As part of the exploitation, attackers upload a file named “spinstall0.aspx,” which is used to steal the Microsoft SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, security researchers reported. “Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads,” Eye Security explained in its analysis.
Dutch cybersecurity firm Eye Security, which first identified the mass exploitation campaign, discovered the attacks began systematically targeting vulnerable servers on July 18, around 6:00 PM Central European Time. “Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath,” Eye Security researchers said in their analysis.
The severity of the threat prompted rapid federal action, with CISA adding CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on Sunday, just two days after active exploitation was confirmed. “BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats,” the agency noted in its advisory, giving federal agencies until July 21 to implement mitigations.
