Security teams are racing to address two newly discovered zero-day vulnerabilities in on-premises Microsoft SharePoint Server, CVE-2025-53770 and CVE-2025-53771. Dubbed the “ToolShell” exploit chain, these flaws allow attackers to bypass authentication and execute remote code, posing a serious risk for organizations managing their own SharePoint environments.
Inside the Vulnerabilities
CVE-2025-53770 (CVSS 9.8) is a remote code execution vulnerability rooted in the unsafe deserialization of untrusted data. CVE-2025-53771 (CVSS 6.3) is a spoofing bug that manipulates HTTP headers to bypass authentication. When exploited together, they provide attackers with privileged access and the ability to run arbitrary code on vulnerable servers.
Only on-premises deployments are affected; SharePoint Online (Microsoft 365) remains secure.
- CVE-2025-53771 enables initial access by forging a Referer header and bypassing authentication controls.
- CVE-2025-53770 is then used to execute malicious code via a deserialization flaw.
- Both vulnerabilities circumvent earlier patches (CVE-2025-49704 and CVE-2025-49706), necessitating new emergency updates.
Assessing Organizational Risk
Organizations running the following SharePoint Server versions are at risk if not fully patched:
- SharePoint Server Subscription Edition (before KB5002768)
- SharePoint Server 2019 (before version 16.0.10417.20027/KKB5002754)
- SharePoint Server 2016
- Legacy versions (2010, 2013) are also vulnerable, though unsupported
Cloud-hosted, self-managed SharePoint servers (on Azure, AWS, GCP) are susceptible. Research by Wiz indicates that 9% of cloud environments run at-risk SharePoint instances.
The ToolShell Exploit Chain in Action
The “ToolShell” attack method has been observed in real-world campaigns. Here’s a breakdown:
- Authentication Bypass (CVE-2025-53771): Attackers send a POST request with a manipulated Referer header, fooling the server into granting access.
- Remote Code Execution (CVE-2025-53770): Armed with access, attackers exploit the deserialization bug to upload a malicious ASPX web shell (such as
spinstall0.aspx
). - Key Extraction: Using the web shell, attackers extract cryptographic keys, enabling the creation of valid, signed payloads.
- Persistent Access: With these keys, malicious ViewState payloads can be generated, allowing ongoing code execution without authentication.
Signs of compromise include unusual POST requests, the presence of spinstall0.aspx
, suspicious PowerShell activity, and attack-linked IP addresses.
Exploitation Timeline
Researchers showcased this exploit at Pwn2Own Berlin in May 2025. Despite Microsoft’s July 9th patches, attackers swiftly bypassed the fixes. Exploitation began by July 18, 2025, prompting immediate advisories and emergency patches from Microsoft and security authorities.
Essential Response Steps for Security Teams
- Patch without delay: Apply KB5002768 (Subscription Edition) and KB5002754 (2019); monitor for 2016 updates.
- Isolate or upgrade: Unsupported versions (2010, 2013) should be taken offline or upgraded.
- If patching is delayed:
- Disconnect affected servers from the internet
- Enable AMSI in Full Mode
- Rotate ASP.NET Machine Keys after patching
- Restart IIS
- If servers were exposed, assume compromise, engage incident response and monitor for IOCs
Key Takeaway
The emergence of CVE-2025-53770 and CVE-2025-53771 highlights the urgent need for proactive patching, vigilant monitoring, and the use of advanced security platforms. Legacy and self-managed SharePoint environments demand immediate action to reduce risk from these sophisticated threats.
Zero-Day SharePoint Vulnerabilities: How to Protect Your Organization Now