
CVE-2025-53770 Microsoft Releases Urgent Patch for Critical SharePoint Vulnerability Under Active Exploitation
Microsoft has released out-of-band security updates to address a critical remote code execution vulnerability in on-premises SharePoint Server that is being actively exploited in attacks.
The flaw, tracked as CVE-2025-53770 with a CVSS score of 9.8, stems from deserialization of untrusted data, allowing an unauthorized attacker to execute code over a network without authentication.
This vulnerability affects on-premises versions of Microsoft SharePoint Server, including SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Microsoft has confirmed that CVE-2025-53770 is a variant of previously addressed issues, such as CVE-2025-49706, and that the new update provides more robust protections than the prior patches.
Active exploitation of CVE-2025-53770 has been observed in targeted attacks as part of a campaign dubbed ToolShell, impacting over 75 organizations worldwide, including multinational corporations, government agencies, energy companies, universities, and telecommunications providers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog due to evidence of ongoing abuse, with a remediation deadline for federal agencies set for July 21, 2025. Microsoft recommends that customers apply the security updates immediately to mitigate the risk.
Understanding Microsoft SharePoint and Its Role in Enterprises
Microsoft SharePoint Server is a widely used platform for document management, collaboration, and workflow automation in enterprises. It serves as a central repository where users can store, share, and co-edit files, often containing sensitive information such as internal documents, financial records, and proprietary data. On-premises deployments allow organizations to maintain control over their data but expose them to risks if servers are internet-facing or not properly secured. SharePoint integrates with other Microsoft products like Active Directory for authentication and uses ASP.NET for web application functionality, including cryptographic keys for session management.
Vulnerabilities in SharePoint can lead to severe consequences, including data exfiltration, lateral movement within networks, and deployment of persistent malware. Historical issues, such as those patched in July 2025, highlight ongoing challenges with deserialization and authentication bypasses.
CVE-2025-53770 exacerbates these risks by enabling unauthenticated remote code execution, bypassing protections like multi-factor authentication.
Technical Details of CVE-2025-53770
CVE-2025-53770 is classified under CWE-502, deserialization of untrusted data. The vulnerability resides in the /_layouts/15/ToolPane.aspx endpoint, where malicious input can be injected to trigger deserialization.
Attackers exploit this by sending crafted POST requests with payloads that manipulate the HTTP Referer header, often set to /_layouts/SignOut.aspx. No user interaction or authentication is required, making it highly exploitable over the network.
The exploit allows extraction of the ASP.NET MachineKey configuration, including the ValidationKey and DecryptionKey, from server memory or files. These keys are then used to generate valid __VIEWSTATE payloads with tools such as ysoserial, enabling persistent remote code execution even after the initial patch is applied.
The Common Vulnerability Scoring System (CVSS) assigns a base score of 9.8, reflecting high severity due to low attack complexity and no privileges needed.
This issue is a patch bypass for CVE-2025-49706, an authentication bypass flaw, and relates to CVE-2025-49704, a code injection vulnerability. Together they form variants of the ToolShell chain, first demonstrated at Pwn2Own Berlin in May 2025. Microsoft Defender Vulnerability Management records now include CVSS scores and zero-day flags for these CVEs across affected versions.
The ToolShell Campaign: Exploitation Details
The ToolShell campaign chains these vulnerabilities to achieve unauthenticated RCE. Exploitation begins with a single request to the ToolPane.aspx endpoint, using HTTP Referer header manipulation to bypass authentication.
Attackers then upload web shells such as spinstall0.aspx (SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514) to steal the MachineKeys. This file is often placed in paths such as /_layouts/15/ or the Web Server Extensions directories.
Post-exploitation activity includes deploying persistent backdoors, extracting sensitive data, and lateral movement. Known indicators include the IP addresses 107.191.58.76, 104.238.159.149 and 96.9.125.147, and user agents mimicking Firefox 120.0.
Exploitation patterns show attacks occurring around July 18-19, 2025, with POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
Scans reveal over 65,400 exposed servers on ZoomEye and 205,000 on FOFA, with the U.S. having the highest exposure at 3,043 instances.
Compromises have been confirmed in sectors like federal agencies, energy, and telecom, with exploitation leading to full system control.
Impact on Organizations and Affected Versions
Successful exploitation grants access to file systems and internal configurations and enables code execution. Stolen keys allow forged tokens that survive patches and reboots.
SharePoint Online is not impacted.
Affected products:
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
Unsupported versions such as SharePoint Server 2010 and 2013 may carry similar risks.
The campaign has resulted in over 50 breaches, including European government agencies and U.S. state legislatures. Federal enterprises face significant risks, prompting CISA action.
Patches and Mitigation Strategies
Microsoft has provided patches:
- SharePoint Server Subscription Edition: KB5002768, build 16.0.18526.20508
- SharePoint Server 2019: KB5002754, build 16.0.10417.20037
- SharePoint Server 2016: patch pending; check MSRC for updates.
A related spoofing vulnerability, CVE-2025-53771, is also patched in these updates, providing robust protections over CVE-2025-49706.
Mitigations include:
- Enable the Antimalware Scan Interface (AMSI) in Full Mode, which has been the default since the September 2023 updates.
- Deploy Microsoft Defender Antivirus on all servers.
- Rotate the ASP.NET MachineKeys after updating, using the Update-SPMachineKey PowerShell cmdlet or the Central Administration timer job, then restart IIS.
- Deploy Microsoft Defender for Endpoint for post-exploit detection.
- Disconnect internet-facing servers if AMSI cannot be enabled.
Upgrade to supported versions if using older editions.
Detection and Incident Response
Detection involves monitoring for:
- POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Creation of spinstall0.aspx in layout directories
- Suspicious w3wp.exe processes spawning encoded PowerShell
Microsoft Defender alerts include web shell installation and suspicious IIS behavior. Use Advanced Hunting queries like:
DeviceTvmSoftwareVulnerabilities | where CveId in ("CVE-2025-49706","CVE-2025-53770")
YARA and Sigma rules detect webshells and exploitation artifacts. Conduct compromise assessments, especially for external-facing servers.
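The three detection bullets above can be checked offline against sample data. The script below is an added example written for this page, not code from the advisory, Microsoft, or any vendor tooling: it applies the indicators named in the campaign and detection sections (the ToolPane.aspx POST with the SignOut.aspx Referer, the listed IP addresses, the Firefox 120.0 user agent, the spinstall0.aspx file name, and w3wp.exe spawning encoded PowerShell) to IIS W3C log lines, file paths and process-creation events. The W3C field order, the regular expressions, and all sample log lines, paths and command lines are assumptions constructed for the example.

```python
"""Added triage example (not from the advisory, Microsoft, or any vendor tooling):
applies the ToolShell indicators named in the text to IIS W3C log lines,
file-creation paths and process-creation events. All sample data below is
constructed for the example, not captured from a real server."""
import re
from urllib.parse import parse_qs

# Indicators quoted from the advisory text.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
WEBSHELL_NAME = "spinstall0.aspx"
FIREFOX_120_RE = re.compile(r"Firefox/120\.0\b")
# PowerShell's encoded-command switch (-e, -enc, -EncodedCommand) followed by a base64 blob.
ENCODED_PS_RE = re.compile(r"(?i)[-/]e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")

# Assumed W3C field order; align it with the '#Fields:' header of the logs you actually read.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]


def parse_w3c_line(line):
    """Split one IIS W3C log line into a dict; returns None for header or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def request_indicators(rec):
    """Names of the request-level indicators matched by one parsed log record."""
    hits = []
    stem = rec["cs-uri-stem"].lower()
    query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
    if rec["cs-method"] == "POST" and stem == TOOLPANE_STEM and query.get("DisplayMode") == ["Edit"]:
        hits.append("toolpane_edit_post")
        if rec["cs(Referer)"].lower().endswith(SIGNOUT_REFERER):
            hits.append("signout_referer")
    if stem.endswith("/" + WEBSHELL_NAME):
        hits.append("spinstall0_access")
    if rec["c-ip"] in KNOWN_BAD_IPS:
        hits.append("known_bad_ip")
    # IIS writes '+' for spaces in the user agent; the UA alone is only a weak indicator.
    if FIREFOX_120_RE.search(rec["cs(User-Agent)"].replace("+", " ")):
        hits.append("firefox_120_ua")
    return hits


def triage_log(lines):
    """Return (line_number, client_ip, indicators) for each line matching at least one indicator."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        hits = request_indicators(rec)
        if hits:
            findings.append((number, rec["c-ip"], hits))
    return findings


def suspicious_webshell_path(path):
    """True when spinstall0.aspx is written under a LAYOUTS or Web Server Extensions directory."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return name == WEBSHELL_NAME and ("\\layouts" in directory or "web server extensions" in directory)


def suspicious_process(parent_image, image, command_line):
    """True when the IIS worker process (w3wp.exe) spawns PowerShell with an encoded command."""
    parent = parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    child = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return (parent == "w3wp.exe"
            and child in {"powershell.exe", "pwsh.exe"}
            and ENCODED_PS_RE.search(command_line) is not None)


# Constructed sample log: lines 2-3 model the exploitation pattern, line 4 is ordinary user traffic.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2025-07-18 23:12:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 "
    "http://sp.example.internal/_layouts/SignOut.aspx 200",
    "2025-07-18 23:12:04 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200",
    "2025-07-18 23:15:40 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 jdoe 10.20.30.40 "
    "Mozilla/5.0+(Windows+NT+10.0)+Chrome/126.0 https://sp.example.internal/sites/hr 200",
]

if __name__ == "__main__":
    for number, ip, hits in triage_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(hits)}")
```

Point triage_log at the lines of a real u_ex*.log after adjusting FIELDS to the file's #Fields header; a Referer of SignOut.aspx on a ToolPane.aspx POST is the strongest single signal here, while the user-agent and IP matches only raise confidence and should not be relied on alone.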
CISA urges prioritization under BOD 22-01.
Broader Implications and Recommendations
This vulnerability underscores the need for rapid patching and key rotation in SharePoint environments. Organizations should implement logging, intrusion prevention, and threat hunting. Enforce MFA, educate on phishing, and segment networks.
For detection, use tools like Microsoft Defender and follow vendor advisories. The campaign highlights evolving threats, potentially involving state actors.
References
- National Vulnerability Database (NVD): CVE-2025-53770 Detail, https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- Microsoft Security Response Center: Customer Guidance for SharePoint Vulnerability CVE-2025-53770, https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- CVE Record: CVE-2025-53770, https://www.cve.org/CVERecord?id=CVE-2025-53770
- CISA Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Microsoft Security Update Guide, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- Eye Security: SharePoint Under Siege: ToolShell Campaign, https://research.eye.security/sharepoint-under-siege/
- CISA Alert: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770), https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770