As part of the exploitation, attackers add a file named “spinstall0.aspx,” which is used to steal the Microsoft SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, security researchers reported. “As soon as this cryptographic material is leaked, the attacker can craft absolutely legitimate, signed __VIEWSTATE payloads,” Eye Security explained in its analysis.
Dutch cybersecurity firm Eye Security, which first identified the mass exploitation campaign, found the attacks started systematically targeting vulnerable servers on July 18, around 6:00 PM Central European Time. “Within hours, we identified more than dozens of separate servers compromised using the very same payload on the same filepath,” Eye Security researchers said in their analysis.
The severity of the threat prompted swift federal action, with CISA adding CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on Sunday, just two days after active exploitation was confirmed. “BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats,” the agency noted in its advisory, giving federal agencies until July 21 to implement mitigations.
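
One way to check IIS logs for the file named above, as an added example that is not from the article or from Eye Security: it parses W3C extended logs, flags requests whose file name is spinstall0.aspx, and groups them by client IP. The sample log lines, directory paths and IP addresses are constructed for illustration.

```python
"""Flag requests for spinstall0.aspx in IIS W3C extended logs."""
from collections import defaultdict

INDICATOR = "spinstall0.aspx"  # file name reported in the article

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 16:05:10 GET /sites/team/default.aspx - 198.51.100.20 200
2025-07-18 16:07:42 POST /example/dir/upload.aspx - 203.0.113.7 200
2025-07-18 16:07:45 GET /example/dir/SpInstall0.aspx - 203.0.113.7 200
2025-07-19 02:11:03 GET /example/dir/spinstall0.aspx - 192.0.2.44 404
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-19 05:30:00 192.0.2.44 GET /example/dir/spinstall0.aspx 200
"""

def parse_w3c(lines):
    """Yield one dict per request, honouring every #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def find_hits(lines):
    """Return requests whose URI file name equals the indicator (any case)."""
    return [rec for rec in parse_w3c(lines)
            if rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower() == INDICATOR]

def summarize(hits):
    """Group hits by client IP; a 200 means the server returned the file."""
    by_ip = defaultdict(lambda: {"first_seen": None, "served": False})
    for rec in hits:
        entry = by_ip[rec.get("c-ip", "-")]
        seen = f'{rec.get("date", "")} {rec.get("time", "")}'
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen
        entry["served"] = entry["served"] or rec.get("sc-status") == "200"
    return dict(by_ip)

if __name__ == "__main__":
    for ip, info in summarize(find_hits(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

IIS writes W3C log timestamps in UTC by default, so convert before comparing hits with the July 18, 6:00 PM Central European Time start of the campaign.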



