use. Attackers use the keys to forge malicious ASP.NET VIEWSTATE objects, the serialized state that ASP.NET applications use to preserve session data. These crafted VIEWSTATE objects carry payloads designed to execute code; the ysoserial tool automates the generation of the gadget chains that achieve remote code execution.
The attacker encrypts the forged VIEWSTATE objects with the stolen DecryptionKeys and signs them with the stolen ValidationKeys. To SharePoint the resulting web requests look legitimate, and when the application deserializes the objects it wrongly treats them as coming from authorized internal systems. The payload runs malicious code inside SharePoint that survives reboots, security patch installation, and routine web shell removal.
Stage 4 establishes backup access that remains available if the primary channel fails. Advanced campaigns install custom IIS (Internet Information Services) modules, plugins that run inside the IIS request processing pipeline before the SharePoint application is ever invoked. Because they sit at a lower layer of the architecture, these modules keep working even after web shells are found and deleted and after the server is patched.
Stage 5 is reconnaissance. Using their persistent access, the attackers run commands to enumerate the Active Directory structure, network share contents, running services, installed security software, and accessible file systems. This reconnaissance identifies which systems to target next for lateral movement within the organization.
Within hours of initial exploitation, the attacker has turned a single vulnerability into a complete network breach built on multiple access methods, cryptographic tooling, and a full understanding of the target's internal structure.
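As an added example (not part of the original article), the following Python scans an IIS W3C log for the two request patterns described above: a POST to ToolPane.aspx carrying a SignOut.aspx Referer, and a request to a known web shell name under /_layouts/. The log excerpt, host names and IP addresses are constructed for illustration; the field layout is the standard IIS W3C format.

```python
"""Scan IIS W3C logs for the request patterns described in this campaign."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple
from urllib.parse import unquote

# Constructed sample excerpt in IIS W3C format (not real traffic; IPs and
# host names are placeholders).  Lines 4 and 5 are the suspicious ones.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:44 10.0.0.5 GET /sites/hr/default.aspx - 443 alice 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr 200 0 0 120
2025-07-18 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 350
2025-07-18 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
2025-07-18 03:14:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 bob 10.0.1.21 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200 0 0 90
"""

# Web shell file name given in the article; extend from your own IR findings.
KNOWN_WEBSHELL_NAMES = {"spinstall0.aspx"}
# Layouts pages may be served from /_layouts/ or a versioned /_layouts/15/ path.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$")
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    client_ip: str
    uri: str


def parse_w3c(text: str) -> Iterator[Tuple[int, dict]]:
    """Yield (line number, field dict) per record, honouring #Fields headers."""
    fields: List[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated records, do not guess
                yield n, dict(zip(fields, parts))


def scan(text: str) -> List[Finding]:
    findings = []
    for n, rec in parse_w3c(text):
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        referer = unquote(rec.get("cs(Referer)", "")).lower()
        ip = rec.get("c-ip", "-")
        if (rec.get("cs-method", "").upper() == "POST"
                and TOOLPANE_RE.search(stem) and SIGNOUT_REFERER_RE.search(referer)):
            findings.append(Finding(n, "toolpane-post-with-signout-referer", ip, stem))
        if "/_layouts/" in stem and stem.rsplit("/", 1)[-1] in KNOWN_WEBSHELL_NAMES:
            findings.append(Finding(n, "known-webshell-name", ip, stem))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip} -> {f.uri}")
```

A production version would also alert on any unexpected .aspx under /_layouts/ against a baseline of shipped pages, since the article notes attackers varied the web shell name.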
The Nation-State Connection: When Foreign Powers Join the Attack
CVE-2025-53770 goes beyond a typical security breach because foreign governments were directly involved. Microsoft's threat intelligence team identified three Chinese state-sponsored threat actors exploiting the vulnerability at the same time.
Linen Typhoon is a long-standing Chinese intelligence service actor, active since at least 2012. The group's operations have centered on stealing intellectual property from government agencies, defense contractors, strategic planning organizations, and human rights institutions. Researchers describe the group as using "drive-by compromise" methods, and its behavior matches information-gathering operations in support of national strategic goals.
A second Chinese state-linked actor, Violet Typhoon, used the same vulnerability in its own attacks. That multiple state-backed groups operated simultaneously means they either collaborated or discovered and activated the exploit independently; either way, it confirms how essential the vulnerability was to Chinese intelligence operations.
Storm-2603 is a financially motivated actor pursuing two separate goals. The group conducts espionage while also using the SharePoint breach to distribute Warlock ransomware. Storm-2603 represents a new threat actor business model that pairs intelligence collection with immediate demands for payment.
Targeting patterns reflect the attackers' different operational goals. The intelligence-focused groups went after U.S. government agencies, defense contractors, technology consulting firms with classified access, research-performing higher education institutions, and policy think tanks. The financially motivated operators focused on technology businesses, manufacturing plants, critical infrastructure providers, financial organizations, and healthcare facilities, entities whose critical systems could be monetized through extortion.
When initial exploitation was publicly disclosed, 9,717 on-premises SharePoint servers were found exposed to the exploit. The confirmed count of exploited organizations is only a fraction of the installations at risk, and the true extent of exploitation exceeds 400 organizations.
The Response: Racing Against Time and Inertia
U.S. cybersecurity authorities took an unprecedented approach in publicly disclosing CVE-2025-53770. On July 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to defend federal networks against the actively exploited vulnerability, requiring all federal agencies to patch immediately and treating the flaw as a national security emergency.
The response exposed a troubling pattern. Public disclosure of the vulnerability, together with the CISA directives, did not stop thousands of exposed servers from being exploited. Organizations kept being identified as compromised, revealing two major problems: they were unable to deploy the security patches, and they did not grasp the severity of the situation.
The window between public disclosure of a vulnerability and completion of patching is itself a critical exposure. Automated exploit tooling and rapid adoption by threat actors have shrunk that window to a matter of days, and organizations that fail to patch within it face a high probability of compromise.
Remediation itself proved complex. Patching the initial vulnerability addressed only the first stage of the attack; several further steps were required. Cryptographic machine keys had to be rotated, which demanded coordination across distributed SharePoint farms. Web shells had to be removed, a task complicated by attackers' varied naming schemes and obfuscation techniques. IIS modules and request handlers had to be inspected for implanted persistence mechanisms. And forensic analysis was needed to establish both the extent and the duration of the compromise.
Complete remediation took organizations weeks and required security, infrastructure, and operations teams to work together. In the gap between detecting a compromise and fully restoring the system, attackers retained their access, obtaining sensitive information and establishing new backup access points.
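To illustrate why the key rotation step above matters against the Stage 3 VIEWSTATE forgery, here is a small added Python model, not code from the article or from Microsoft. It reduces ViewState protection to an HMAC over the serialized state under the ValidationKey and ignores the DecryptionKey encryption layer and .NET serialization; a field signed with a stolen key validates until the key is rotated, whether or not the server has been patched.

```python
"""Minimal model of ASP.NET ViewState MAC validation (HMAC-SHA256 with the
ValidationKey).  Model only: real ViewState is also encrypted with the
DecryptionKey and carries .NET-serialized state, neither of which is
modelled here."""
import base64
import hashlib
import hmac
import os
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, state: bytes) -> str:
    """What the server does on every response: append a MAC, base64-encode."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def validate_viewstate(validation_key: bytes, field: str) -> Optional[bytes]:
    """What the server does on postback: return the state only if the MAC
    verifies under the current key; None means the field is rejected."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def stolen_key_scenario() -> dict:
    """Stage 3 from a defender's view: a field signed with the server's key
    is accepted; tampering is caught; only rotating the key rejects it."""
    server_key = os.urandom(64)                 # ValidationKey at rest on the server
    # Constructed placeholder; a real payload would be a serialized object.
    state = b"<serialized state controlled by whoever holds the key>"
    field = sign_viewstate(server_key, state)   # anyone holding the key can do this
    tampered = base64.b64encode(b"x" + base64.b64decode(field)[1:]).decode()
    rotated_key = os.urandom(64)                # after remediation rotates machine keys
    return {
        "accepted_with_stolen_key": validate_viewstate(server_key, field) == state,
        "tampered_rejected": validate_viewstate(server_key, tampered) is None,
        "rejected_after_rotation": validate_viewstate(rotated_key, field) is None,
    }


if __name__ == "__main__":
    print(stolen_key_scenario())
```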
Today's threats operate under conditions very different from those that existed when developers built the original codebase.
The successful exploitation of CVE-2025-53770 exposes a fundamental design tension in modern enterprise software. The development community faces a dilemma: preserve existing systems that depend on outdated technology, or build new security systems on modern technology.
BinaryFormatter, long marked for removal from SharePoint's production code, stayed in place because the organization judged removing it more costly than the security risk it posed. That miscalculation, which ended in disaster, shows how today's security posture depends on enterprise software built in previous decades.
The deserialization flaw is one instance of a broader pattern of enterprise software weakness: insecure development patterns kept alive for compatibility, authentication flaws that allow request tampering, and dangerous code components left active in systems that serve vast user bases.
The incident shows that no amount of network defense, threat hunting, or endpoint security can compensate for basic architectural weaknesses in essential software. Once an attacker can execute code through CVE-2025-53770, those defenses are moot, because the attacker already sits inside the system's most trusted environment.
The Broader Implications: Threat Evolution and Supply Chain Risk
The rapid spread of CVE-2025-53770 across threat groups, from nation-state intelligence agencies to financially motivated criminals, shows how widely exploit capabilities now circulate. Once the vulnerability was publicly disclosed, exploit code and complete attack methods quickly propagated among threat actor groups.
This pattern means future critical vulnerabilities will arrive with major consequences. Organizations can no longer wait to patch critical flaws; accelerated exploitation timelines mean sophisticated attackers will begin exploiting essential components of enterprise infrastructure within days or even hours.
The incident also demonstrated supply chain risk: businesses run sophisticated software developed by vendors outside their own facilities. Organizations must trust that Microsoft's patches are complete and working. Vulnerabilities are discovered by organizations and threat actors at the same time, each through their own independent research, so modern vulnerability disclosure offers no asymmetric information advantage.
Organizations still running outdated on-premises systems must now treat CVE-2025-53770 as an urgent reason to migrate to Microsoft 365 SharePoint Online, which is not affected by this vulnerability.
Conclusion: The Cost of Compatibility
The global exploitation of CVE-2025-53770, which struck more than 400 organizations including America's nuclear weapons management system, marks a major threshold for enterprise cybersecurity defense. It shows that basic software components remain exposed because of outdated code that organizations keep for the sake of backward compatibility.
In the initial period after the attack, nation-state actors and criminal organizations alike showed that a well-crafted HTTP request was enough to take complete control of mission-critical systems. The active campaigns demonstrate attackers with a deep understanding of .NET internals, the ability to obtain cryptographic material, and the means to establish enduring persistence.
Network defenses lost their effectiveness because the software's fundamental design contained structural flaws. Organizations must face the uncomfortable reality that compatibility decisions made years or decades ago still govern their security posture today, and that the total cost of maintaining those systems will exceed the cost of moving to contemporary solutions.
Preserving outdated code for backward compatibility is no longer defensible when the threat environment keeps changing and attackers need less and less time to find and exploit vulnerabilities. The CVE-2025-53770 incident marks the beginning of a new era, one in which keeping outdated components in production systems causes not only operational problems but critical security weaknesses.
