
A new zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is being actively exploited in the wild, enabling attackers to achieve remote code execution on vulnerable systems without authentication.
No official patch exists at this time, prompting urgent mitigation action from system administrators.
The vulnerability, publicly disclosed yesterday, was identified by researchers at Eye Security during a live incident response on a customer’s on-premises SharePoint Server. It was later acknowledged by Microsoft and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog earlier today. The flaw is a variant of CVE-2025-49706, previously presented at Pwn2Own Berlin earlier this year, and forms part of an exploit chain dubbed “ToolShell.”
Microsoft SharePoint Server is a widely used enterprise platform for content management, team collaboration, and internal workflows. While SharePoint Online (Microsoft 365) is unaffected, all on-premises SharePoint installations are potentially vulnerable if exposed to the internet.
Observed exploitation activity
The exploitation was first detected on July 18, 2025, when Eye Security’s 24/7 monitoring team observed suspicious activity on a SharePoint instance. Anomalous behavior was linked to a stealthy .aspx payload (spinstall0.aspx) dropped via a POST request to the /_layouts/15/ToolPane.aspx?DisplayMode=Edit endpoint. The attackers leveraged a deserialization flaw (CWE-502) to achieve unauthenticated remote code execution (RCE), bypassing identity mechanisms such as MFA or ADFS.
This zero-day builds on the previously disclosed CVE-2025-49704 and CVE-2025-49706, combining them with a newly discovered authentication bypass using a crafted HTTP referer to _layouts/SignOut.aspx, found by researcher @irsdl. This subtle trick turned what was thought to be a proof-of-concept into a live, credential-less exploitation mechanism.
Exploitation of CVE-2025-53770 allows attackers to:
- Write arbitrary files (such as web shells) to the server.
- Exfiltrate MachineKey configuration (including ValidationKey and DecryptionKey).
- Craft valid __VIEWSTATE payloads using tools like ysoserial, enabling fully signed malicious requests.
- Execute arbitrary PowerShell commands remotely.
- Access SharePoint content, internal configurations, and even move laterally within the organization.
The dropped file, spinstall0.aspx, was used to extract cryptographic secrets. With these keys, attackers can forge trusted tokens and execute further payloads undetected, even after the server has been patched, which makes remediation after a compromise both complex and essential.
According to Eye Security, mass exploitation began on July 18, with a second wave detected early on July 19. Scans across more than 8,000 SharePoint servers revealed dozens of active compromises, all using the same file paths and payloads. The malicious file is dropped at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
Indicators of compromise include:
- Network traffic to /ToolPane.aspx and /spinstall0.aspx
- HTTP requests with Referer: /_layouts/SignOut.aspx
- Known IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147
- Malicious requests carrying a user-agent string matching Firefox/120.0
Mitigations and guidance
Microsoft has not released a patch, but recommends immediate mitigation through Antimalware Scan Interface (AMSI) integration, combined with Microsoft Defender AV, on all SharePoint servers. If AMSI cannot be enabled, Microsoft advises disconnecting vulnerable systems from the internet.
CISA reinforced these recommendations and additionally urges organizations to:
- Monitor for suspicious POSTs to /_layouts/15/ToolPane.aspx.
- Scan for IoCs, particularly ASPX file access and known attacker IPs.
- Update IPS/WAF rules to block exploit patterns.
- Rotate exposed ValidationKey/DecryptionKey values post-compromise.
Full logging must be implemented urgently, and admin access scopes must be reviewed. Any compromised systems should be isolated immediately.
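The indicators listed above can be checked against IIS request logs. The following script is an added example for this article, not code from Eye Security, Microsoft or CISA; its log lines are constructed, it uses a reduced IIS W3C field set, and it rates a lone Firefox/120.0 user agent as low severity because that string is common in legitimate traffic.

```python
# Scan IIS W3C log entries for the ToolShell (CVE-2025-53770) indicators above.
# Added example; SAMPLE_LOG is constructed, not a real capture.
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}  # from the article

# IIS writes '+' for spaces inside a field and '-' for an empty field.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:12:01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-18 10:12:04 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 Mozilla/5.0+Firefox/120.0 - 200
2025-07-18 10:15:22 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.15 Mozilla/5.0+Chrome/126.0 https://sp.example.test/sites/hr/default.aspx 200
2025-07-18 10:16:00 GET /sites/hr/Forms/AllItems.aspx - 10.0.0.20 Mozilla/5.0+Chrome/126.0 - 200
"""

def parse_w3c(text):
    """Return one dict per entry, keyed by the most recent #Fields: header."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = [("" if v == "-" else v) for v in line.split()]
            entries.append(dict(zip(fields, values)))
    return entries

def toolshell_indicators(entry):
    """Names of the article's indicators that this entry matches."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    referer = entry.get("cs(Referer)", "").lower()
    hits = []
    # The observed exploit request: a POST to ToolPane.aspx in edit mode.
    # A GET of the same page is normal page editing and is not flagged.
    if entry.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx") and "displaymode=edit" in query:
        hits.append("post_toolpane_edit")
    if "/_layouts/signout.aspx" in referer:   # auth-bypass referer
        hits.append("signout_referer")
    if stem.endswith("/spinstall0.aspx"):       # dropped web shell
        hits.append("spinstall0_access")
    if entry.get("c-ip") in KNOWN_IPS:
        hits.append("known_attacker_ip")
    if "Firefox/120.0" in entry.get("cs(User-Agent)", ""):  # weak on its own
        hits.append("ua_firefox_120")
    return hits

def scan(text):
    """Return (entry, hits, severity) for every entry matching at least one indicator."""
    strong = {"post_toolpane_edit", "signout_referer", "spinstall0_access", "known_attacker_ip"}
    flagged = []
    for entry in parse_w3c(text):
        hits = toolshell_indicators(entry)
        if hits:
            flagged.append((entry, hits, "high" if strong & set(hits) else "low"))
    return flagged
```

Run `scan(SAMPLE_LOG)` to see the two attacker entries flagged high while the internal editing request and the document-library request pass clean; point `parse_w3c` at a real u_ex*.log file after confirming its #Fields: header carries cs(Referer) and cs(User-Agent).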