NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Schedule a Demo
Threat and Exposure Research

URGENT ALERT: SharePoint Zero-Day CVE-2025-53770 Demands Immediate Action for On-Prem Servers

Abstract Tech Graphic

The clock is ticking for federal agencies, and a critical vulnerability in Microsoft SharePoint Servers, dubbed “ToolShell,” is actively being exploited globally. This isn’t just another patch – it’s a call to immediate action, requiring organizations with on-premise SharePoint to assume compromise and investigate deeply.

Description

A new and highly critical zero-day vulnerability, identified as CVE-2025-53770 (a variant and bypass of the previously reported CVE-2025-49706, linked to “ToolShell”), is being actively exploited in the wild. This flaw provides unauthenticated remote code execution (RCE) capabilities by bypassing Microsoft’s original patch. Attackers are exploiting a post-authentication deserialization flaw in SharePoint’s ASP.NET ViewState processing.

The attack typically involves uploading a crafted .aspx page (e.g., spinstall0.aspx) via legacy SOAP endpoints, invoking it to harvest machine keys, and then replaying signed ViewState payloads to run command shells or PowerShell download-cradles. Once inside, attackers are bypassing MFA/SSO, stealing cryptographic keys, exfiltrating sensitive data, planting persistent backdoors, and rapidly moving laterally across the broader Microsoft ecosystem.

Severity

  • CVSS Score: 9.8 (Critical)
  • Active Exploitation: This is a zero-day vulnerability actively being exploited in the wild. Initial exploitation scans were observed as early as July 16, escalating rapidly by July 17-18.
  • CISA KEV Catalog: The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring all U.S. federal civilian agencies to patch by end-of-day July 21.
  • Widespread Impact: Unspecified attackers have launched a global cyberattack, reportedly breaching U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company. Exploitation activity is currently concentrated in the United States, Germany, France, and Australia.
  • “Full Enterprise Breach”: Experts warn that a successful exploit of this flaw can turn one compromised SharePoint server into a “full enterprise breach,” as SharePoint’s deep integration allows rapid lateral movement to Teams, OneDrive, Outlook, Azure AD, Exchange, and Office applications.

Complexity

The exploit for this “ToolShell” flaw is described as requiring only “trivial modification of published ToolShell payloads,” making it accessible to a wide range of attackers. It actively bypasses Microsoft’s previous fixes for CVE-2025-49706, indicating an evolution in attacker techniques. Detection is also challenging as the malicious traffic often “presents as legitimate SharePoint user activity,” leading to high detection lag. Experts emphasize this is not a simple “patch and you’re done” situation, requiring immediate mitigation and extensive post-compromise investigation.

System Impacted

  • Vulnerable Systems: Only Microsoft SharePoint Server products (on-premise deployments) are affected.
  • Not Affected: SharePoint Online (Microsoft 365) users are NOT affected by this vulnerability.
  • Privilege Level: The arbitrary code execution occurs under the SharePoint service account, which typically holds local-system privileges and default database owner rights, granting extensive control.
  • Lateral Movement: Due to SharePoint’s tight integration, a foothold can quickly expose credentials, documents, meeting content, and email, enabling lateral movement to:
    • Teams
    • OneDrive
    • Outlook
    • Azure AD
    • Exchange
    • Other Office applications

Read More Resources & Immediate Actions

CISA and Microsoft strongly advise all organizations to apply emergency out-of-band patches and implement immediate mitigations. If your organization has on-premises Microsoft SharePoint exposed to the internet, assume compromise and initiate investigation.

  • CISA Advisory: Refer to CISA’s official advisories for the latest guidance and inclusion in the KEV catalog.
  • Microsoft’s Official Public Advisory: Released on July 19.
  • Apply Patches:
    • For SharePoint Server 2019, apply KB5002754.
    • For SharePoint Server 2016, disconnect affected public-facing products until a patch ships.
  • Mitigations & Remediation (Immediate and Ongoing):
    • Rotate ASP.NET machine keys (Update-SPMachineKey) after patching to invalidate stolen keys.
    • Enable Antimalware Scan Interface (AMSI) integration in SharePoint.
    • Deploy Microsoft Defender AV (or equivalent) with real-time scanning on all SharePoint Servers, especially Web Front Ends (WFEs) and application servers.
    • Hunt for Indicators of Compromise (IOCs):
      • Presence of spinstall0.aspx.
      • IIS POSTs to _layouts/15/ToolPane.aspx with referer _layouts/SignOut.aspx.
      • File events matching Microsoft’s Defender queries.
    • Forensic Imaging: For any potentially compromised hosts, full forensic imaging is required; simple file deletion is insufficient.

This is a critical situation demanding your immediate attention to protect your enterprise from a full-scale breach.




Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber thread exposure management system platform can organize your security chaos.