A newly discovered zero-day vulnerability, CVE-2025-53770, is being actively exploited against Microsoft SharePoint Servers, posing a significant threat to organizations with on-premises SharePoint deployments. This critical flaw allows unauthenticated remote code execution and can lead to a complete server takeover. Administrators need to take immediate action to mitigate the risk.
The Threat Landscape
CVE-2025-53770 is, per Microsoft, a variant of CVE-2025-49706, the authentication-bypass (spoofing) bug that is chained with the deserialization bug CVE-2025-49704 in the exploit chain dubbed “ToolShell.” Researchers first demonstrated the chain at Pwn2Own Berlin in May 2025; the new identifier was assigned after in-the-wild exploitation showed that the July 2025 updates for the original pair did not fully close the attack path. The current attacks plant a web shell on the SharePoint server and steal its ASP.NET machine keys, which gives the attacker code execution that survives patching until the keys are rotated.
Affected Products
This vulnerability impacts the following on-premises Microsoft SharePoint products (SharePoint Online in Microsoft 365 is not affected):
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server Subscription Edition
Technical Analysis
The root cause of CVE-2025-53770 is deserialization of untrusted data by SharePoint. The result is unauthenticated remote code execution with no user interaction: a single crafted HTTP request to an exposed on-premises server is enough. Having gained execution, the attacker extracts the server’s machine keys and uses them to forge trusted payloads, which provides persistence and a path to lateral movement.
Specifically, attackers drop a file named “spinstall0.aspx” into the SharePoint LAYOUTS directory; when requested, it returns the server’s machineKey configuration, including the ValidationKey and DecryptionKey. With these keys the attacker can craft fully valid, signed __VIEWSTATE payloads that ASP.NET will accept and deserialize, leading to remote code execution on any server that shares those keys.
Proof of Concept (PoC)
The initial attack activity was detected on July 18th, following an alert from an endpoint detection system about a suspicious process linked to a malicious .aspx file upload.
Server logs revealed a POST request to the _layouts/15/ToolPane.aspx endpoint with a spoofed Referer header set to /_layouts/SignOut.aspx. This combination bypasses SharePoint’s authentication check for that page and leads to remote code execution through a single HTTP request.
As part of the attack chain, the threat actors upload a file named spinstall0.aspx, which extracts the server-side cryptographic keys used by the ASP.NET framework, specifically the ValidationKey and DecryptionKey. Once these keys are obtained, the attackers can generate fully signed and trusted __VIEWSTATE payloads.
These payloads trigger remote code execution because ASP.NET checks only that the __VIEWSTATE blob carries a valid MAC under the server’s ValidationKey before deserializing it with ObjectStateFormatter. An attacker holding the key can sign a malicious object graph (the kind produced by ysoserial.net) that executes code during deserialization, granting complete control of the server.
This exploit chain allows persistent, unauthenticated remote access to vulnerable SharePoint servers, and because the stolen keys remain valid after the code fix is installed, it is a critical threat to affected organizations.
Tactics, Techniques, and Procedures (TTPs)
Attackers exploit this vulnerability to plant a web shell and steal the machine keys, leading to a complete system takeover. The following MITRE ATT&CK tactics and techniques are relevant:
TA0001 – Initial Access: Exploiting the internet-facing SharePoint server
TA0003 – Persistence: Establishing a foothold on the system
TA0004 – Privilege Escalation: Gaining higher-level permissions
TA0005 – Defense Evasion: Avoiding detection
TA0006 – Credential Access: Stealing keys and credentials for further access
TA0007 – Discovery: Gathering information about the system and network
TA0008 – Lateral Movement: Moving between systems within the network
TA0009 – Collection: Gathering data of interest
TA0010 – Exfiltration: Stealing data from the network
TA0011 – Command and Control: Establishing control over the compromised system
T1190 – Exploit Public-Facing Application: Unauthenticated exploitation of the ToolPane.aspx endpoint to execute code
T1505.003 – Server Software Component: Web Shell: Dropping spinstall0.aspx into the LAYOUTS directory
T1078 – Valid Accounts: Using compromised accounts for access
T1556 – Modify Authentication Process: Altering authentication mechanisms
T1550 – Use Alternate Authentication Material: Authenticating with stolen keys or forged tokens rather than passwords
T1213 – Data from Information Repositories: Accessing sensitive data held in SharePoint
T1018 – Remote System Discovery: Discovering remote systems on the network
T1003 – OS Credential Dumping: Dumping credentials from the operating system
Indicators of Compromise (IoCs)
The following Indicators of Compromise (IoCs) can help detect if a SharePoint server has been compromised:
- Exploitation from IP address 107.191.58[.]76 (observed on July 18th)
- Exploitation from IP address 104.238.159[.]149 (observed on July 19th)
- Exploitation from IP address 96.9.125[.]147 (observed by Palo Alto Networks)
- Creation of the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
- IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referer of _layouts/SignOut.aspx
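The log-based indicators above can be turned into a triage script. The following Python is an added example, not code from the original page or from any of the vendors it cites. It parses IIS W3C logs by their #Fields header and flags the ToolPane.aspx/SignOut.aspx request pattern, any request for spinstall0.aspx, and requests from the listed source addresses. The sample log is constructed for the example (the server address, user names and timestamps are invented).

```python
"""Triage IIS W3C logs for the ToolShell request pattern (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Source addresses from the IoC list above.
IOC_SOURCE_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Constructed sample: two benign requests and the exploit sequence described above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-18 14:05:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 1843
2025-07-18 14:05:49 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2025-07-18 14:07:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.80 Mozilla/5.0 https://sp.corp.example/sites/hr/_layouts/15/editpage.aspx 200 0 0 300
"""


@dataclass
class Finding:
    severity: str
    reason: str
    client_ip: str
    line: str


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may change mid-file after log rotation
            continue
        if line.startswith("#"):
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        row = dict(zip(fields, parts))
        row["_raw"] = line
        rows.append(row)
    return rows


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per matched indicator; a row can yield several."""
    findings: List[Finding] = []
    for row in parse_w3c(lines):
        method = row.get("cs-method", "-").upper()
        stem = row.get("cs-uri-stem", "-").lower()
        query = row.get("cs-uri-query", "-").lower()
        referer = row.get("cs(Referer)", "-").lower()
        client = row.get("c-ip", "-")
        # The auth bypass: POST to ToolPane.aspx with the SignOut.aspx Referer.
        # The a=/ToolPane.aspx query is also checked because Referer is trivial to vary.
        if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
                and (referer.endswith("/_layouts/signout.aspx") or "a=/toolpane.aspx" in query)):
            findings.append(Finding("high", "ToolShell auth-bypass pattern on ToolPane.aspx",
                                    client, row["_raw"]))
        if stem.endswith("/spinstall0.aspx"):
            findings.append(Finding("high", "request for key-dumping web shell spinstall0.aspx",
                                    client, row["_raw"]))
        if client in IOC_SOURCE_IPS:
            findings.append(Finding("medium", "request from known exploitation source IP",
                                    client, row["_raw"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.client_ip}: {f.reason}\n    {f.line}")
```

Point the script at the u_ex*.log files under the IIS log directory of every front-end server; a single high finding on a server that was not patched before July 18 should be treated as confirmed compromise rather than a suspicious event, since the request itself is the exploit.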
Mitigation & Recommendations
To mitigate the risk of exploitation, Microsoft recommends the following actions:
- Install the latest SharePoint security updates. As of July 20, 2025, KB5002768 is available for Microsoft SharePoint Server Subscription Edition; Microsoft subsequently released updates for SharePoint Server 2019 and 2016, so check the MSRC advisory for CVE-2025-53770 for the current KB number for your version.
- Enable Antimalware Scan Interface (AMSI) integration in SharePoint. It is on by default since the September 2023 security update for SharePoint 2016 and 2019 and since version 23H2 of Subscription Edition, but verify that it has not been turned off.
- Deploy Defender AV on all SharePoint servers.
- If AMSI cannot be enabled, disconnect the SharePoint server from the internet until it is patched.
- Rotate the SharePoint Server ASP.NET machine keys after applying security updates or enabling AMSI. Use the Update-SPMachineKey PowerShell cmdlet (run against each web application), or in Central Administration run the Machine Key Rotation timer job; in either case restart IIS on every SharePoint server in the farm afterwards. Rotation is not optional: the patch stops further key theft but does nothing about keys already stolen, and any __VIEWSTATE payload signed under the old keys stays valid until they are replaced.
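Why rotating the keys is required and patching alone is not, for both the __VIEWSTATE discussion in the Proof of Concept section and the rotation step above, as an added example (this is not code from the original page or from Microsoft). It is a deliberately simplified Python model of ASP.NET’s __VIEWSTATE MAC check: JSON stands in for the ObjectStateFormatter serialization, the key derivation and blob layout are not byte-compatible with ASP.NET, and the DecryptionKey (used only when view state encryption is on) is left out; only the trust decision the page describes is modelled.

```python
"""Simplified model of __VIEWSTATE MAC validation and why key rotation matters."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # HMACSHA256-style validation, 32-byte tag


def sign_viewstate(state: Dict[str, Any], validation_key: bytes) -> str:
    """Serialize state and append an HMAC under the validationKey.

    JSON is a stand-in for the .NET object graph; the MAC is the part that matters.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def verify_viewstate(blob: str, validation_key: bytes) -> Optional[Dict[str, Any]]:
    """Deserialize only if the MAC checks out.

    None models ASP.NET's "Validation of viewstate MAC failed" rejection; a
    non-None result models the server going on to deserialize the payload.
    """
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        return None
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def demo() -> Dict[str, bool]:
    """Walk through key theft, forgery, patching without rotation, and rotation."""
    server_key = secrets.token_bytes(64)  # 64-byte validationKey, as ASP.NET uses for HMACSHA256
    leaked_key = server_key               # what spinstall0.aspx hands the attacker

    # Attacker signs an attacker-chosen object graph with the leaked key. On a
    # patched but unrotated server this blob is still accepted, because the
    # patch changed the code, not the key.
    forged = sign_viewstate({"gadget": "attacker-controlled object graph"}, leaked_key)
    accepted_with_leaked_key = verify_viewstate(forged, server_key) is not None

    # Update-SPMachineKey / the Machine Key Rotation job replaces the key, so
    # every payload signed under the old key is now rejected.
    rotated_key = secrets.token_bytes(64)
    accepted_after_rotation = verify_viewstate(forged, rotated_key) is not None

    # Without the key, altering a single byte of the payload breaks the MAC.
    tampered = bytearray(base64.b64decode(forged))
    tampered[2] ^= 0x01
    tampered_blob = base64.b64encode(bytes(tampered)).decode()
    accepted_tampered = verify_viewstate(tampered_blob, server_key) is not None

    return {
        "accepted_with_leaked_key": accepted_with_leaked_key,  # True
        "accepted_after_rotation": accepted_after_rotation,    # False
        "accepted_tampered": accepted_tampered,                # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first result is the whole problem: the MAC proves only that whoever produced the blob held the ValidationKey, so once spinstall0.aspx has leaked it the check accepts attacker-signed object graphs on every server that shares the key. The second result is what rotation buys, and it is also the thing to verify after running the timer job: confirm the machine key for each web application actually changed and that IIS was restarted on every farm member, otherwise old forged payloads keep working.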
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring all US federal civilian executive branch (FCEB) agencies to apply mitigations immediately.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.