
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Generated with Gemini

Unraveling the Critical Zero-Day SharePoint Vulnerability CVE-2025-53770

July 24, 2025

ExploreSec will be doing a live podcast recording on August 19. Details can be found at Meetup.com and will be available on the ExploreSec YouTube channel after the date.

Executive Summary

This summary gives a critical overview of CVE-2025-53770, a severe zero-day Remote Code Execution (RCE) vulnerability actively being exploited in on-premises Microsoft SharePoint servers. With a CVSS 3.1 score of 9.8 (Critical), this flaw allows unauthenticated attackers to execute arbitrary code and gain full system control without user interaction. The exploit, known as "ToolShell," is particularly dangerous because it not only achieves initial compromise but also steals cryptographic machine keys, enabling persistent access even after patching or reboots.

The urgency is amplified by its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog and widespread active exploitation campaigns targeting government, software, and telecommunications sectors globally. Organizations with internet-facing on-premises SharePoint servers should assume compromise and take immediate action.

Key actions include:

  • Immediate Patching: Apply Microsoft's latest security updates for SharePoint Server Subscription Edition (KB5002768) and SharePoint Server 2019 (KB5002754) on an emergency basis. Unsupported versions (2010, 2013) must be isolated or upgraded.

  • Crucial Post-Patching Step: Rotate ASP.NET Machine Keys (ValidationKey and DecryptionKey) to invalidate stolen cryptographic material and prevent persistent re-entry by attackers.

  • Interim Mitigations: If immediate patching is not possible, enable AMSI integration, deploy Microsoft Defender AV, and consider disconnecting public-facing servers from the internet.

  • Detection & Response: Actively hunt for Indicators of Compromise (IoCs) like suspicious process chains (w3wp.exe spawning cmd.exe then powershell.exe) and unexpected .aspx web shells. Initiate a rapid incident response if compromise is detected or assumed.

This incident underscores the critical need for continuous vulnerability management, proactive threat hunting, and a strong focus on securing fundamental IT infrastructure to defend against sophisticated, persistent threats.

The Looming Threat to On-Premises SharePoint

Organizations globally are facing an immediate and severe threat from CVE-2025-53770, a critical zero-day Remote Code Execution (RCE) vulnerability actively being exploited in the wild. This flaw specifically targets on-premises Microsoft SharePoint servers, posing a direct danger to collaborative environments and the sensitive data they hold. With a CVSS 3.1 base score of 9.8 (Critical), this vulnerability signifies the highest level of severity, indicating potential for complete system compromise without authentication or user interaction.

The confirmed active exploitation of CVE-2025-53770 underscores that this is not a theoretical risk but a present and ongoing attack. Threat actors were leveraging this vulnerability as a zero-day even before Microsoft's public disclosure, giving them a significant head start.

Unpacking the Vulnerability: What is CVE-2025-53770?

The root cause of CVE-2025-53770 is the "improper deserialization of untrusted data". Deserialization is the process by which an application converts data from a stored or transmitted format back into a usable object. When SharePoint deserializes specially crafted, malicious data from an attacker without sufficient validation, the result can be the execution of arbitrary code on the server. This type of flaw is categorized as CWE-502 (Deserialization of Untrusted Data), a well-known and high-impact vulnerability class. The persistence of such fundamental flaws, even in widely used enterprise software, points to a systemic challenge in secure software development and configuration.
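The mitigation for CWE-502 is to refuse to reconstruct any type the application did not expect. The following is an added example, not SharePoint or Microsoft code; it uses Python's pickle module as a runnable stand-in for .NET object deserialization, and the allow-list, the `DeserializationRejected` exception and the sample payloads are all constructed for this illustration. The point it shows is where the check has to sit: the type reference is refused before any constructor or callable from the untrusted stream is invoked.

```python
"""Allow-list deserialization as an illustration of the CWE-502 mitigation.
Added example (Python pickle standing in for .NET deserialization); the
allow-list and payloads below are constructed for the illustration."""
import datetime
import io
import pickle

# Only these (module, name) pairs may be resolved from untrusted bytes.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "str"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "bool"),
}


class DeserializationRejected(Exception):
    """Raised when a payload references a type outside the allow-list."""


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # pickle calls this for every global (class or function) the stream
        # references, before that global is used, so refusing here stops the
        # payload before any attacker-chosen code path can run.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise DeserializationRejected(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes, allowing only plain container/scalar types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the allow-listed loader refuses the payload."""
    try:
        safe_loads(data)
        return False
    except DeserializationRejected:
        return True


# Constructed payloads: plain data passes, a stream that references a type
# outside the allow-list (here datetime.date) is refused.
BENIGN_PAYLOAD = pickle.dumps({"site": "/sites/hr", "ids": [1, 2, 3]})
UNEXPECTED_TYPE_PAYLOAD = pickle.dumps(datetime.date(2025, 7, 24))


def roundtrip_benign():
    return safe_loads(BENIGN_PAYLOAD)


if __name__ == "__main__":
    print("benign:", roundtrip_benign())
    print("unexpected type rejected:", is_rejected(UNEXPECTED_TYPE_PAYLOAD))
```

The design choice worth noting is that the check is a closed allow-list of types, not a block-list of known-bad gadgets; block-lists are exactly what a "patch bypass" of the kind described in the next section gets around.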

This critical flaw impacts several on-premises Microsoft SharePoint Server versions: SharePoint Server 2016, SharePoint Server 2019, and the Subscription Edition. It is crucial to note that older, unsupported versions such as SharePoint Server 2010 and 2013 are also affected and are particularly vulnerable due to the absence of official security updates. It is important to clarify that SharePoint Online (Microsoft 365) is not affected by this vulnerability. However, organizations running self-managed SharePoint Server instances in cloud environments, such as Azure, AWS, or GCP, are indeed vulnerable, as the underlying software remains the same. Data indicates that approximately 9% of cloud environments currently host resources running these vulnerable self-managed SharePoint versions. This distinction highlights that simply moving infrastructure to the cloud does not automatically absolve organizations of their security responsibilities; the deployment model (SaaS vs. self-managed IaaS/PaaS) dictates the shared security burden.

The CVSS 3.1 base score of 9.8 assigned to CVE-2025-53770 underscores its severe implications. This score reflects an attack vector over the network, low attack complexity, no privileges required, and no user interaction needed, leading to high impacts on confidentiality, integrity, and availability. This combination makes the vulnerability exceptionally easy for attackers to exploit and achieve full system compromise, reinforcing the urgent need for action.

The "ToolShell" Exploit Chain: A Persistent Threat

The exploit chain leveraging CVE-2025-53770, publicly known as "ToolShell," first came to public attention at the Pwn2Own hacking competition in May 2025. During this event, Viettel Cyber Security demonstrated how to chain an authentication bypass (CVE-2025-49706) with a deserialization vulnerability (CVE-2025-49704) to achieve unauthenticated RCE on SharePoint. What makes the current situation particularly concerning is that CVE-2025-53770 is not an entirely new vulnerability, but rather a direct "patch bypass" for the previously addressed CVE-2025-49704. Similarly, CVE-2025-53771 acts as a patch bypass for CVE-2025-49706. This rapid cycle of exploit, patch, and bypass demonstrates a high level of sophistication among threat actors, who are actively reverse-engineering vendor patches to discover and exploit weaknesses, thereby significantly reducing the window for defenders to implement effective countermeasures.

The ToolShell exploit chain operates in a calculated, multi-stage process designed for initial compromise and long-term persistence:

  1. Stage 1: Authentication Bypass (leveraging CVE-2025-53771): The attack initiates with a crafted POST request targeting the /_layouts/15/ToolPane.aspx endpoint, a legacy component within SharePoint. The core of this authentication bypass relies on manipulating the Referer header, setting it to /_layouts/SignOut.aspx. This clever trick deceives the SharePoint server into treating the attacker's request as legitimate and authenticated, effectively bypassing initial security checks and granting privileged access.

  2. Stage 2: Remote Code Execution via Deserialization (CVE-2025-53770): Once authenticated access is established, the attacker proceeds to interact with the ToolPane.aspx endpoint. A carefully constructed malicious payload is then submitted within the body of the POST request. This payload triggers the insecure deserialization vulnerability (CVE-2025-53770), causing the SharePoint application to convert the attacker-controlled data into executable code on the server. This typically results in the deployment of a stealthy ASPX web shell, often named something like spinstall0.aspx, into a SharePoint directory. This web shell then provides persistent remote access to the compromised server.

  3. Stage 3: The Long-Game – Possessing Cryptographic Keys: This final stage is what distinguishes ToolShell as an exceptionally dangerous and persistent threat. Immediately after establishing the web shell, attackers utilize it to extract critical cryptographic material from the SharePoint server's machineKey configuration: specifically, the ValidationKey and DecryptionKey. The possession of these keys grants threat actors the ability to independently forge valid authentication tokens and __VIEWSTATE payloads. This means that even if the initial web shell is discovered and removed, or if the server is rebooted, the attackers can re-establish control and execute new malicious payloads on the compromised server at will. This capability transforms a temporary breach into a deep, cryptographic-level compromise, fundamentally altering the scope of remediation required.

Why This Vulnerability Demands Immediate Attention

The urgency surrounding CVE-2025-53770 is underscored by several critical factors, signaling a severe and active threat to organizations globally.

First, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025, just one day after Microsoft's disclosure. The KEV catalog is a curated list of vulnerabilities that are confirmed to be actively exploited by malicious cyber actors and pose significant risks. While CISA's Binding Operational Directive (BOD) 22-01 mandates remediation for federal agencies, CISA strongly urges all organizations, regardless of sector, to prioritize timely remediation of KEV vulnerabilities. This swift inclusion serves as a universal warning that the vulnerability is not only critical but is being actively weaponized and poses a proven, immediate threat to all sectors.

  • High Volume of Attacks: Cloudflare's WAF Managed Rules observed a significant peak of approximately 300,000 HTTP request matches for the vulnerability around 11 AM UTC on July 22. This immense volume indicates a large-scale, automated scanning and exploitation effort, targeting any exposed SharePoint server.

  • Confirmed Compromises: Reports confirm that the vulnerability has led to the compromise of at least 75 company servers, including major corporations and US government agencies. This demonstrates tangible, real-world impact across diverse targets.

  • Opportunistic Global Campaigns: Bitdefender's analysis confirms "active, widespread exploitation" globally, noting that these attacks are "typically opportunistic rather than highly targeted". This pattern indicates that while initial attacks might target high-value entities, once a zero-day is weaponized, it quickly transitions into automated scanning and exploitation campaigns, making every internet-facing, unpatched SharePoint server a potential target, regardless of the organization's size or perceived value.

  • Targeted Initial Attacks: Check Point Research identified the first exploitation attempts as early as July 7th, targeting a major Western government, with attacks intensifying on July 18th and 19th from specific IP addresses: 104.238.159.149, 107.191.58.76, and 96.9.125.147. These attacks have targeted sectors including government, software, and telecommunications in North America and Western Europe.

  • Behavioral Detections: Rapid7 has observed active exploitation in customer environments through specific behavioral indicators, such as w3wp.exe (IIS worker process) spawning cmd.exe, which then spawns powershell.exe -EncodedCommand. These process chains serve as high-confidence detections of successful exploitation.

  • Cloud Exposure: Even in cloud environments, Wiz data highlights that 9% of self-managed SharePoint instances are running vulnerable versions, extending the attack surface beyond traditional on-premises deployments and emphasizing that cloud hosting does not inherently guarantee security for self-managed applications.

Given the zero-day nature, confirmed active exploitation, and the sophisticated persistence mechanism (cryptographic key theft), the cybersecurity community's consensus is clear: "any organization with an on-premise SharePoint server on the Internet should assume it has been compromised and take immediate action to fully address this vulnerability". This proactive stance is critical because detection might come too late, and the focus must immediately shift to containment and comprehensive remediation. Furthermore, while initial compromise may occur rapidly, the most damaging follow-up attacks, such as ransomware deployment or data exfiltration, often occur days or even weeks later. This creates a crucial, albeit limited, window of opportunity for defenders to act and prevent further damage, emphasizing that a lack of immediate, obvious signs of compromise does not equate to safety.

Action Plan: Comprehensive Mitigation and Defense

Addressing CVE-2025-53770 requires a multi-faceted and urgent approach, encompassing immediate patching, crucial post-patching steps, and interim mitigations.

Prioritize Patching on an Emergency Basis:

The most critical and immediate step is to apply the latest security updates released by Microsoft. This must be done on an emergency basis, without waiting for regular patch cycles, as the vulnerability is actively exploited in the wild.

  • For SharePoint Server Subscription Edition, apply security update KB5002768.

  • For SharePoint Server 2019, apply security update KB5002754.

  • For SharePoint Server 2016, organizations should closely monitor Microsoft's official channels for the release of the patch.

  • Unsupported Versions (2010, 2013): These versions have reached end-of-life and will not receive official patches. They are considered highly exposed and should be immediately isolated from the network or upgraded to a supported version.

Crucial Post-Patching Step: Rotate ASP.NET Machine Keys:

This step is paramount and often overlooked. Attackers exploiting CVE-2025-53770 steal the SharePoint server's ValidationKey and DecryptionKey for persistent access, which can survive patches, server reboots, or the removal of web shells. Rotating these keys invalidates any cryptographic material potentially stolen by attackers, thereby severing their persistent foothold and preventing re-entry. This action is not merely a best practice but an absolutely essential component of full remediation for any potentially compromised system.

  • How to Perform: This can be done via PowerShell using the Update-SPMachineKey cmdlet or through SharePoint Central Administration (navigate to Monitoring > Review job definition, then locate and run the "Machine Key Rotation Job").

  • Final Step: Following key rotation, it is essential to execute iisreset.exe on all SharePoint servers to ensure the new keys are fully loaded and in effect.

Interim Mitigations (If Immediate Patching is Not Possible):

If security updates cannot be applied immediately, Microsoft and CISA strongly recommend implementing the following interim mitigations to reduce exposure:

  • Enable AMSI Integration & Deploy Defender AV: Configure Antimalware Scan Interface (AMSI) integration in SharePoint and ensure an antivirus solution, such as Microsoft Defender AV, is actively deployed on all SharePoint servers. This provides a crucial layer of defense against unauthenticated attacks and helps detect post-exploit activities. This demonstrates the importance of a layered security approach, providing protection when primary defenses like a direct patch are unavailable.

  • Disconnect Public-Facing Servers from the Internet: As a last resort, if AMSI cannot be enabled or patches cannot be applied immediately, it is strongly recommended to disconnect any affected public-facing SharePoint servers from the internet until official mitigations are fully in place. While this will disrupt services, it will prevent external exploitation and contain potential spread.

The necessity of both patching and key rotation for true remediation highlights a critical nuance in incident response for sophisticated attacks. Simply applying the patch closes the initial vulnerability, but it does not remove the attacker's ability to re-enter if they have already stolen the cryptographic keys. Therefore, security teams must understand the attacker's full kill chain, including persistence mechanisms, and implement corresponding countermeasures. Failure to perform key rotation means that even a patched system remains vulnerable to re-compromise by the same attacker, rendering significant remediation efforts ineffective. This underscores the importance of meticulously following detailed, vendor-specific guidance.

Detecting and Responding to Potential Compromise

Given the confirmed active exploitation as a zero-day and the nature of the persistence mechanism (cryptographic key theft), it is prudent for any organization with an internet-facing on-premises SharePoint server to "assume compromise". This proactive mindset is crucial for initiating a thorough and effective incident response, acknowledging that detection might already be too late for some systems.

Organizations must actively hunt for the following specific Indicators of Compromise (IoCs) within their environments:

  • Suspicious Process Chains: Monitor for unusual process execution, particularly w3wp.exe (the IIS worker process) spawning cmd.exe, which then spawns powershell.exe -EncodedCommand. This specific sequence is considered a high-confidence detection for this exploitation and is a prime example of why behavioral detection is crucial for zero-day threats where traditional signatures may not exist.

  • Suspicious File Creation: Look for the presence of unexpected or suspicious .aspx files, especially spinstall0.aspx, in SharePoint directories such as C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\. These files often serve as web shells for persistent access.

  • Network Activity Patterns: Monitor for POST requests directed to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which is the endpoint exploited by the ToolShell chain. Additionally, conduct scanning for connections to known attacker IP addresses, particularly those observed between July 18-19, 2025: 107.191.58.76, 104.238.159.149, and 96.9.125.147.

  • Security Rule Updates: Ensure that intrusion prevention system (IPS) and web application firewall (WAF) rules are updated to block known exploit patterns and anomalous behavior associated with this vulnerability.
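The IoCs listed above, and the request shape described in the ToolShell stage breakdown earlier in the post, can be turned into two hunting checks: one over IIS access-log lines (POST to ToolPane.aspx with DisplayMode=Edit, the Referer set to SignOut.aspx, and the reported source IPs) and one over process-creation events (w3wp.exe spawning cmd.exe spawning powershell.exe with an encoded command). The script below is an added example, not code from the post or from any of the vendors it cites. The W3C field order in `IIS_FIELDS` is an assumption and must be matched to the `#Fields` header of your own logs; the log lines and process events are constructed sample input; and the encoded-command regex generalizes slightly beyond the post by also matching the `-e`, `-ec` and `-enc` abbreviations PowerShell accepts for `-EncodedCommand`.

```python
"""Hunting helpers for the ToolShell IoCs over IIS logs and process events.
Added example; the log lines and events below are constructed, not captured."""
import re
from dataclasses import dataclass

TOOLPANE_PATH = "/_layouts/15/ToolPane.aspx"
SIGNOUT_REFERER = "/_layouts/SignOut.aspx"
# Source addresses reported for the 18-19 July 2025 activity.
REPORTED_ATTACKER_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Assumed W3C field order; align it with the #Fields header of your own IIS logs.
IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "c_ip", "referer", "status"]


def parse_iis_line(line):
    """Split one space-delimited W3C log line; header lines yield None."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def toolshell_reasons(rec):
    """Reasons (possibly none) why one request matches the ToolShell pattern."""
    reasons = []
    if rec["method"].upper() == "POST" and rec["uri_stem"].lower() == TOOLPANE_PATH.lower():
        reasons.append("POST to ToolPane.aspx")
        if "displaymode=edit" in rec["uri_query"].lower():
            reasons.append("DisplayMode=Edit query")
        # IIS logs '-' for an absent Referer, so a substring test is safe here.
        if SIGNOUT_REFERER.lower() in rec["referer"].lower():
            reasons.append("Referer set to SignOut.aspx")
    if rec["c_ip"] in REPORTED_ATTACKER_IPS:
        reasons.append("client IP in reported attacker list")
    return reasons


def hunt_iis_log(lines):
    """Return (client_ip, uri_stem, reasons) for every request that matches."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec:
            reasons = toolshell_reasons(rec)
            if reasons:
                hits.append((rec["c_ip"], rec["uri_stem"], reasons))
    return hits


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields a Sysmon event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# -EncodedCommand plus the abbreviations PowerShell accepts (-e, -ec, -enc);
# "-ExecutionPolicy" does not match because the lookahead needs a space or end.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)")


def _exe_name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_toolshell_chains(events):
    """Return (w3wp pid, cmd pid, powershell pid) for each
    w3wp.exe -> cmd.exe -> powershell.exe <encoded command> lineage.
    Lookup is by PID, so feed events from one boot only: PIDs are reused."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for child in by_pid.values():
        if _exe_name(child.image) != "powershell.exe" or not ENCODED_FLAG.search(child.cmdline):
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or _exe_name(parent.image) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or _exe_name(grandparent.image) != "w3wp.exe":
            continue
        chains.append((grandparent.pid, parent.pid, child.pid))
    return chains


# Constructed sample log: a benign GET, a ToolShell-shaped POST from a reported
# IP, and a POST from an internal admin editing a web part with a normal Referer.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 21:03:11 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 - 200
2025-07-18 21:04:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 /_layouts/SignOut.aspx 200
2025-07-18 21:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.77 https://intranet.example/sites/hr 200
""".splitlines()

# Constructed sample events; "QUFBQQ==" is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    ProcEvent(1204, 668, r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "SharePoint - 80"'),
    ProcEvent(3316, 1204, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -EncodedCommand QUFBQQ=="),
    ProcEvent(3340, 3316, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -EncodedCommand QUFBQQ=="),
    # Benign: a scheduled script, not under w3wp.exe and with no encoded command.
    ProcEvent(4100, 980, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_IIS_LOG):
        print("web:", hit)
    for chain in find_toolshell_chains(SAMPLE_EVENTS):
        print("process chain (w3wp, cmd, powershell):", chain)
```

On the sample input the third log line also matches, with only the "POST to ToolPane.aspx" and "DisplayMode=Edit" reasons: a legitimate administrator editing a web part produces the same POST, so treat a bare ToolPane POST as a lead and the SignOut.aspx Referer (or a reported source IP) as the high-confidence signal. The process-chain check is the stronger of the two, which is why the post calls it a high-confidence detection.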

If compromise is assumed or detected, a rapid and comprehensive incident response must be initiated:

  • Isolate and Shut Down: Immediately isolate or shut down affected servers to prevent further compromise and lateral movement within the network.

  • Revoke and Rotate Credentials: Revoke any potentially compromised user accounts or service accounts, and rotate all associated secrets and credentials.

  • Audit and Minimize Privileges: Conduct a thorough audit of SharePoint layout and administrative privileges, minimizing access to only what is strictly necessary.

  • Engage Incident Response Teams: Engage your internal Security Operations Center (SOC) or external incident response specialists for a deep forensic investigation, eradication, and recovery.

  • Comprehensive Logging: Ensure comprehensive logging is enabled and reviewed regularly to identify exploitation activity and aid in forensic analysis.

The observation that initial compromise often serves as a "beachhead," with the most damaging follow-up attacks (e.g., ransomware, data exfiltration) occurring days or weeks later, highlights a critical "window of opportunity" for defenders. This implies that rapid detection and a well-rehearsed incident response plan are paramount. The focus shifts from merely preventing initial access to minimizing the blast radius and preventing subsequent, more damaging attack phases. This reinforces the need for strong internal communication, clear escalation paths, and pre-defined playbooks for critical incidents that prioritize containment and eradication before the attacker can achieve their ultimate objectives.

Conclusion

CVE-2025-53770 represents a critical and actively exploited zero-day threat to on-premises Microsoft SharePoint servers. Its high severity, coupled with the sophisticated "ToolShell" exploit chain's ability to achieve persistent access through cryptographic key theft, demands immediate and decisive action from all affected organizations.

The imperative is clear: apply the latest security updates without delay, and crucially, rotate your ASP.NET Machine Keys to invalidate any potentially stolen cryptographic material. Implement interim mitigations like enabling AMSI and deploying robust antivirus solutions, and be prepared to disconnect public-facing servers if patching is not immediately feasible. Beyond these urgent steps, cultivate a proactive security posture by investing in continuous vulnerability management, proactive threat hunting, and a strong focus on foundational infrastructure security.

Links and Contributions

  • https://msrc.microsoft.com/blog/categories/msrc/

    • Contribution: This Microsoft Security Response Center (MSRC) blog served as a primary source for confirming Microsoft's awareness of the active attacks targeting on-premises SharePoint servers and the assignment of CVE-2025-53770. It also provided initial guidance on mitigations and detections.

  • https://blog.cloudflare.com/cloudflare-protects-against-critical-sharepoint-vulnerability-cve-2025-53770/

    • Contribution: This article was crucial for detailing the "ToolShell" exploit chain, including its origin at the Pwn2Own competition and its nature as a patch bypass for previous vulnerabilities. It provided a breakdown of the three attack stages (authentication bypass, RCE via deserialization, and cryptographic key theft for persistence). It also offered insights into the widespread nature of the attacks, citing Cloudflare's WAF Managed Rules observations of high HTTP request matches.

  • https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/

    • Contribution: This Check Point Research blog provided specific details on the active exploitation, including the earliest observed attack dates (July 7th), the intensification of attacks from specific IP addresses, and the targeted sectors (government, software, telecommunications) and geographies (North America, Western Europe). It also highlighted the chaining of CVE-2025-53770 with other vulnerabilities like Ivanti EPMM flaws.

  • https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/

    • Contribution: This Rapid7 blog confirmed the zero-day exploitation of CVE-2025-53770 and its classification as a patch bypass. It detailed the sophisticated nature of the campaign, emphasizing the goal of establishing persistent access through cryptographic key extraction. It also provided high-confidence behavioral detection indicators, such as specific process chains (w3wp.exe spawning cmd.exe then powershell.exe).

  • https://www.indusface.com/blog/key-cybersecurity-statistics/

    • Contribution: This resource provided valuable statistics on the increasing volume of Common Vulnerabilities and Exposures (CVEs) reported annually and daily. It also offered data on the surge in vulnerability-based attacks, linking it to the growing accessibility of Large Language Model (LLM) tools, and statistics on breaches related to application vulnerabilities and stolen credentials.

  • https://www.cvedetails.com/cve/CVE-2025-53770/

    • Contribution: This site provided core technical details about CVE-2025-53770, including its CVSS 3.1 base score of 9.8 (Critical), its classification as CWE-502 (Deserialization of Untrusted Data), and confirmation of its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog. It also outlined CISA's recommended interim mitigation actions.

  • https://www.axonius.com/blog/cve-2025-53770

    • Contribution: This blog post was used to confirm the critical nature of the vulnerability, the affected SharePoint Server versions (2016, 2019, Subscription Edition), and Microsoft's recommended remediation steps, including the crucial process of rotating ASP.NET machine keys and restarting IIS. It also reiterated interim mitigations like AMSI integration and disconnecting public-facing servers.

  • https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k

    • Contribution: This article offered a comprehensive overview of both CVE-2025-53770 and CVE-2025-53771, detailing their roles in the "ToolShell" exploit chain. It provided specific affected SharePoint versions, clarified that SharePoint Online is not affected, but self-managed cloud instances are. It also outlined the exploit's stages, including the specific endpoint and the theft of cryptographic keys, and provided detailed patching and mitigation instructions.

  • https://tech.co/news/data-breaches-updated-list

    • Contribution: This resource provided recent real-world examples of significant data breaches, such as those affecting Anne Arundel Dermatology, Compumedics USA, and McLaren Health Care. These examples were used to illustrate the severe financial, reputational, and compliance risks associated with successful cyberattacks.

  • https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-rce-vulnerability-microsoft-sharepoint-server-cve-2025-53770ce

    • Contribution: Bitdefender's analysis confirmed widespread, opportunistic exploitation globally and highlighted that initial compromise often serves as a "beachhead" for more damaging follow-up attacks days or weeks later, emphasizing a crucial window of opportunity for defenders. It also provided specific patching instructions and reinforced the importance of rotating ASP.NET Machine Keys.

  • https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770

    • Contribution: This CISA alert confirmed the agency's awareness of active exploitation and the addition of CVE-2025-53770 to the KEV catalog. It provided specific Indicators of Compromise (IoCs) for monitoring, including suspicious POST requests and attacker IP addresses, and recommended updating intrusion prevention system (IPS) and web application firewall (WAF) rules.

  • https://www.cisa.gov/news-events/alerts/2025/07/20/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-catalog

    • Contribution: This CISA announcement explicitly stated the addition of CVE-2025-53770 "ToolShell" to the Known Exploited Vulnerabilities (KEV) catalog, underscoring its confirmed active exploitation and the agency's strong recommendation for all organizations to prioritize its remediation.

  • https://timesofindia.indiatimes.com/technology/tech-news/microsoft-sharepoint-zero-day-breach-hits-75-servers-heres-what-the-company-said/articleshow/122805393.cms

    • Contribution: This news article confirmed the active exploitation of the zero-day vulnerability, reporting that it had led to the compromise of at least 75 company servers, including major corporations and US government agencies. It reiterated the CVSS score, the deserialization root cause, and the theft of cryptographic keys for persistent access.

Categories: News, Advice. Tags: Vulnerability, Zero Day, Incident Response, threat intelligence

Avoiding Legal Landmines in Incident Response: A Practical Guide for Security Teams

December 10, 2024

The information provided in this blog post does not, and is not intended to, constitute legal advice; rather, the ensuing conversation is for general informational purposes only.

In today’s cybersecurity landscape, responding swiftly and effectively to security incidents is critical. However, navigating the legal implications during an incident is equally vital to protect an organization from further liabilities. This guide covers essential strategies for avoiding the most common legal pitfalls in incident response (IR), based on insights from my recent podcast episode with cybersecurity attorney Thomas Ritter, “Exploring Legal Landmines in Incident Response.”

Use Careful Terminology: “Incident” vs. “Breach”

When a security event occurs, the language you use to describe it can have significant legal implications. Terms like “breach” have specific legal definitions that can trigger mandatory notification requirements or other regulatory obligations. As a best practice, use neutral terms like “incident” until the situation is fully assessed by legal counsel.

  • Tip: Train your teams on preferred terminology and involve legal early in the process to make sure everyone understands when and how to escalate terms like “breach.”

Establish Attorney-Client Privilege Early

Engaging external counsel immediately after a security incident helps protect sensitive communications and investigative findings under attorney-client privilege. This protection is crucial should your organization face litigation, as it limits the exposure of certain communications during the discovery process.

  • Tip: Collaborate with your legal team to establish protocols for involving external counsel, even for minor incidents, to ensure privilege is in place if needed.

Refine Your Communication Strategy

Transparency is key during incident response, but be cautious with internal and external communications, especially in the early stages. Avoid speculative statements and keep communications brief until forensic findings provide a clearer picture.

  • Tip: Work with your legal and PR teams to develop standardized communications templates for different scenarios, ensuring clarity and consistency without compromising on accuracy.

Define Roles and Responsibilities in Your IR Plan

Many incident response plans (IRPs) lack a clear delineation of responsibilities, particularly regarding who determines when an incident becomes a breach. Ideally, legal counsel—preferably external—should make this determination to preserve objectivity and privilege.

  • Tip: Review your IRP to ensure that roles and escalation points are well defined, with legal counsel involved at key decision points.

Handle Ransomware Negotiations Carefully

Ransomware incidents often involve complex decisions about whether to engage with or pay threat actors. Professional negotiators can play a valuable role here, as they are well-versed in handling threat actor communications and negotiating terms without compromising your organization’s legal standing.

  • Tip: Always hire professionals for ransomware negotiations. Amateur negotiators risk mishandling sensitive communications, which can exacerbate both financial and reputational damage.

Prepare for Possible Class Action Litigation

In the event of a data breach, it’s increasingly common for affected parties to file class action lawsuits. Many legal teams recommend proactive measures to limit liability, such as documented protocols that show your team acted swiftly and responsibly during the incident.

  • Tip: Ensure your IR documentation is thorough and compliant with industry standards, as this can provide valuable evidence should litigation arise.

Use Tabletop Exercises to Strengthen Incident Preparedness

Incident response tabletop exercises, especially those involving executive teams, help prepare your organization to navigate both operational and legal complexities in a crisis. In addition to familiarizing staff with the IRP, tabletop exercises offer an opportunity to practice coordination with legal counsel, PR, and executive stakeholders.

  • Tip: Schedule annual or biannual tabletop exercises that simulate high-stakes incidents, like ransomware attacks, to ensure all teams are familiar with legal protocols.

Conclusion: A Proactive Legal Strategy in Incident Response

Responding to a security incident without considering legal implications can expose your organization to additional risks. By carefully navigating language, establishing attorney-client privilege, and preparing staff with tabletop exercises, your organization can avoid many of the legal pitfalls associated with incident response. Whether preparing for regulatory inquiries or class action lawsuits, these best practices can help your organization respond to incidents effectively and with minimized legal exposure.

In Advice Tags Legal, Incident Response

Blue Team Starter Kit - Forensics with Redline

December 8, 2015

“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standard operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is, until I found Mandiant’s (now FireEye’s) Redline tool.

What is Redline?

It’s a free tool that allows me to do an investigation on potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).

The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects the log sources from the computer (event logs, registry changes, file system activity, browser history and more) and puts them all in one place, ordered by time, for analysis. This is most useful when the incident’s time frame is known, because you can narrow the review to events around that moment.

The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI scores running processes by how likely they are to be malicious; IOCs let you define specific artifacts (file names, hashes, registry keys) and search the collected data for them. Refer to the user guide for more information on using these.

Alternative Tools

Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and from the sound of it does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.

There’s also the SANS Investigative Forensic Toolkit (SIFT), a virtual machine image loaded with forensics tools. It’s been a while since I’ve used the tool. From what I remember this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensics analysis on potentially compromised computers.*

*As you may have noticed by now I keep using the phrase “potentially” compromised computers. That’s because one of the things I discovered using Redline is that false positives happen.

How to use Redline

Download and install Redline. I would also recommend downloading the user guide. The user guide is how I got started using the tool. It will explain the ins and outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.

Still with me? Let us proceed.

Launch Redline and click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activity happens only in memory, so collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.

*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down: a reboot or shutdown will wipe whatever is in memory, and with it the evidence of anything that never touched disk.

When a potentially compromised computer is discovered, get the collection package onto the computer. There are a few options for doing this. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method.

To run the package, execute the “RunRedlineAudit” batch file in the collection package, using an account with administrative rights (memory acquisition needs them). A command prompt (black box) will pop up and begin running a script to collect the events on the computer. The collection can take several hours depending on how much data is on the computer, its processing power, how much memory it has, and so on.

Once the script completes, open the results in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.

After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation; refer to the user guide for explanations of these. A Timeline will appear with all events: registry changes, browsing history, event logs and so on. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything, which is why it’s a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after the time of interest. If the information available on the incident is vague, a wider window may be needed. When the incident time is precise, a narrower window will do.

For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after that time. When I didn’t have an exact time, I would go as high as 15 minutes before and after. One thing to note is that the timestamps on events are in GMT (UTC). Convert the incident time from local time to GMT before setting the window, or the window will land on the wrong events entirely. For US Eastern time, which is what the offsets I used correspond to, that means adding 4 hours during daylight time or 5 hours during standard time.

Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. In one incident I responded to, several users had clicked a phishing email. A black box had popped up on their machines and then went away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure, Google it.
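The three steps above (convert the alert time to GMT, cut a window of a few minutes around it, then scan what’s left for things like an executable dropped in a temp folder) are easy to get wrong by hand, particularly the time zone. The script below is an added example, not part of the original post and not Redline’s own export format: it works over a handful of constructed timeline rows shaped like (UTC timestamp, source, detail), takes the SOC alert time as local time plus its UTC offset, and applies a small set of hypothetical triage patterns. The offsets (-4 / -5 for US Eastern) and the sample rows are assumptions for illustration.

```python
"""Time-windowed triage of timeline rows (added example, not Redline code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows: (UTC timestamp, source, detail). Not a real export.
SAMPLE_EVENTS = [
    ("2015-12-08 14:58:10", "Browser History", "http://intranet.example/news"),
    ("2015-12-08 15:00:42", "File Created", r"C:\Windows\Temp\invoice_39281.exe"),
    ("2015-12-08 15:00:43", "Process Started", r"C:\Windows\Temp\invoice_39281.exe"),
    ("2015-12-08 15:00:44", "Registry Modified",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("2015-12-08 15:27:01", "Event Log", "Windows Update: installation succeeded"),
]

# Hypothetical triage heuristics; the kind of thing you would Google if it showed up.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\\Windows\\Temp\\[^\\]+\.(?:exe|dll|scr|bat|ps1)$", re.I),
     "executable in Windows Temp directory"),
    (re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(?:exe|dll|scr|bat|ps1)$", re.I),
     "executable in user Temp directory"),
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "Run key persistence"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def local_to_utc(local_time: str, utc_offset_hours: int) -> datetime:
    """Convert a SOC alert time given in local time to an aware UTC datetime.

    utc_offset_hours is the local zone's offset from UTC, e.g. -5 for US
    Eastern Standard Time, -4 for Eastern Daylight Time.
    """
    naive = datetime.strptime(local_time, TS_FORMAT)
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=local_zone).astimezone(timezone.utc)


def parse_utc(ts: str) -> datetime:
    """Timeline timestamps are already UTC; attach the tzinfo so comparisons work."""
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def events_in_window(events, center_utc: datetime, minutes_before: int, minutes_after: int):
    """Equivalent of the Time Wrinkle: keep rows within [center - before, center + after]."""
    start = center_utc - timedelta(minutes=minutes_before)
    end = center_utc + timedelta(minutes=minutes_after)
    return [e for e in events if start <= parse_utc(e[0]) <= end]


def flag_suspicious(events):
    """Return (ts, source, detail, reason) for rows matching a triage pattern."""
    hits = []
    for ts, source, detail in events:
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(detail):
                hits.append((ts, source, detail, reason))
                break  # one reason per row is enough for triage
    return hits


def triage(events, alert_local: str, utc_offset_hours: int, before: int = 2, after: int = 2):
    """Run the whole procedure: convert, window, flag. Returns (center_utc, window, hits)."""
    center = local_to_utc(alert_local, utc_offset_hours)
    window = events_in_window(events, center, before, after)
    return center, window, flag_suspicious(window)


if __name__ == "__main__":
    # Alert reported by the SOC as 10:00:30 local, Eastern Standard Time (UTC-5).
    center, window, hits = triage(SAMPLE_EVENTS, "2015-12-08 10:00:30", -5)
    print(f"alert in UTC: {center:%Y-%m-%d %H:%M:%S}, {len(window)} events in window")
    for ts, source, detail, reason in hits:
        print(f"{ts}  {source:<18} {reason}: {detail}")
```

Run with the wrong offset (say -4 in December) and the window misses the dropped executable entirely, which is exactly the failure the GMT note above is warning about. The pattern list is deliberately small; extend it from whatever your own incidents keep turning up.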

That's pretty much it. The process I use is very simple. It gets me answers within a relatively short time and helped me make better decisions. Doing the analysis above I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefit of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.

The tool and its alternatives are much deeper and offer valuable information for decision making.

Conclusion

With FireEye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pick up and just start using. There’s some good documentation and I know of at least one YouTube video available.

Of course, there are plenty of other reputable options, Volatility being the one that I see most people talking about. Whatever the tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment, show how to adjust defenses, help identify false positives, and lead to better decisions overall.

This post first appeared on Exploring Information Security.

In Technology Tags Blue Team, Redline, Forensics, Incident Response
