Threat Alert: CVE-2025-53770 – The SharePoint Zero-Day Threat You Can't Ignore
July 28, 2025
A new set of critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, has emerged, actively targeting on-premises Microsoft SharePoint Server environments. CVE-2025-53770 has a CVSS v3.1 base score of 9.8 (critical), and this zero-day Remote Code Execution (RCE) flaw is not just a theoretical risk: it is being actively exploited in widespread attacks. This pair of vulnerabilities allows unauthenticated attackers to seize full control of affected servers, steal cryptographic keys, and establish persistent backdoors.
First detected on July 18, 2025, as part of the "ToolShell" attack chain, this vulnerability has rapidly impacted hundreds of organizations globally across critical sectors like government, healthcare, and finance. Microsoft has released emergency patches, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate remediation for federal agencies.
More than 400 Organizations Impacted Globally
Initial reports indicated that the large-scale cyberattack led to the compromise of at least 75 company servers, including major corporations and US government agencies. However, follow-up scans conducted by Eye Security quickly expanded the estimated number of victim organizations to over 400 globally. Experts from Eye Security have cautioned that this figure is likely an underestimation, stating that the "actual number is almost certainly higher" because not all attack methods leave detectable traces. This implies that many organizations may be compromised without immediate detection, necessitating a proactive "assume compromise" stance for any internet-exposed SharePoint server.
The widespread nature of the threat is also evidenced by Eye Security's scan of over 8,000 internet-connected SharePoint servers, which revealed that hundreds remained exposed. Even self-managed SharePoint Server instances hosted in cloud environments (e.g., on Azure, AWS, or GCP) are vulnerable, with data suggesting that 9% of cloud environments have resources running susceptible versions. The sheer volume of attempted exploitation is highlighted by Cloudflare, which observed a significant peak of approximately 300,000 HTTP request matches for the vulnerability around July 22, indicating widespread automated scanning and exploitation attempts globally.
Industry Sectors Under Attack
The ToolShell campaign has demonstrated a broad impact across various critical sectors globally. While the identity of specifically impacted entities has been withheld, certain U.S. government agencies have been publicly identified as affected. Known affected industries include:
- Government
  - Department of Energy (DOE), publicly identified
  - National Nuclear Security Administration (NNSA), publicly identified
- Healthcare
- Finance and banking
- Education, including academic institutions
- Manufacturing
- Energy providers
- Telecommunications in Asia
The consistent targeting of such diverse yet critical sectors indicates that the threat actors perceive SharePoint servers as high-value targets. These platforms typically host sensitive data (e.g., internal documents, intellectual property, patient records) and act as central collaboration hubs, which can serve as a gateway to broader network access. This targeting reinforces the need for organizations within these sectors to prioritize SharePoint security and implement robust defense mechanisms.
The Threat Explained: What is ToolShell?
CVE-2025-53770 is a critical RCE vulnerability stemming from insecure deserialization of untrusted data within SharePoint. It is a bypass of the previously patched flaw CVE-2025-49704, demonstrating the attackers' ability to circumvent initial fixes.
The "ToolShell" exploit chain combines CVE-2025-53770 with CVE-2025-53771, an authentication bypass, to upgrade the RCE to an unauthenticated RCE. This allows attackers to gain initial access without credentials. Attackers only need to send a POST request containing a serialized payload that the server then executes.
Once authenticated, they deploy a malicious ASPX file (commonly spinstall0.aspx) to extract sensitive cryptographic keys (ValidationKey and DecryptionKey) from the server's machineKey configuration. With these stolen keys, attackers can then forge valid __VIEWSTATE payloads, enabling persistent remote code execution even if initial web shells are removed or patches are applied.
Affected Versions: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition are vulnerable. Even unsupported SharePoint Server 2010 and 2013 are susceptible. SharePoint Online (Microsoft 365) is not impacted, but self-managed SharePoint instances in cloud environments are.
Who Are The Threat Actors Behind It?
Emerging analysis has linked the initial ToolShell exploitation campaign to a China-based threat actor. Google Cloud's Mandiant Consulting specifically attributes some of the earliest observed attacks to at least one China-nexus group.
The exploitation of ToolShell has been attributed by Microsoft to three distinct China-based threat actor groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Linen Typhoon and Violet Typhoon are both identified as state-backed Advanced Persistent Threat (APT) groups, primarily focused on espionage and intellectual property theft, with a history of exploiting vulnerabilities in exposed web infrastructure to steal MachineKeys and establish persistent access.
In contrast, Storm-2603 has been observed leveraging these same SharePoint vulnerabilities for financially motivated objectives, specifically deploying ransomware, including Warlock and LockBit, since July 18, 2025. Since the exploit chain enables RCE, these attackers may simply encrypt the SharePoint server's resources. This diverse involvement, particularly following the public availability of a Proof-of-Concept (PoC) exploit, indicates a rapid commoditization of the vulnerability, attracting a broad spectrum of adversaries from nation-state actors to cybercriminals.
The widespread nature of the vulnerability's exploitation indicates that a broad spectrum of adversaries, ranging from "petty cybercriminals to nation-state APT groups," have since taken advantage of the vulnerability chain.
MITRE ATT&CK Mapping of Techniques Used
Understanding the adversary's tactics, techniques, and procedures (TTPs) is crucial for defense. Here's how the ToolShell exploit maps to the MITRE ATT&CK framework:
Tactic | Technique ID | Technique Name | Description and Context | Source |
---|---|---|---|---|
Initial Access | T1190 | Exploit Public-Facing Application | Threat actors exploited CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 to compromise on-premises Microsoft SharePoint servers. | https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/, https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ |
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The deployed webshells execute attacker-supplied commands via cmd.exe and PowerShell, often encoded. | https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/, https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint, https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k |
Persistence | T1505.003 | Server Software Component: Web Shell | Threat actors deployed malicious webshells (e.g., spinstall0.aspx) to compromised servers for persistent access. | https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/, https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k, https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/, https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/, https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Persistence | T1550 | Steal or Forge Service Ticket | Attackers steal cryptographic keys (ValidationKey, DecryptionKey) to forge valid __VIEWSTATE payloads, enabling persistent RCE. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/, https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k, https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint, https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/, https://arcticwolf.com/resources/blog/cve-2025-53770/ |
Credential Access | T1003 | OS Credential Dumping | Threat actors perform credential access by targeting LSASS memory to extract plaintext credentials using tools like Mimikatz. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/, https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ |
Credential Access | T1078 | Valid Accounts | Compromised accounts or forged authentication tokens (via stolen keys) are used for continued access. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/ |
Defense Evasion | T1556 | Modify Authentication Process | The Referer header spoofing bypasses SharePoint's authentication and form digest validation. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/, https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k, https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint, https://arcticwolf.com/resources/blog/cve-2025-53770/ |
Discovery | T1018 | Remote System Discovery | Attackers gather information about remote systems on the network. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/ |
Lateral Movement | T1210 | Exploitation of Remote Services | Exploiting vulnerabilities to execute code on remote systems. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/ |
Lateral Movement | T1021.006 | Remote Services: Windows Management Instrumentation | Lateral movement is achieved using tools like PsExec and Impacket, executing commands via WMI. | https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ |
Collection | T1005 | Data from Local System | The deployed webshells enable attackers to extract information from the compromised systems. | https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/ |
Collection | T1213 | Data from Information Repositories | Attackers access sensitive data from SharePoint's content and configurations. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/ |
Command and Control | TA0011 | Command and Control | Establishing and maintaining control over the compromised system through persistent access mechanisms. | https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/ |
Indicators of Compromise (IOCs)
Indicators of Compromise (IOCs) are crucial for detecting past or ongoing exploitation of CVE-2025-53770. Monitoring for these artifacts and network activities can help organizations identify compromised systems and initiate appropriate incident response measures. This table serves as a quick reference for security operations teams to enhance their detection capabilities.
Type of IOC | Indicator | Description and Context | Source |
---|---|---|---|
File Indicators | spinstall0.aspx (or variants: spinstall.aspx, spinstall1.aspx, spinstall2.aspx) | Malicious ASPX file dropped by attackers to facilitate key extraction and persistence. | https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k |
File Indicators | SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA256 hash associated with the spinstall0.aspx webshell. | https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k |
File Indicators | File Path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx or C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx | Common deployment paths for the malicious ASPX file. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Network Indicators | Referer: /_layouts/SignOut.aspx (or /layouts/15/signout.aspx) | HTTP Referer header used in crafted POST requests to bypass authentication. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Network Indicators | POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit | Target endpoint for the initial authentication bypass and payload delivery. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Network Indicators | GET request to /_layouts/15/spinstall0.aspx | Observed requests to the deployed malicious ASPX file. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Network Indicators | GET request to /_layouts/15/success.aspx?__VIEWSTATE=<malicious_payload> | Endpoint used for remote code execution via forged __VIEWSTATE payloads. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Network Indicators | Observed Attacking IP Addresses: 96.9.125[.]147 107.191.58[.]76 104.238.159[.]149 139.59.11[.]66 154.223.19[.]106 103.151.172[.]92 45.191.66[.]77 83.136.182[.]237 162.248.74[.]92 38.54.106[.]11 206.166.251[.]228 45.77.155[.]170 64.176.50[.]109 149.28.17[.]188 173.239.247[.]32 109.105.193[.]76 2.56.190[.]139 141.164.60[.]10 124.56.42[.]75 103.186.30[.]186 | IP addresses observed conducting exploitation attempts. Note: This list is not exhaustive and may expand. | https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/ |
Process Indicators | w3wp.exe spawning encoded PowerShell commands | SharePoint worker process (w3wp.exe) initiating suspicious PowerShell activity, often encoded. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Process Indicators | w3wp.exe spawning cmd.exe | SharePoint worker process initiating a command shell for further execution. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
Process Indicators | cmd.exe spawning powershell.exe | Typical command chain observed for executing attacker-supplied commands. | https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint |
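As an added detection example (not code from the original alert or from ExtraHop), the following Python matches the network indicators in the table above against IIS W3C log lines. The log entries, the host sp.example.test and the client addresses are constructed; the field order assumes the default IIS W3C logging fields.

```python
"""Match the ToolShell network indicators from the IOC table against IIS logs.

Added example for this alert, not the original post's code. The sample log
is constructed; field order follows the default IIS W3C field list.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: three exploit-chain requests from one external client,
# followed by a legitimate editing session from an authenticated user.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.10 python-requests/2.32 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 412
2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 python-requests/2.32 - 200 0 0 31
2025-07-19 03:15:41 10.0.0.5 GET /_layouts/15/success.aspx __VIEWSTATE=AAAA... 443 - 203.0.113.10 curl/8.5 - 200 0 0 88
2025-07-19 08:02:15 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0 https://sp.example.test/sites/hr 200 0 0 120
2025-07-19 08:03:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0 https://sp.example.test/sites/hr/SitePages/Home.aspx 200 0 0 240
"""

# Patterns taken from the IOC table: the SignOut Referer (both spellings),
# the ToolPane endpoint, the spinstall webshell family and the success page.
SIGNOUT_REFERER = re.compile(r"/_?layouts/(?:15/)?signout\.aspx", re.IGNORECASE)
TOOLPANE = re.compile(r"/_layouts/15/toolpane\.aspx$", re.IGNORECASE)
SPINSTALL = re.compile(r"/_layouts/(?:15|16)/spinstall\d?\.aspx$", re.IGNORECASE)
SUCCESS = re.compile(r"/_layouts/15/success\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the last #Fields line."""
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign fields
        yield dict(zip(fields, values))


def match_toolshell(entry: Dict[str, str]) -> List[str]:
    """Return the names of the ToolShell indicators an entry matches (empty if none)."""
    method = entry.get("cs-method", "")
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-").lower()
    referer = entry.get("cs(Referer)", "-")
    hits: List[str] = []
    # Initial access: the bypass POST to ToolPane.aspx carries a SignOut.aspx Referer.
    # An authenticated user editing a page also POSTs to ToolPane.aspx with
    # DisplayMode=Edit, so the Referer is what separates the two cases.
    if (method == "POST" and TOOLPANE.search(stem) and "displaymode=edit" in query
            and SIGNOUT_REFERER.search(referer)):
        hits.append("toolpane-signout-referer")
    # Persistence: any request for the dropped webshell or its known variants.
    if SPINSTALL.search(stem):
        hits.append("spinstall-webshell-request")
    # Execution via forged __VIEWSTATE delivered to success.aspx.
    if method == "GET" and SUCCESS.search(stem) and "__viewstate=" in query:
        hits.append("success-viewstate-payload")
    return hits


def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, uri stem, indicators) for every matching entry."""
    results = []
    for entry in parse_w3c(text):
        hits = match_toolshell(entry)
        if hits:
            results.append((entry.get("c-ip", "-"), entry["cs-uri-stem"], hits))
    return results


if __name__ == "__main__":
    for ip, stem, hits in scan(SAMPLE_LOG):
        print(f"{ip} {stem} -> {', '.join(hits)}")
```

The legitimate ToolPane.aspx POST from CORP\jdoe is intentionally not flagged, since page editing produces the same endpoint and query without the SignOut Referer.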
What You Need to Do: Mitigation and Remediation
Given the critical nature and active exploitation of CVE-2025-53770, immediate and comprehensive mitigation and remediation strategies are imperative for all organizations utilizing on-premises SharePoint Server deployments.
Immediate Actions
- Apply the Latest Security Updates: Microsoft has released emergency patches to address CVE-2025-53770 and CVE-2025-53771. Organizations must apply these updates immediately. Specific Knowledge Base (KB) articles include KB5002768 for SharePoint Server Subscription Edition and KB5002754 for SharePoint Server 2019 (version 16.0.10417.20027).
- Enable Antimalware Scan Interface (AMSI) Integration: Configure AMSI integration in SharePoint and ensure Microsoft Defender Antivirus (Defender AV) is deployed across all SharePoint servers. This can help block unauthenticated threat actors from exploiting the vulnerability.
- Deploy Microsoft Defender for Endpoint: Utilize Defender for Endpoint to detect and block post-exploit activity and monitor for suspicious file creation, such as spinstall0.aspx.
- Isolate or Disconnect from the Internet: If AMSI cannot be enabled or patches cannot be applied immediately, Microsoft strongly recommends disconnecting vulnerable SharePoint servers from the internet. This serves as a critical temporary measure to prevent further exploitation.
Post-Compromise Actions
Any organization running a publicly exposed, on-premises instance of Microsoft SharePoint should assume compromise (given the widespread nature of the exploitation) and execute the following actions:
- Isolate Suspected Compromised Servers: Immediately isolate any suspected compromised servers to prevent further malicious activity and lateral movement within the network.
- Engage Incident Response Teams: A thorough incident response investigation is essential to determine the full scope of the compromise, identify any data exfiltration, and ensure complete eradication of the threat. This should include forensic analysis to identify the initial access vector, lateral movement, and any deployed backdoors or persistence mechanisms.
- Revoke Credentials and Rotate Secrets: Any credentials or secrets that may have been exposed or stolen (e.g., via LSASS dumping) must be immediately revoked and rotated. This includes service accounts, administrator credentials, and any other sensitive information that could be leveraged for continued access.
- Rotate SharePoint Server ASP.NET Machine Keys: This is a paramount step. Since threat actors can steal the ValidationKey and DecryptionKey to maintain persistent access even after patches are applied or web shells are removed, simply cleaning malicious artifacts is insufficient. Rotating these cryptographic keys will invalidate any forged __VIEWSTATE payloads and sever the attackers' persistent access.
- Audit and Reduce Privileges: Conduct a comprehensive audit of SharePoint user and application pool privileges, reducing them to the minimum necessary for operation.
ExtraHop RevealX
Relying solely on endpoint or perimeter defenses is insufficient. ExtraHop RevealX provides the critical visibility needed to detect and respond to threats that may originate from or traverse through third-party environments.
“Many organizations face critical visibility gaps, especially with encrypted traffic, where advanced threats like ToolShell operate in stealth. ExtraHop RevealX combines continuous packet capture, out-of-band decryption, and cloud-scale machine learning to expose these hidden attacker actions, leaving them nowhere to hide.”
Anthony James, Vice President of Product, ExtraHop
ExtraHop RevealX provides:
- Comprehensive Network Visibility: It offers agentless visibility across hybrid and multi-cloud environments, including encrypted traffic, ensuring no blind spots for attackers exploiting vulnerabilities or using compromised credentials. This is vital for detecting reconnaissance, lateral movement, and data exfiltration attempts.
- Behavioral Anomaly Detection: RevealX uses advanced machine learning to detect anomalous behaviors on the network that indicate compromise, such as unusual access patterns to OT/ICS devices, unexpected remote access, or suspicious data transfers, even if the initial access method was a simple password brute-force.
- Real-time Threat Intelligence Integration: By correlating network activity with threat intelligence, RevealX can flag known Iranian TTPs and indicators of compromise, providing immediate context for security teams.
- Accelerated Incident Response: High-fidelity alerts with rich network context enable security teams to quickly understand the scope of an intrusion, identify affected assets, and accelerate containment and remediation efforts, minimizing the attacker's dwell time.
- Continuous Packet Capture: Boost your detection accuracy and accelerate response workflows with immutable packet-level insights into network activity.
- Out-of-Band Decryption: Reveal credential abuse, privilege escalation, and malicious content in your network by decrypting data at up to 100 Gbps from more than 90 network and application protocols, without affecting performance.
- Cloud-Scale Machine Learning: Unlimited compute power and continuous model tuning generate higher-quality detections and fewer false positives.
Final Word
The technical intricacies of the exploit, particularly the authentication bypass via a spoofed Referer header and the "golden key" persistence mechanism through stolen ValidationKey and DecryptionKey, highlight that traditional patching alone is insufficient for complete remediation. Organizations must adopt a proactive and comprehensive security posture that includes immediate patching, rigorous application of recommended security controls and, critically, the rotation of SharePoint Server ASP.NET Machine Keys if they suspect any public exposure. More broadly, robust vulnerability management, continuous monitoring of network traffic for Indicators of Compromise, and a well-rehearsed incident response plan are essential to effectively counter this evolving threat.
Citations:
- Microsoft SharePoint zero-day breach hits 75 servers https://timesofindia.indiatimes.com/technology/tech-news/microsoft-sharepoint-zero-day-breach-hits-75-servers-heres-what-the-company-said/articleshow/122805393.cms
- Microsoft Issues Emergency Patches for Actively Exploited SharePoint Server Vulnerabilities https://www.hipaajournal.com/microsof-emergency-patches-sharepoint-server-vulnerabilities/
- ToolShell Campaign: New SharePoint Zero-Day (CVE-2025-53770) Triggers Widespread Exploitation - SOCRadar® Cyber Intelligence Inc. https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
- Mass attack spree hits Microsoft SharePoint zero-day defect - CyberScoop https://cyberscoop.com/microsoft-sharepoint-zero-day-attack-spree/
- Cloudflare protects against critical SharePoint vulnerability, CVE-2025-53770 https://blog.cloudflare.com/cloudflare-protects-against-critical-sharepoint-vulnerability-cve-2025-53770/
- CVE-2025-53770: Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises - Arctic Wolf https://arcticwolf.com/resources/blog/cve-2025-53770/
- Secure Everything You Build and Run in the Cloud - Wiz https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k
- Act Fast: New RCE Threat to SharePoint Users (CVE-2025-53770…) https://www.secpod.com/blog/act-fast-new-rce-threat-to-sharepoint-users-cve-2025-53770/
- ToolShell: An all-you-can-eat buffet for threat actors - WeLiveSecurity https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/
- Microsoft SharePoint hack may have hit at least 400 organisations globally: Report https://timesofindia.indiatimes.com/technology/tech-news/microsoft-sharepoint-hack-may-have-hit-at-least-400-organisations-globally-report/articleshow/122862035.cms
- CVE-2025-53770: Critical Unauthenticated RCE in Microsoft …, https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
- Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
