A critical zero-day security vulnerability affecting on-premises Microsoft SharePoint servers was recently discovered and reported by multiple sources this past weekend.
This vulnerability is being actively exploited in the wild, and no complete patch was available for most SharePoint versions before multiple threat actors began exploiting it. The information below summarizes the vulnerability and the Indicators of Compromise (IOCs) to search for if you believe you or your organization are affected.
If you think your organization is impacted by CVE-2025-53770, please contact our team at [email protected].
CVE-2025-53770 Summary
A critical zero-day vulnerability (CVE-2025-53770) in Microsoft SharePoint Server is being actively exploited by threat actors worldwide. At least 75 servers have been confirmed compromised — including U.S. federal, state and local agencies — with an additional 9,000 exposed SharePoint instances globally at risk. The vulnerability allows attackers to gain complete control of SharePoint servers without any authentication or user interaction.
Immediate Action Required: If you are running on-premises SharePoint servers, especially those accessible from the internet, you must consider implementing emergency mitigations immediately.
CVE-2025-53770 – What Happened?
- Attackers are exploiting a previously unknown vulnerability in SharePoint servers.
- This is known as a “zero day” attack because it targeted a previously unknown vulnerability.
- The attack allows complete takeover of SharePoint servers without requiring any login credentials.
- Government agencies, businesses, and institutions across the globe, including U.S. federal and state agencies, universities, energy companies, and an Asian telecom provider have been compromised.
CVE-2025-53770 – Assessing Risk and Impact
You are at risk if:
- You run SharePoint Server 2016, 2019, or Subscription Edition on your own servers (on-premises)
- Your SharePoint servers are accessible from the internet
- You have not yet implemented Microsoft’s emergency mitigations
You are NOT affected if:
- You use SharePoint Online as part of Microsoft 365 (cloud-based SharePoint)
- Your SharePoint servers are completely isolated from the internet
CVE-2025-53770 – Immediate Actions to Take
- Assume compromise if your SharePoint servers are internet-facing
- Enable Microsoft’s recommended security features (AMSI and Defender)
- If you cannot enable these protections, disconnect SharePoint from the internet immediately
- Begin incident response procedures to check for compromise
- Prepare to rotate all system secrets and credentials
CVE-2025-53770 – Technical Details
CVE: CVE-2025-53770 (and related CVE-2025-53771)
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Authentication: None required
User Interaction: None required
Impact: Complete system compromise
The vulnerability involves deserialization of untrusted data in on-premises Microsoft SharePoint Server, which allows an unauthorized attacker to execute code over a network. The update for CVE-2025-53770 provides more robust protections than the update for CVE-2025-49704 (patched in July), and the update for CVE-2025-53771 provides more robust protections than the update for CVE-2025-49706.
CVE-2025-53770 – Attack Methodology
The attack, dubbed “ToolShell,” works through a simple process:
- Attacker sends a crafted POST request to /_layouts/15/ToolPane.aspx with a spoofed HTTP Referer header.
- This bypasses authentication and allows file upload without credentials.
- Attackers upload a file named “spinstall0.aspx,” which is used to steal the Microsoft SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey.
- With these keys, attackers can forge valid requests and maintain permanent access.
CVE-2025-53770 – Indicators of Compromise
File Indicators
Primary malicious file:
- Filename: spinstall0.aspx
- Location: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
- SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
Network Indicators
Known attacker IP addresses:
- 107.191.58.76
- 104.238.159.149
- 96.9.125.147
HTTP Request Pattern:
- POST requests to: /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
- HTTP Referer: /_layouts/SignOut.aspx
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
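To make the HTTP request pattern above actionable, the following Python script (an added example written for this page, not code from the advisory's authors or from Microsoft) parses IIS W3C log lines and flags the ToolShell signature: a POST to ToolPane.aspx whose Referer claims to come from SignOut.aspx, any request for spinstall0.aspx, and any request from the three attacker IPs listed above. The log lines it ships with are constructed samples, and the field order is read from the #Fields directive rather than assumed, so it works on real IIS logs whose field selection differs.

```python
"""Flag the CVE-2025-53770 (ToolShell) request pattern in IIS W3C logs."""
from dataclasses import dataclass

# IOCs taken from the advisory above.
KNOWN_ATTACKER_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
MALICIOUS_FILENAME = "spinstall0.aspx"

# Constructed sample log (not real traffic). IIS replaces spaces inside the
# User-Agent with '+', so whitespace splitting is safe for these columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /sites/finance/default.aspx - 443 CONTOSO\\jdoe 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://sp.example.test/ 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-19 03:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://sp.example.test/_layouts/15/settings.aspx 200
"""


def parse_w3c(text):
    """Yield (line_number, {field: value}) for each data line of an IIS W3C log."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield line_no, dict(zip(fields, values))


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reasons: list


def find_toolshell_indicators(log_text):
    """Return one Finding per log line that matches any advisory indicator."""
    findings = []
    for line_no, rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "-").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        client_ip = rec.get("c-ip", "-")
        reasons = []
        # Core ToolShell signature: POST to ToolPane.aspx with a Referer that
        # claims to come from SignOut.aspx. Compare the path suffix, because
        # IIS may log the Referer as a full URL.
        if (rec.get("cs-method") == "POST" and stem == TOOLPANE_STEM
                and referer.endswith(SIGNOUT_REFERER)):
            reasons.append("POST to ToolPane.aspx with SignOut.aspx Referer")
        if stem.endswith("/" + MALICIOUS_FILENAME):
            reasons.append("request for " + MALICIOUS_FILENAME)
        if client_ip in KNOWN_ATTACKER_IPS:
            reasons.append("client IP in advisory IOC list")
        if reasons:
            findings.append(Finding(line_no, client_ip, rec.get("cs-uri-stem", "-"), reasons))
    return findings


if __name__ == "__main__":
    for f in find_toolshell_indicators(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.uri} -> {'; '.join(f.reasons)}")
```

Point it at the site's IIS logs (by default under %SystemDrive%\inetpub\logs\LogFiles) instead of SAMPLE_LOG. The fourth sample line is an authenticated administrator legitimately posting to ToolPane.aspx from a settings page, and it is intentionally not flagged: the SignOut.aspx Referer is what distinguishes the exploit request, not the endpoint alone. The script also deliberately does not alert on the User-Agent by itself, since that string is an ordinary Firefox 120 user agent and would drown the result in false positives.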
Additional File Hashes (from related attacks):
- 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030
- b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70
- fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7
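The file indicators above (the spinstall0.aspx file name and the four SHA256 hashes) can be hunted with the following Python script, an added example for this page rather than a tool from the advisory's authors or from Microsoft. It walks a directory tree, hashes every file, and reports anything matching by name or by hash. The long-form path in DEFAULT_LAYOUTS_DIR is an assumed expansion of the 8.3 short path quoted above; the demo() function scans a constructed temporary directory so the script can be exercised without a SharePoint server.

```python
"""Hunt a SharePoint LAYOUTS tree for the file-name and SHA256 IOCs listed above."""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass

# IOCs from the advisory above.
MALICIOUS_FILENAMES = {"spinstall0.aspx"}
MALICIOUS_SHA256 = {
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
    "4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030",
    "b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70",
    "fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7",
}
# Assumed long-name expansion of the 8.3 path quoted in the advisory.
DEFAULT_LAYOUTS_DIR = (r"C:\Program Files\Common Files\Microsoft Shared"
                       r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")


@dataclass
class Hit:
    path: str
    sha256: str
    reasons: list


def sha256_of(path):
    """Stream a file through SHA256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Return a Hit for every file under root whose name or SHA256 matches an IOC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            reasons = []
            if name.lower() in MALICIOUS_FILENAMES:
                reasons.append("file name matches IOC")
            if digest in MALICIOUS_SHA256:
                reasons.append("SHA256 matches IOC")
            if reasons:
                hits.append(Hit(full, digest, reasons))
    return hits


def demo():
    """Scan a constructed stand-in tree in a temporary directory, not a real server."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "settings.aspx"), "w") as fh:
            fh.write("<%@ Page %> benign placeholder\n")
        # Same name as the dropper but constructed contents, so it hits on name only.
        with open(os.path.join(root, "spinstall0.aspx"), "w") as fh:
            fh.write("<%@ Page %> constructed placeholder\n")
        return [(os.path.basename(h.path), h.reasons) for h in scan_tree(root)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LAYOUTS_DIR
    for hit in scan_tree(target):
        print(f"{hit.path}  {hit.sha256}  {'; '.join(hit.reasons)}")
```

Run it on the server with the LAYOUTS directory (or the whole 16 hive) as the argument. A file that matches by name but not by hash is still a finding: the hashes cover the samples seen so far, and a renamed or re-padded copy will not match them. Conversely, no hits from this script is not evidence of a clean host, which is why the advisory says to assume compromise on internet-facing servers and to rotate the MachineKey material regardless.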
Download Security Updates:
- SharePoint Server 2019: KB5002754
- SharePoint Subscription Edition: KB5002768
- SharePoint Server 2016: No patch available yet – check Microsoft’s advisory for updates
References:
- Microsoft Security Response Center: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- CVE-2025-53770 Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- CVE-2025-53771 Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
- CISA Advisory: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770