
Threat Alert: CVE-2025-53770 – The SharePoint Zero-Day Threat You Can't Ignore


July 28, 2025


A new set of critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, has emerged and is actively being used against on-premises Microsoft SharePoint Server environments. CVE-2025-53770 carries a CVSS v3.1 base score of 9.8 (critical); this zero-day Remote Code Execution (RCE) flaw is not a theoretical risk but is being actively exploited in widespread attacks. Together, the pair allows unauthenticated attackers to seize full control of affected servers, steal cryptographic keys, and establish persistent backdoors.

First detected on July 18, 2025, as part of the "ToolShell" attack chain, this vulnerability has rapidly impacted hundreds of organizations globally across critical sectors like government, healthcare, and finance. Microsoft has released emergency patches, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate remediation for federal agencies.

More than 400 Organizations Impacted Globally

Initial reports indicated that the large-scale cyberattack led to the compromise of at least 75 company servers, including major corporations and US government agencies. However, follow-up scans conducted by Eye Security quickly expanded the estimated number of victim organizations to over 400 globally. Experts from Eye Security have cautioned that this figure is likely an underestimation, stating that the "actual number is almost certainly higher" because not all attack methods leave detectable traces. This implies that many organizations may be compromised without immediate detection, necessitating a proactive "assume compromise" stance for any internet-exposed SharePoint server.

The widespread nature of the threat is also evidenced by Eye Security's scan of over 8,000 internet-connected SharePoint servers, which revealed that hundreds remained exposed. Even self-managed SharePoint Server instances hosted in cloud environments (e.g., on Azure, AWS, or GCP) are vulnerable, with data suggesting that 9% of cloud environments have resources running susceptible versions. The sheer volume of attempted exploitation is highlighted by Cloudflare, which observed a significant peak of approximately 300,000 HTTP request matches for the vulnerability around July 22, indicating widespread automated scanning and exploitation attempts globally.

Industry Sectors Under Attack

The ToolShell campaign has demonstrated a broad impact across various critical sectors globally. While the identity of specifically impacted entities has been withheld, certain U.S. government agencies have been publicly identified as affected. Known affected industries include:

  • Government
  • Healthcare
  • Finance and banking
  • Education, including academic institutions
  • Manufacturing
  • Energy providers
  • Telecommunications in Asia

The consistent targeting of such diverse yet critical sectors indicates that the threat actors perceive SharePoint servers as high-value targets. These platforms typically host sensitive data (e.g., internal documents, intellectual property, patient records) and act as central collaboration hubs, which can serve as a gateway to broader network access. This targeting reinforces the need for organizations within these sectors to prioritize SharePoint security and implement robust defense mechanisms.

The Threat Explained: What is ToolShell?

CVE-2025-53770 is a critical RCE vulnerability stemming from insecure deserialization of untrusted data within SharePoint. It is a bypass of the previously patched flaw CVE-2025-49704, demonstrating the attackers' ability to circumvent the initial fix.

The "ToolShell" exploit chain combines CVE-2025-53770 with CVE-2025-53771, an authentication bypass, to upgrade the RCE to an unauthenticated RCE. This allows attackers to gain initial access without credentials. Attackers only need to send a POST request containing a serialized payload that the server then executes.

Once past authentication, they deploy a malicious ASPX file (commonly spinstall0.aspx) to extract sensitive cryptographic keys (ValidationKey and DecryptionKey) from the server's machineKey configuration. With these stolen keys, attackers can then forge valid __VIEWSTATE payloads, enabling persistent remote code execution even if the initial web shells are removed or patches are applied.
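The following is an added illustration, not code from the original post, of why the stolen keys outlive patching and web shell removal. It stands in for ASP.NET's real ViewState MAC (a keyed hash under the machineKey validationKey, plus encryption under the decryptionKey) with a plain HMAC-SHA256 over an opaque payload; the key sizes, the payload and the scenario are constructed for the demonstration.

```python
"""Why rotating the ASP.NET machine keys is part of ToolShell remediation.

Added illustration, not code from the original post. ASP.NET protects
__VIEWSTATE with a keyed hash under the machineKey validationKey (and
encrypts it under the decryptionKey); this stand-in uses HMAC-SHA256 over an
opaque payload to show the single property that matters here: a blob signed
with a leaked key stays valid through patching and web shell clean-up, and
only rotating the key invalidates it.
"""
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(payload: bytes, validation_key: bytes) -> bytes:
    """Return payload || MAC, the shape of a MAC-protected ViewState blob."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload + mac


def verify_state(blob: bytes, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if its MAC verifies under validation_key, else None."""
    if len(blob) <= MAC_LEN:
        return None
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def rotate_key() -> bytes:
    """Generate a fresh validation key (64 random bytes, the usual size for HMACSHA256 in ASP.NET)."""
    return secrets.token_bytes(64)


def demo() -> dict:
    """Walk the persistence scenario: leaked key -> patch/clean-up -> key rotation."""
    server_key = rotate_key()
    # Constructed: an attacker who read the machineKey via a web shell signs
    # an arbitrary state blob offline with the copied key.
    leaked_key = server_key
    forged = sign_state(b"ATTACKER-CONTROLLED-STATE", leaked_key)

    accepted_before = verify_state(forged, server_key) is not None
    # Patching SharePoint and deleting spinstall0.aspx changes nothing about
    # the key, so the forged blob is still accepted afterwards.
    accepted_after_cleanup = verify_state(forged, server_key) is not None
    # Rotating the key is what actually severs the access.
    server_key = rotate_key()
    accepted_after_rotation = verify_state(forged, server_key) is not None
    return {
        "accepted_before": accepted_before,
        "accepted_after_cleanup": accepted_after_cleanup,
        "accepted_after_rotation": accepted_after_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the one the remediation section returns to: the forged blob is a valid credential for as long as the key it was signed with is in service, so key rotation belongs on the checklist next to patching, not after it.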

Affected Versions: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition are vulnerable. Even unsupported SharePoint Server 2010 and 2013 are susceptible. SharePoint Online (Microsoft 365) is not impacted, but self-managed SharePoint instances in cloud environments are.

Who Are The Threat Actors Behind It?

Emerging analysis has linked the initial ToolShell exploitation campaign to a China-based threat actor. Google Cloud's Mandiant Consulting specifically attributes some of the earliest observed attacks to at least one China-nexus group.

The exploitation of ToolShell has been attributed by Microsoft to three distinct China-based threat actor groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Linen Typhoon and Violet Typhoon are both identified as state-backed Advanced Persistent Threat (APT) groups, primarily focused on espionage and intellectual property theft, with a history of exploiting vulnerabilities in exposed web infrastructure to steal MachineKeys and establish persistent access.

In contrast, Storm-2603 has been observed leveraging these same SharePoint vulnerabilities for financially motivated objectives, specifically deploying ransomware, including Warlock and LockBit, since July 18, 2025. Since the exploit chain enables RCE, these attackers may simply encrypt the SharePoint server's resources. This diverse involvement, particularly following the public availability of a Proof-of-Concept (PoC) exploit, indicates a rapid commoditization of the vulnerability, attracting a broad spectrum of adversaries from nation-state actors to cybercriminals.

The widespread nature of the vulnerability's exploitation indicates that a broad spectrum of adversaries, ranging from "petty cybercriminals to nation-state APT groups," have since taken advantage of the vulnerability chain.

MITRE ATT&CK Mapping of Techniques Used

Understanding the adversary's tactics, techniques, and procedures (TTPs) is crucial for defense. Here's how the ToolShell exploit maps to the MITRE ATT&CK framework:

| Tactic | Technique ID | Technique Name | Description and Context | Source (citation no.) |
|---|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Threat actors exploited CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 to compromise on-premises Microsoft SharePoint servers. | [9], [12] |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The deployed webshells execute attacker-supplied commands via cmd.exe and PowerShell, often encoded. | [9], [11], [7] |
| Persistence | T1505.003 | Server Software Component: Web Shell | Threat actors deployed malicious webshells (e.g., spinstall0.aspx) to compromised servers for persistent access. | [9], [7], [8], [12], [11] |
| Persistence | T1550 | Steal or Forge Service Ticket | Attackers steal cryptographic keys (ValidationKey, DecryptionKey) to forge valid __VIEWSTATE payloads, enabling persistent RCE. | [8], [7], [11], [3], [6] |
| Credential Access | T1003 | OS Credential Dumping | Threat actors perform credential access by targeting LSASS memory to extract plaintext credentials using tools like Mimikatz. | [8], [12] |
| Credential Access | T1078 | Valid Accounts | Compromised accounts or forged authentication tokens (via stolen keys) are used for continued access. | [8] |
| Defense Evasion | T1556 | Modify Authentication Process | The Referer header spoofing bypasses SharePoint's authentication and form digest validation. | [8], [7], [11], [6] |
| Discovery | T1018 | Remote System Discovery | Attackers gather information about remote systems on the network. | [8] |
| Lateral Movement | T1210 | Exploitation of Remote Services | Exploiting vulnerabilities to execute code on remote systems. | [8] |
| Lateral Movement | T1021.006 | Remote Services: Windows Management Instrumentation | Lateral movement is achieved using tools like PsExec and Impacket, executing commands via WMI. | [12] |
| Collection | T1005 | Data from Local System | The deployed webshells enable attackers to extract information from the compromised systems. | [9] |
| Collection | T1213 | Data from Information Repositories | Attackers access sensitive data from SharePoint's content and configurations. | [8] |
| Command and Control | TA0011 | Command and Control | Establishing and maintaining control over the compromised system through persistent access mechanisms. | [8] |
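The Execution and Web Shell rows above reduce, on the host, to one observable: a command interpreter whose ancestry runs back to the SharePoint worker process. The following is an added example, not code from the original post, that walks process-creation telemetry for that chain and decodes the `-EncodedCommand` argument so analysts can see what was run. The event records are constructed here in the shape of Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine); in production they would come from the Windows event log or an EDR export.

```python
"""Find cmd.exe / powershell.exe whose ancestry includes w3wp.exe, the
ToolShell execution chain, and decode any -EncodedCommand payload.

Added example, not code from the original post. Records are constructed in
the shape of Sysmon Event ID 1; real deployments should key on ProcessGuid
rather than ProcessId, since PIDs are reused.
"""
import base64
import re
from typing import Dict, List, Optional

SHAREPOINT_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco"
    r"|encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 8) -> List[Dict]:
    """Return [event, parent, grandparent, ...] as far as the telemetry reaches."""
    chain = [event]
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ParentProcessId"])
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a base64 UTF-16LE -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_suspicious_chains(events: List[Dict]) -> List[Dict]:
    """Flag shells descended from w3wp.exe; legitimate admin shells have other ancestors."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for event in events:
        if image_name(event["Image"]) not in SHELLS:
            continue
        chain = ancestry(event, by_pid)
        names = [image_name(p["Image"]) for p in chain]
        if SHAREPOINT_WORKER not in names[1:]:
            continue
        findings.append({
            "pid": event["ProcessId"],
            "chain": " <- ".join(names),
            "decoded_command": decode_encoded_command(event["CommandLine"]),
        })
    return findings


def sample_events() -> List[Dict]:
    """Constructed telemetry: one ToolShell-style chain and one benign admin session."""
    enc = base64.b64encode("whoami".encode("utf-16le")).decode()
    return [
        {"ProcessId": 500, "ParentProcessId": 4, "Image": r"C:\Windows\System32\svchost.exe",
         "CommandLine": "svchost.exe -k iissvcs"},
        {"ProcessId": 1000, "ParentProcessId": 500, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
         "CommandLine": 'w3wp.exe -ap "SharePoint - 80"'},
        {"ProcessId": 2000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": f"cmd.exe /c powershell.exe -nop -w hidden -enc {enc}"},
        {"ProcessId": 3000, "ParentProcessId": 2000,
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"ProcessId": 700, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
         "CommandLine": "explorer.exe"},
        {"ProcessId": 4000, "ParentProcessId": 700,
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    ]


if __name__ == "__main__":
    for finding in find_suspicious_chains(sample_events()):
        print(finding)
```

The check keys on ancestry rather than on the immediate parent so that `w3wp.exe -> cmd.exe -> powershell.exe` is caught at both hops; the benign PowerShell launched from explorer.exe is ignored even though it also uses a `-E...` switch, because the flag regex only accepts prefixes of `-EncodedCommand`.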

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are crucial for detecting past or ongoing exploitation of CVE-2025-53770. Monitoring for these artifacts and network activities can help organizations identify compromised systems and initiate appropriate incident response measures. This table serves as a quick reference for security operations teams to enhance their detection capabilities.


| Type of IOC | Indicator | Description and Context | Source (citation no.) |
|---|---|---|---|
| File Indicators | spinstall0.aspx (or variants: spinstall.aspx, spinstall1.aspx, spinstall2.aspx) | Malicious ASPX file dropped by attackers to facilitate key extraction and persistence. | [7] |
| File Indicators | SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA256 hash associated with the spinstall0.aspx webshell. | [7] |
| File Indicators | File path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx or C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx | Common deployment paths for the malicious ASPX file. | [11] |
| Network Indicators | Referer: /_layouts/SignOut.aspx (or /layouts/15/signout.aspx) | HTTP Referer header used in crafted POST requests to bypass authentication. | [11] |
| Network Indicators | POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit | Target endpoint for the initial authentication bypass and payload delivery. | [11] |
| Network Indicators | GET request to /_layouts/15/spinstall0.aspx | Observed requests to the deployed malicious ASPX file. | [11] |
| Network Indicators | GET request to /_layouts/15/success.aspx?__VIEWSTATE=<malicious_payload> | Endpoint used for remote code execution via forged __VIEWSTATE payloads. | [11] |
| Network Indicators | Observed attacking IP addresses: 96.9.125[.]147, 107.191.58[.]76, 104.238.159[.]149, 139.59.11[.]66, 154.223.19[.]106, 103.151.172[.]92, 45.191.66[.]77, 83.136.182[.]237, 162.248.74[.]92, 38.54.106[.]11, 206.166.251[.]228, 45.77.155[.]170, 64.176.50[.]109, 149.28.17[.]188, 173.239.247[.]32, 109.105.193[.]76, 2.56.190[.]139, 141.164.60[.]10, 124.56.42[.]75, 103.186.30[.]186 | IP addresses observed conducting exploitation attempts. Note: this list is not exhaustive and may expand. | [9] |
| Process Indicators | w3wp.exe spawning encoded PowerShell commands | SharePoint worker process (w3wp.exe) initiating suspicious PowerShell activity, often encoded. | [11] |
| Process Indicators | w3wp.exe spawning cmd.exe | SharePoint worker process initiating a command shell for further execution. | [11] |
| Process Indicators | cmd.exe spawning powershell.exe | Typical command chain observed for executing attacker-supplied commands. | [11] |
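The network rows of the IOC table are all visible in the IIS logs that every SharePoint web front end already writes. The following is an added example, not code from the original post, that parses IIS W3C extended log lines by their `#Fields:` header and tags each request with the indicators it matches. The log lines and the host names in them are constructed; the attacker IP list is a subset of the defanged addresses from the table above and is refanged at load time. In practice you would feed it the files under the IIS log directory (by default C:\inetpub\logs\LogFiles\W3SVC*\).

```python
"""Sweep IIS W3C logs for the ToolShell network indicators from the IOC table.

Added example, not code from the original post. SAMPLE_LOG is constructed to
mimic IIS W3C extended logging; the field order is taken from the #Fields:
header, so the parser works with whatever column set a given server logs.
"""
import re
from typing import Dict, Iterable, List

# Subset of the defanged addresses from the IOC table; extend with the full list.
ATTACKER_IPS_DEFANGED = [
    "96.9.125[.]147", "107.191.58[.]76", "104.238.159[.]149",
    "139.59.11[.]66", "154.223.19[.]106",
]
ATTACKER_IPS = {ip.replace("[.]", ".") for ip in ATTACKER_IPS_DEFANGED}

# Both Referer spellings from the IOC table, relative or absolute.
SIGNOUT_REFERER = re.compile(r"/_?layouts/(?:15/)?signout\.aspx", re.IGNORECASE)
TOOLPANE = re.compile(r"^/_layouts/15/toolpane\.aspx$", re.IGNORECASE)
SPINSTALL = re.compile(r"^/_layouts/15/spinstall\d*\.aspx$", re.IGNORECASE)
SUCCESS = re.compile(r"^/_layouts/15/success\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields: header."""
    fields: List[str] = []
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat when IIS rotates the file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the IOC table indicators a single request matches (empty if none)."""
    hits = []
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "")
    # ToolPane edit POSTs are normal admin traffic; the SignOut Referer is what
    # makes the combination an indicator.
    if method == "POST" and TOOLPANE.match(stem) and "displaymode=edit" in query \
            and SIGNOUT_REFERER.search(referer):
        hits.append("toolshell_auth_bypass")
    if SPINSTALL.match(stem):
        hits.append("webshell_access")
    if SUCCESS.match(stem) and "__viewstate=" in query:
        hits.append("viewstate_rce")
    if rec.get("c-ip") in ATTACKER_IPS:
        hits.append("known_attacker_ip")
    return hits


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run classify() over every record and keep the ones with at least one hit."""
    findings = []
    for rec in parse_w3c(lines):
        hits = classify(rec)
        if hits:
            findings.append({
                "time": f"{rec.get('date')} {rec.get('time')}",
                "c-ip": rec.get("c-ip"),
                "request": f"{rec.get('cs-method')} {rec.get('cs-uri-stem')}",
                "indicators": hits,
            })
    return findings


# Constructed sample: one benign page load, the three-step ToolShell sequence
# from two sources, and a legitimate internal ToolPane edit that must not fire.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.1.22 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 31
2025-07-19 02:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 128
2025-07-19 02:15:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 15
2025-07-19 02:16:02 10.0.0.5 GET /_layouts/15/success.aspx __VIEWSTATE=REDACTED_BASE64 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 44
2025-07-19 02:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.40 Mozilla/5.0 https://sp.contoso.local/_layouts/15/start.aspx 200 0 0 90
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A request that matches `viewstate_rce` without a known attacker IP (the fourth sample line) is the case to look at most closely: it is exactly what post-rotation access with a forged __VIEWSTATE looks like from a source the IP list has not caught up with.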

What You Need to Do: Mitigation and Remediation

Given the critical nature and active exploitation of CVE-2025-53770, immediate and comprehensive mitigation and remediation strategies are imperative for all organizations utilizing on-premises SharePoint Server deployments.

Immediate Actions

  • Apply the Latest Security Updates: Microsoft has released emergency patches to address CVE-2025-53770 and CVE-2025-53771. Organizations must apply these updates immediately. Specific Knowledge Base (KB) articles include KB5002768 for SharePoint Server Subscription Edition and KB5002754 for SharePoint Server 2019 (version 16.0.10417.20027).
  • Enable Antimalware Scan Interface (AMSI) Integration: Configure AMSI integration in SharePoint and ensure Microsoft Defender Antivirus (Defender AV) is deployed across all SharePoint servers. This can help block unauthenticated threat actors from exploiting the vulnerability.
  • Deploy Microsoft Defender for Endpoint: Utilize Defender for Endpoint to detect and block post-exploit activity and monitor for suspicious file creation, such as spinstall0.aspx.
  • Isolate or Disconnect from the Internet: If AMSI cannot be enabled or patches cannot be applied immediately, Microsoft strongly recommends disconnecting vulnerable SharePoint servers from the internet. This serves as a critical temporary measure to prevent further exploitation.

Post-Compromise Actions

Any organization running a publicly exposed, on-premises instance of Microsoft SharePoint should assume compromise (given the widespread nature of the exploitation) and execute the following actions:

  • Isolate Suspected Compromised Servers: Immediately isolate any suspected compromised servers to prevent further malicious activity and lateral movement within the network.
  • Engage Incident Response Teams: A thorough incident response investigation is essential to determine the full scope of the compromise, identify any data exfiltration, and ensure complete eradication of the threat. This should include forensic analysis to identify the initial access vector, lateral movement, and any deployed backdoors or persistence mechanisms.
  • Revoke Credentials and Rotate Secrets: Any credentials or secrets that may have been exposed or stolen (e.g., via LSASS dumping) must be immediately revoked and rotated. This includes service accounts, administrator credentials, and any other sensitive information that could be leveraged for continued access.
  • Rotate SharePoint Server ASP.NET Machine Keys: This is a paramount step. Since threat actors can steal the ValidationKey and DecryptionKey to maintain persistent access even after patches are applied or web shells are removed, simply cleaning malicious artifacts is insufficient. Rotating these cryptographic keys will invalidate any forged __VIEWSTATE payloads and sever the attackers' persistent access.
  • Audit and Reduce Privileges: Conduct a comprehensive audit of SharePoint user and application pool privileges, reducing them to the minimum necessary for operation.

ExtraHop RevealX

Relying solely on endpoint or perimeter defenses is insufficient. ExtraHop RevealX provides the critical visibility needed to detect and respond to threats that may originate from or traverse through third-party environments.

“Many organizations face critical visibility gaps, especially with encrypted traffic, where advanced threats like ToolShell operate in stealth. ExtraHop RevealX combines continuous packet capture, out-of-band decryption, and cloud-scale machine learning to expose these hidden attacker actions, leaving them nowhere to hide.”

Anthony James, Vice President of Product, ExtraHop

ExtraHop RevealX provides:

  • Comprehensive Network Visibility: It offers agentless visibility across hybrid and multi-cloud environments, including encrypted traffic, ensuring no blind spots for attackers exploiting vulnerabilities or using compromised credentials. This is vital for detecting reconnaissance, lateral movement, and data exfiltration attempts.
  • Behavioral Anomaly Detection: RevealX uses advanced machine learning to detect anomalous behaviors on the network that indicate compromise, such as unusual access patterns to OT/ICS devices, unexpected remote access, or suspicious data transfers, even if the initial access method was a simple password brute-force.
  • Real-time Threat Intelligence Integration: By correlating network activity with threat intelligence, RevealX can flag known attacker TTPs and indicators of compromise, providing immediate context for security teams.
  • Accelerated Incident Response: High-fidelity alerts with rich network context enable security teams to quickly understand the scope of an intrusion, identify affected assets, and accelerate containment and remediation efforts, minimizing the attacker's dwell time.
  • Continuous Packet Capture: Boost your detection accuracy and accelerate response workflows with immutable packet-level insights into network activity.
  • Out-of-Band Decryption: Reveal credential abuse, privilege escalation, and malicious content in your network by decrypting data at up to 100 Gbps from more than 90 network and application protocols, without affecting performance.
  • Cloud-Scale Machine Learning: Unlimited compute power and continuous model tuning generate higher-quality detections and fewer false positives.

Final Word

The technical intricacies of the exploit, particularly the authentication bypass via a spoofed Referer header and the "golden key" persistence mechanism through stolen ValidationKey and DecryptionKey, highlight that traditional patching alone is insufficient for complete remediation. Organizations must adopt a proactive and comprehensive security posture that includes immediate patching, rigorous application of recommended security controls and, critically, the rotation of SharePoint Server ASP.NET Machine Keys if they suspect any public exposure. More broadly, robust vulnerability management, continuous monitoring of network traffic for Indicators of Compromise, and a well-rehearsed incident response plan are essential to effectively counter this evolving threat.

Citations:

  1. Microsoft SharePoint zero-day breach hits 75 servers https://timesofindia.indiatimes.com/technology/tech-news/microsoft-sharepoint-zero-day-breach-hits-75-servers-heres-what-the-company-said/articleshow/122805393.cms
  2. Microsoft Issues Emergency Patches for Actively Exploited SharePoint Server Vulnerabilities https://www.hipaajournal.com/microsof-emergency-patches-sharepoint-server-vulnerabilities/
  3. ToolShell Campaign: New SharePoint Zero-Day (CVE-2025-53770) Triggers Widespread Exploitation - SOCRadar® Cyber Intelligence Inc. https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
  4. Mass attack spree hits Microsoft SharePoint zero-day defect - CyberScoop https://cyberscoop.com/microsoft-sharepoint-zero-day-attack-spree/
  5. Cloudflare protects against critical SharePoint vulnerability, CVE-2025-53770 https://blog.cloudflare.com/cloudflare-protects-against-critical-sharepoint-vulnerability-cve-2025-53770/
  6. CVE-2025-53770: Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises - Arctic Wolf https://arcticwolf.com/resources/blog/cve-2025-53770/
  7. Secure Everything You Build and Run in the Cloud - Wiz https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k
  8. Act Fast: New RCE Threat to SharePoint Users (CVE-2025-53770…) https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/
  9. ToolShell: An all-you-can-eat buffet for threat actors - WeLiveSecurity https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/
  10. Microsoft SharePoint hack may have hit at least 400 organisations globally: Report https://timesofindia.indiatimes.com/technology/tech-news/microsoft-sharepoint-hack-may-have-hit-at-least-400-organisations-globally-report/articleshow/122862035.cms
  11. CVE-2025-53770: Critical Unauthenticated RCE in Microsoft … - Picus Security https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
  12. Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
Blog author
Anthony James

Vice President, Product Management and Product Marketing
