SharePoint Under Attack: CVE-2025-53770 and the Key That Opens Every Door

Microsoft SharePoint is the backbone of collaboration for thousands of enterprises: document libraries, internal portals, team sites. On-premises versions run on ASP.NET/IIS, and like any web app, they need a way to remember things between requests.

Enter the MachineKey.

It’s a cryptographic key that signs and sometimes encrypts data like ASP.NET’s __VIEWSTATE. With it, the server can tell if the data it gets back from a client is authentic. Without it, anyone could forge requests that look perfectly legitimate.

Unfortunately, a newly discovered zero-day vulnerability, CVE-2025-53770, lets attackers steal that key — and once they have it, they can do exactly that.

The Zero-Day

CVE-2025-53770 is a remote code execution flaw in SharePoint’s handling of serialized data.
It’s a variant of CVE-2025-49704, but with a critical twist: attackers don’t need to be authenticated. By sending a specially crafted request, often to /_layouts/15/ToolPane.aspx with a spoofed Referer header, they can bypass normal access checks and trigger unsafe deserialization.

If successful, the payload runs in the context of the SharePoint worker process. From there, attackers have a clear path to the MachineKey.

With the MachineKey in hand, attackers can:

  • Forge valid __VIEWSTATE data that executes arbitrary code.
  • Create fake authentication tokens that SharePoint will accept without question.
  • Move laterally to other SharePoint servers in the same farm (which often share keys).

In other words, a one-time exploit becomes a persistent, long-term compromise, even if the original vulnerability gets patched later.
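A toy model of what the MachineKey does for __VIEWSTATE, added here as an illustration and not code from the article or from ASP.NET: the validation key is modelled as a plain HMAC-SHA256 secret and a "ViewState" blob as base64(payload || mac), which is an assumption, not the real ViewState wire format or ASP.NET's key derivation. The walkthrough shows the four outcomes the paragraphs above describe: a normal round trip validates, tampering without the key is caught, anything signed with the leaked key passes the same check, and only a rotated key makes those blobs stop validating.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption for this illustration: the MachineKey validationKey is a raw
# HMAC-SHA256 secret and a ViewState blob is base64(payload || mac).
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key() -> bytes:
    """Fresh 64-byte validation key; rotating means calling this and redeploying it."""
    return secrets.token_bytes(64)


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Server side: attach a MAC so the payload can be checked when the client sends it back."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(validation_key: bytes, blob: str) -> Optional[bytes]:
    """Server side: return the payload only if its MAC validates under *this* key, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return payload


def tamper(blob: str) -> str:
    """Flip one payload bit without touching the MAC: all someone *without* the key can do."""
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def scenario(farm_key: bytes, rotated_key: bytes) -> dict:
    """Walk through the outcomes the article describes and report each as a boolean."""
    legit = sign_viewstate(farm_key, b"page-state:v1")
    # 1. Normal round trip: the server accepts the ViewState it issued.
    accepted = verify_viewstate(farm_key, legit) is not None
    # 2. Tampering without the key is detected by the MAC check.
    tampered_rejected = verify_viewstate(farm_key, tamper(legit)) is None
    # 3. Whoever holds the farm key produces blobs the server cannot tell apart
    #    from its own: the MAC check is the only gate, and the key opens it.
    leaked_key_blob = sign_viewstate(farm_key, b"state-chosen-by-key-holder")
    leaked_key_accepted = verify_viewstate(farm_key, leaked_key_blob) is not None
    # 4. After rotation, everything signed under the old key, legitimate or not,
    #    stops validating. Patching the RCE alone does not achieve this.
    old_blobs_rejected = (verify_viewstate(rotated_key, legit) is None
                          and verify_viewstate(rotated_key, leaked_key_blob) is None)
    return {
        "accepted": accepted,
        "tampered_rejected": tampered_rejected,
        "signed_with_leaked_key_accepted": leaked_key_accepted,
        "old_blobs_rejected_after_rotation": old_blobs_rejected,
    }


if __name__ == "__main__":
    for name, value in scenario(generate_validation_key(), generate_validation_key()).items():
        print(f"{name}: {value}")
```

The last outcome is the practical takeaway for responders: because the MAC is the only thing the server checks, a stolen key keeps working after the deserialization bug is patched, and it is replacing the key across every server in the farm that invalidates what was signed under it.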

How the Attacks Unfold

Incident responders say the playbook is already well-worn. It starts with attackers scanning for exposed SharePoint endpoints, then firing crafted serialized payloads at vulnerable paths like /_layouts/15/ToolPane.aspx. If the target hasn’t been patched, the server obligingly deserializes the payload and runs it, often giving the intruder PowerShell-level control or letting them plant a webshell.

From there, it’s a short hop to the real prize: the MachineKey hidden in web.config. With that in their pocket, attackers can generate trusted tokens and malicious ViewStates that will pass verification on any server in the same farm. The result is persistence that survives restarts, reboots, even some patch cycles. Once inside, they can quietly exfiltrate sensitive files, spread ransomware, or use the foothold as a launchpad deeper into the network.

Microsoft and CISA have confirmed at least seventy-five corporate servers compromised in this way, and that number is climbing.

Mitigations Until You Patch

The fix is straightforward: apply Microsoft’s updates for SharePoint 2019, Subscription Edition, and 2016 without delay. While waiting for maintenance windows, enable AMSI with Defender Antivirus in full mode to catch malicious ViewState payloads, and reduce your attack surface by pulling SharePoint off the open Internet or locking it behind VPN and strong authentication. Keep a close eye on logs for suspicious requests to /_layouts/15/ToolPane.aspx with odd Referer headers; they may be the only visible clue before a full breach.
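One way to do that log review, as an added example that is not part of the article: a small parser for IIS W3C logs (the format SharePoint's IIS sites write by default) that flags POST requests to ToolPane.aspx which are anonymous, carry no Referer, or carry a Referer whose host is not one of the farm's own hostnames. The log lines, the hostname sp.contoso.local and the client addresses are constructed for the example; the article does not say what the spoofed Referer value looks like, so the Referer checks here are generic heuristics to tune against your own baseline rather than a signature for the exploit.

```python
from typing import Dict, Iterable, Iterator, List, Set
from urllib.parse import urlsplit

# IIS paths are case-insensitive and _layouts pages are reachable under any site
# collection, so match the suffix in lower case rather than one exact path.
TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"

# Constructed sample log, not real traffic. Field order follows a typical IIS
# W3C "#Fields:" header; IIS writes "-" for empty values and "+" for spaces.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/team/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/team 200
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 python-requests/2.32 https://sp.contoso.local/_layouts/15/start.aspx 200
2025-07-19 10:01:10 10.0.0.5 POST /sites/team/_layouts/15/ToolPane.aspx - 443 CONTOSO\bob 10.0.0.51 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/team/SitePages/Home.aspx 200
2025-07-19 10:02:00 10.0.0.5 POST /_layouts/15/toolpane.aspx - 443 - 198.51.100.9 curl/8.0 - 200
2025-07-19 10:02:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\carol 10.0.0.60 Mozilla/5.0+(Windows+NT+10.0) https://attacker.example/landing 200
"""

# Hostnames this farm answers on (constructed for the example).
OWN_HOSTS: Set[str] = {"sp.contoso.local"}


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the last '#Fields:' directive."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def review_toolpane_request(rec: Dict[str, str], own_hosts: Set[str]) -> List[str]:
    """Return the reasons a record looks suspicious; an empty list means nothing to report."""
    if rec.get("cs-method", "").upper() != "POST":
        return []
    if not rec.get("cs-uri-stem", "").lower().endswith(TOOLPANE_SUFFIX):
        return []
    reasons: List[str] = []
    referer = rec.get("cs(Referer)", "-")
    if referer == "-":
        reasons.append("POST to ToolPane.aspx without a Referer")
    else:
        host = (urlsplit(referer).hostname or "").lower()
        if host not in {h.lower() for h in own_hosts}:
            reasons.append(f"Referer host {host!r} is not one of this farm's hostnames")
    # Editing a page through ToolPane.aspx is an authenticated action; an anonymous
    # POST to it is the access-check bypass the article describes.
    if rec.get("cs-username", "-") == "-":
        reasons.append("anonymous (unauthenticated) request")
    return reasons


def find_suspicious(lines: Iterable[str], own_hosts: Set[str]) -> List[dict]:
    """Run the review over a log and collect the records worth a closer look."""
    hits = []
    for rec in parse_iis_w3c(lines):
        reasons = review_toolpane_request(rec, own_hosts)
        if reasons:
            hits.append({
                "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": rec.get("c-ip", "-"),
                "user_agent": rec.get("cs(User-Agent)", "-"),
                "referer": rec.get("cs(Referer)", "-"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines(), OWN_HOSTS):
        print(f"{hit['time']} {hit['client']} {hit['referer']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run over the sample, the authenticated, same-host edit by bob is left alone while the two anonymous POSTs and the one with a foreign Referer are reported; point `find_suspicious` at `open(path)` for a real log file. Treat a hit as a reason to pull the SharePoint ULS logs and IIS request details for that client, not as proof of compromise on its own.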

Conclusion

CVE-2025-53770 isn’t just another RCE; it’s a reminder that in complex web apps, one stolen key can compromise an entire environment. SharePoint’s MachineKey is supposed to be the lock on your collaboration platform’s front door. Right now, for anyone unpatched, it’s also the attacker’s master key.

Patch fast, restrict access, and watch your logs. Once an adversary has your MachineKey, they don’t knock anymore; they walk right in.

Francesco Marotta
