Large-scale exploitation of new SharePoint RCE vulnerability chain identified
Essential information
- Published: 21/07/2025 10:15
- Modified: 21/07/2025 10:28
- Tags: 2025-07-21, CVE-2025-53770, CVE-2025-53771, exploit, on-premise, rce, sharepoint, vulnerability
- Related entities: 2 vulnerabilities (CVE), 4 observables, 4 techniques (MITRE)
Description
A new SharePoint remote code execution vulnerability chain, later assigned CVE-2025-53770 and CVE-2025-53771 by Microsoft, was discovered being exploited in the wild. The exploitation affected on-premises SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18 and 19, 2025. The first wave originated from a US-based IP address (107.191.58.76) at 18:06 UTC and deployed a file named spinstall0.aspx. The second wave, also from a US-based IP address (104.238.159.149), occurred at 07:28 UTC the following day. Two additional IP addresses were identified in connection with the attacks. Organizations are advised to patch their systems and to conduct a compromise assessment if they suspect they are affected.
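The compromise assessment the advisory recommends starts with the indicators it lists: the two source IP addresses and the dropped file name spinstall0.aspx. The script below is an added example, not part of the advisory, that walks IIS W3C-format access logs from a SharePoint front end and flags requests that match either indicator. The log lines, the server IP, the request paths and the third client address (203.0.113.77, from a documentation range) are all constructed for the example; the only values taken from the advisory are the two IP addresses and the file name. The file-name check matches regardless of the directory it was requested from, so it also catches the web shell being fetched from addresses the advisory does not name.

```python
"""Scan IIS W3C extended logs for the indicators named in the advisory."""

# Indicators taken from the advisory text (the two further IPs it mentions
# are not published there and are therefore not included).
ATTACK_IPS = {"107.191.58.76", "104.238.159.149"}
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample log in IIS W3C extended format. IIS writes fields
# space-separated and encodes spaces inside a value as '+', so a plain
# split on spaces is safe. Paths and internal IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-18 18:06:12 10.0.0.5 POST /_layouts/spinstall0.aspx - 443 107.191.58.76 Mozilla/5.0+(Windows) 200
2025-07-18 18:07:40 10.0.0.5 GET /sites/hr/default.aspx - 443 192.168.1.20 Mozilla/5.0+(Windows) 200
2025-07-19 07:28:03 10.0.0.5 GET /_layouts/spinstall0.aspx - 443 104.238.159.149 curl/8.0 200
2025-07-19 09:15:00 10.0.0.5 GET /_layouts/start.aspx - 443 192.168.1.33 Mozilla/5.0+(Windows) 200
2025-07-19 11:02:00 10.0.0.5 GET /_layouts/spinstall0.aspx - 443 203.0.113.77 python-requests/2.31 200
"""


def parse_iis_log(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The header can be repeated when IIS rotates logs; always honour the latest.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) or blank lines
        if fields is None:
            raise ValueError("request line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_indicators(lines):
    """Return the requests that match an advisory indicator, with the reason(s)."""
    hits = []
    for rec in parse_iis_log(lines):
        reasons = []
        client_ip = rec.get("c-ip", "")
        if client_ip in ATTACK_IPS:
            reasons.append(f"source IP {client_ip} listed in advisory")
        stem = rec.get("cs-uri-stem", "")
        # Compare only the final path component, case-insensitively, since IIS
        # paths are case-insensitive and the directory may vary.
        if stem.lower().rsplit("/", 1)[-1] == WEBSHELL_NAME:
            reasons.append(f"request for {WEBSHELL_NAME}")
        if reasons:
            hits.append({
                "timestamp": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "c-ip": client_ip,
                "method": rec.get("cs-method", ""),
                "uri": stem,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{hit['timestamp']} {hit['c-ip']} {hit['method']} {hit['uri']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the files under the IIS log directory for each SharePoint web application; a hit on the file name from an address not in ATTACK_IPS is the case worth escalating, since it indicates the web shell was present and being used after the initial waves.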