Executive Summary

On July 19, 2025, Microsoft released an emergency advisory for CVE-2025-53770, a critical remote code execution vulnerability affecting on-premises SharePoint servers. With a CVSS score of 9.8 and active zero-day exploitation already underway, this vulnerability represents one of the most severe SharePoint security incidents in recent memory.

The vulnerability stems from improper deserialization of untrusted data in the ToolPane.aspx endpoint. When combined with the authentication bypass in CVE-2025-53771, attackers can achieve unauthenticated remote code execution—the worst-case scenario for any enterprise application. Within 72 hours of a proof-of-concept becoming publicly available, mass exploitation campaigns began targeting organizations worldwide.

What makes CVE-2025-53770 particularly dangerous is its post-exploitation impact. Attackers don't just execute code; they extract the server's cryptographic MachineKey configuration, enabling persistent access that survives patching. Organizations must not only apply patches but also rotate cryptographic keys and conduct thorough compromise assessments.

Key Findings

CVSS Score: 9.8 (critical severity rating)

PoC to Exploitation: 72h (time from disclosure to mass attacks)

Attack Attempts: 300K (peak daily attempts observed)

Pwn2Own Prize: $100K (original discovery reward)

Affected Systems and Patches

CVE-2025-53770 affects all on-premises SharePoint Server installations. SharePoint Online in Microsoft 365 is not impacted. Microsoft has released patches addressing the vulnerability; organizations should apply them immediately.

Product                                | Fixed Build      | KB Article | Status
SharePoint Server Subscription Edition | 16.0.18526.20508 | KB5002768  | Patch Available
SharePoint Server 2019                 | 16.0.10417.20037 | KB5002754  | Patch Available
SharePoint Enterprise Server 2016      | 16.0.5513.1001   | KB5002760  | Patch Available
SharePoint Online (Microsoft 365)      | N/A              | N/A        | Not Affected

ToolShell Attack Chain

1. Authentication Bypass (CVE-2025-53771)

Attackers send POST requests to /_layouts/15/ToolPane.aspx with a manipulated Referer header pointing to /_layouts/SignOut.aspx. This tricks SharePoint into treating the request as trusted, bypassing authentication checks entirely.

2. Remote Code Execution (CVE-2025-53770)

With authentication bypassed, attackers submit malicious serialized payloads in the POST request body. The vulnerable deserialization process executes embedded PowerShell commands server-side, achieving arbitrary code execution.

3. Persistence via Key Theft

Attackers deploy a web shell (spinstall0.aspx) and extract the server's ValidationKey and DecryptionKey from the MachineKey configuration. These cryptographic secrets enable forging authentication tokens and ViewState payloads indefinitely.

Exploitation Timeline

Technical Analysis

The root cause of CVE-2025-53770 lies in SharePoint's handling of serialized data within the ToolPane.aspx endpoint. This component, designed for SharePoint's web part management functionality, accepts serialized objects without adequate validation. When combined with the authentication bypass in CVE-2025-53771, the attack surface expands to unauthenticated remote attackers.

The authentication bypass exploits a logic flaw in how SharePoint processes the HTTP Referer header. By setting this header to /_layouts/SignOut.aspx, attackers trigger a code path intended for logout operations that inadvertently grants trust to the request. This represents a fundamental architectural weakness—authentication decisions should never rely on client-supplied headers.

What elevates this vulnerability from severe to catastrophic is the post-exploitation persistence mechanism. The extracted MachineKey values (ValidationKey and DecryptionKey) are symmetric cryptographic keys used to protect ViewState and authentication tokens. With these keys, attackers can forge valid authentication credentials independently, maintaining access even after the vulnerability is patched and the web shell removed.

Indicators of Compromise

Malicious IP Addresses

107.191.58.76, 104.238.159.149 and 96.9.125.147 were observed in the initial exploitation waves. Block them at the perimeter and investigate historical connections from these addresses.

Web Shell Artifact

spinstall0.aspx, deployed to the \TEMPLATE\LAYOUTS\ directory. SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

Target Endpoint

POST requests to /_layouts/15/ToolPane.aspx or /_layouts/ToolPane.aspx with SignOut.aspx in the Referer header indicate exploitation attempts.

User-Agent String

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 — used in observed attacks, though easily modified.

Mitigation Strategies

1. Apply Security Updates Immediately

Install KB5002768 (Subscription Edition), KB5002754 (2019), or KB5002760 (2016) without delay. These patches address both the deserialization flaw and the authentication bypass.

2. Conduct Compromise Assessment

Search for spinstall0.aspx or other anomalous ASPX files in the LAYOUTS directory. Review IIS logs for POST requests to ToolPane.aspx with suspicious Referer headers.

3. Rotate Cryptographic Keys

If compromise is suspected or confirmed, rotate the MachineKey configuration (ValidationKey and DecryptionKey). Without this step, attackers retain the ability to forge credentials.

4. Enable AMSI Integration

Microsoft recommends enabling AMSI (Antimalware Scan Interface) integration in SharePoint to detect malicious payloads during deserialization.

5. Deploy Endpoint Protection

Ensure Microsoft Defender or equivalent AV is deployed on all SharePoint servers with real-time protection enabled. Detection signatures for spinstall0.aspx are available.

6. Implement WAF Protection

Deploy web application firewall rules to detect and block exploitation attempts targeting ToolPane.aspx. Filter requests with suspicious Referer headers.

7. Restrict External Access

If external SharePoint access is not business-critical, restrict /_layouts/ endpoints to internal networks only using firewall rules or reverse proxy configuration.
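Step 2 above and the Target Endpoint and Web Shell Artifact indicators earlier describe what a compromise assessment looks for. The following Python script is an added example, not part of the original advisory, that applies those indicators to IIS W3C log lines (POST to either ToolPane.aspx path with SignOut.aspx in the Referer) and to the files under a LAYOUTS directory (the spinstall0.aspx name or its published SHA256). The sample log, the host sp.example.test and the client addresses in it are constructed; the LAYOUTS path is whatever the caller passes in.

```python
import hashlib
import os
import re
# Indicators quoted in the advisory above.
TOOLPANE_RE = re.compile(r"/_layouts/(15/)?toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_NAME = "spinstall0.aspx"
WEBSHELL_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"

def parse_iis_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_toolshell_requests(lines):
    """Return (client ip, uri, referer) for POSTs to ToolPane.aspx whose Referer names SignOut.aspx."""
    hits = []
    for rec in parse_iis_w3c(lines):
        referer = rec.get("cs(Referer)", "-")
        if (rec.get("cs-method", "").upper() == "POST"
                and TOOLPANE_RE.search(rec.get("cs-uri-stem", ""))
                and "signout.aspx" in referer.lower()):
            hits.append((rec.get("c-ip"), rec["cs-uri-stem"], referer))
    return hits

def scan_layouts(layouts_dir):
    """Return files under LAYOUTS named like the web shell or matching its published SHA256."""
    flagged = []
    for root, _, names in os.walk(layouts_dir):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if name.lower() == WEBSHELL_NAME or digest == WEBSHELL_SHA256:
                flagged.append(path)
    return flagged

# Constructed sample log (not real traffic); default IIS fields plus cs(Referer).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:01:11 10.0.0.5 POST /_layouts/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 https://sp.example.test/sites/x 200
""".splitlines()
```

The log check only works when the cs(Referer) field is enabled in IIS logging for the SharePoint site; run find_toolshell_requests over each server's IIS log files and scan_layouts over its \TEMPLATE\LAYOUTS\ directory, and treat any hit as a reason to rotate the MachineKey as in step 3.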

The 72-Hour Window: Lessons for Enterprise Security

CVE-2025-53770 demonstrates the compression of the vulnerability lifecycle. From public PoC to mass exploitation in 72 hours leaves no room for traditional patch cycles. Organizations must: (1) maintain real-time vulnerability intelligence, (2) have pre-authorized emergency patching procedures, (3) deploy compensating controls like WAF while patching, and (4) assume breach and prepare for compromise assessment. The patch-bypass nature of this vulnerability also highlights that initial patches may be insufficient—continuous monitoring for new CVEs affecting the same component is essential.

References & Sources

Comprehensive technical analysis of CVE-2025-53770 exploitation, including IOCs, attack timeline, and detection guidance. https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/

Official Microsoft customer guidance for CVE-2025-53770, including patch information and recommended mitigations. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Details on Cloudflare's emergency WAF rules and observed attack volume (300K attempts at peak). https://blog.cloudflare.com/cloudflare-protects-against-critical-sharepoint-vulnerability-cve-2025-53770/

Security team analysis of the ToolShell exploit chain and recommendations for security teams. https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/

Official National Vulnerability Database entry with CVSS scoring and technical details. https://nvd.nist.gov/vuln/detail/CVE-2025-53770

Cloud security perspective on CVE-2025-53770 and CVE-2025-53771, including detection strategies. https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k
