Overview

CVE-2025-53770 is a critical unauthenticated remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server deployments. The flaw is caused by unsafe deserialization of untrusted data, which can be exploited through specially crafted HTTP POST requests to endpoints such as ToolPane.aspx in the SharePoint web interface, fully bypassing authentication.

Impact of Successful Exploitation:

  • Execution of arbitrary code on the SharePoint server.
  • Upload and execution of persistent web shells (e.g., .aspx files), enabling ongoing access and lateral movement.
  • Theft of cryptographic secrets, such as machine keys, used to generate authentication tokens and ViewState payloads.
  • Evasion of detection, as attacker actions are often disguised within legitimate SharePoint traffic, making identification difficult without in-depth endpoint and network monitoring.

Severity Metrics:

  • CVSS Score: 8 (Critical)
  • EPSS: 95, indicating a high likelihood of exploitation.

Affected Products and Versions

Impacted Software: Microsoft SharePoint Server Subscription Edition (prior to the emergency patch), Microsoft SharePoint Server 2019 (prior to the emergency patch), and Microsoft SharePoint Server 2016 (patch pending as of July 21, 2025). SharePoint Online (Microsoft 365) is not impacted.

Patched/Mitigated Versions:

  • Emergency security updates released on July 19, 2025 for Subscription Edition and 2019.
  • SharePoint Server 2016 patch forthcoming as of July 21, 2025.

Threat Status

Active Exploitation: Confirmed globally since at least July 18, 2025, with over 75 organizations compromised.

Attack Techniques:

  • Crafted HTTP POST requests to vulnerable SharePoint endpoints trigger unsafe deserialization.
  • Deployment of malicious ASPX web shells for command execution, credential theft, and persistent access.
  • Extraction and abuse of machine keys for forging authentication payloads and facilitating lateral movement.
  • Obfuscation of malicious activities within standard SharePoint network activity, complicating detection.

Targeted Industries:

  • Enterprise, healthcare, government, and financial organizations, particularly those using on-premises or hybrid SharePoint environments.

Incident Response Advisory: Patching must be accompanied by machine key rotation and thorough checks for unauthorized web shells and credential compromise, as cryptographic material theft may allow continued unauthorized access.

Indicators of Compromise (IOCs)

Use the following IOCs for threat detection and response in affected SharePoint environments, particularly in enterprise, healthcare, government, and financial sectors.

Network Indicators

  • Unusual POST requests to:
    • /_layouts/15/ToolPane.aspx?DisplayMode=Edit

Known Malicious IP Addresses

  • 191.58[.]76
  • 238.159[.]149
  • 9.125[.]147

File System Artifacts

  • spinstall0.aspx located in:
    • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
  • Any newly created .aspx files under the \LAYOUTS\ directory

IIS Log Patterns

  • POST requests to /sites/*/_layouts/15/ToolPane.aspx
  • Suspicious Referer headers like /sites/*/_layouts/SignOut.aspx
  • GET requests to .aspx pages with long Base64-encoded parameters
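
The IIS log patterns above can be turned into a small triage script. The following is an added example, not code from the advisory or from Avertium: it parses IIS W3C log lines (the sample lines are constructed, not real traffic) and tags each request with the IOC rules it matches; the rule names and the 200-character Base64 threshold are assumptions of this example.

```python
import re

# Rules derived from the IIS log patterns above; the 200-character threshold and
# the base64 alphabet are this example's assumptions, not values from the advisory.
TOOLPANE_RE = re.compile(r"/_layouts/15/ToolPane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(15/)?SignOut\.aspx", re.IGNORECASE)
KNOWN_SHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/=_%-]{200,}$")
# Constructed IIS W3C log excerpt (not real traffic); the #Fields line is the standard IIS
# layout and the 240-char "QUJDRA..." value is base64-looking filler, not a real payload.
SAMPLE_LOG = f"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/SignOut.aspx 200
2025-07-19 02:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
2025-07-19 02:15:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0 - 200
2025-07-19 02:16:02 10.0.0.5 GET /_layouts/15/x.aspx v={'QUJDRA' * 40} 443 - 203.0.113.10 curl/8.0 - 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the #Fields column names; '-' (IIS's empty marker) becomes ''."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}

def classify(req):
    """Return the names of the IOC rules a single request matches (empty list if clean)."""
    hits = []
    method, stem, query = req.get("cs-method", ""), req.get("cs-uri-stem", ""), req.get("cs-uri-query", "")
    if method == "POST" and TOOLPANE_RE.search(stem):
        hits.append("post_toolpane")
        if "displaymode=edit" in query.lower():
            hits.append("toolpane_displaymode_edit")
    if SIGNOUT_RE.search(req.get("cs(Referer)", "")):
        hits.append("signout_referer")
    if KNOWN_SHELL_RE.search(stem):
        hits.append("spinstall0_request")
    if method == "GET" and stem.lower().endswith(".aspx"):
        values = (part.partition("=")[2] for part in query.split("&"))
        if any(B64_RE.match(v) for v in values):
            hits.append("long_base64_param")
    return hits

def scan_iis_log(text):
    """(client IP, URI, matched rules) for every request that hit at least one rule."""
    return [(r["c-ip"], r["cs-uri-stem"], hits) for r in parse_w3c(text) if (hits := classify(r))]
```

Point `scan_iis_log` at the contents of a real `u_ex*.log` file to triage it; a hit on the SignOut.aspx Referer together with the ToolPane.aspx POST from the same client is the combination worth escalating first.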

Process and Execution Artifacts

  • w3wp.exe (the IIS worker process) spawning command interpreters or other unexpected child processes

Ongoing Investigation: The attack landscape continues to evolve; organizations should monitor industry reporting and threat intelligence feeds (e.g., CISA KEV, Microsoft Security Advisories) for updated IOCs. Apply all available patches and rotate machine keys as recommended.

For tailored defense recommendations or assistance, contact your Avertium Service Delivery Manager or Account Executive.

MITRE ATT&CK TTPs

Kill Chain Phase      | MITRE ID          | Description
----------------------|-------------------|------------------------------------------------------------------------------------------
Initial Access        | T1190             | Exploit public-facing application via crafted deserialization payloads and ASPX web shells.
Execution             | T1203, T1059      | Remote code execution using deserialization, triggering PowerShell/C# interpreters.
Persistence           | T1505.003, T1546  | Web shells deployed for persistent backdoor access; event-triggered execution mechanisms.
Privilege Escalation  | T1068             | Exploitation through SharePoint process to escalate to SYSTEM/admin privileges.
Defense Evasion       | T1556, T1070      | Modifying authentication keys and removing logs to obscure attack traces.
Credential Access     | T1003, T1550      | OS credential dumping; use of forged or stolen session cookies for privilege escalation.
Discovery             | T1018             | Remote system discovery to identify targets for lateral movement.
Lateral Movement      | T1078, T1210      | Use of valid credentials/tokens and exploitation of remote services to move laterally.
Collection            | T1213             | Exfiltration of documents and sensitive SharePoint content repositories.
Exfiltration          | T1041             | Data exfiltration over command & control channels or web shell APIs.
Impact                | T1486             | Encryption of critical SharePoint or adjacent data for ransom or destructive purposes.

Additional Recommendations + Information

Immediate Mitigation Measures

  • Apply Microsoft patches (July 19, 2025) for:
    • SharePoint Subscription Edition (KB5002768)
    • SharePoint Server 2019 (KB5002754)
    • SharePoint Server 2016 (KB5002745 pending release for some customers).
  • Reconfigure network exposure:
    • Place internet-facing SharePoint servers behind firewalls or isolate on segmented networks until fully patched.
  • Disable nonessential features that rely on ViewState or custom deserialization until updates are applied.
  • Rotate ASP.NET machine keys in config files post-patch, as attackers may maintain access with stolen keys:
    • Update validation and decryption keys in each affected SharePoint site, then run iisreset.
  • Enable Microsoft Defender Antivirus and AMSI on SharePoint servers; operate in active mode to block exploit payloads and scripts.
  • If Defender/AMSI cannot be enabled, disconnect vulnerable/public-facing servers from the network until patching is complete.

Patch and System Monitoring

  • Confirm all SharePoint servers are updated to protected versions.
  • Validate that machine keys have been rotated and IIS restarted.
  • Monitor directories for new .aspx or web shell files and for authentication bypass attempts.
  • Employ vulnerability and asset discovery tools to flag unpatched systems and track remediation coverage.
  • Alert on suspicious POST requests and anomalous ViewState or serialization activity in endpoint/network logs.
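
As an added example (not Avertium's or Microsoft's tooling) of the machine key rotation step and the "validate that machine keys have been rotated" check in the two lists above: fingerprint the <machineKey> element of a web.config before patching, then confirm after rotation that both keys changed, without ever copying the secrets themselves into a ticket. The XML fragments are constructed dummies; on a real farm you would pass in the text of each web application's web.config.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from any real server). ASP.NET keeps the keys in
# <system.web><machineKey validationKey=".." decryptionKey=".."/>; the hex values are dummies.
BEFORE_ROTATION = """<configuration><system.web>
  <machineKey validationKey="A1A1A1A1A1A1A1A1" decryptionKey="B2B2B2B2B2B2B2B2"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
AFTER_ROTATION = (BEFORE_ROTATION.replace("A1A1A1A1A1A1A1A1", "C3C3C3C3C3C3C3C3")
                                 .replace("B2B2B2B2B2B2B2B2", "D4D4D4D4D4D4D4D4"))

def machine_key_fingerprint(web_config_xml):
    """SHA-256 over validationKey|decryptionKey, so a baseline can be recorded without copying
    the secrets into a ticket or spreadsheet. Returns None if no explicit <machineKey> is set."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        return None
    material = f'{mk.get("validationKey", "")}|{mk.get("decryptionKey", "")}'.encode()
    return hashlib.sha256(material).hexdigest()

def rotation_verified(baseline_fingerprint, current_web_config_xml):
    """True only when the keys now in web.config differ from the pre-patch baseline.
    A missing <machineKey> is treated as 'not verified', not as 'rotated'."""
    current = machine_key_fingerprint(current_web_config_xml)
    return current is not None and current != baseline_fingerprint
```

Record the baseline fingerprint for every web application before applying the patch; an unchanged fingerprint afterwards means the stolen keys are still valid and the rotation step has not actually happened on that server.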

Network Security Enhancements

  • Block known attack IP addresses and artifacts at firewalls and SharePoint server boundaries.
  • Deploy IDS/IPS solutions to inspect SharePoint traffic for exploit attempts or abnormal patterns.
  • Enforce network segmentation and isolate vulnerable hosts; monitor for lateral movement between critical systems.
  • Conduct compromise assessments on externally exposed SharePoint servers—search for web shells, machine key theft, and unusual process spawning by IIS.

Additional Service Offerings

Threat Detection & Response (TDR)

Avertium's TDR platform proactively identifies, alerts, and responds to threats like CVE-2025-53770 using integrated threat intelligence and XDR-informed processes. TDR affords continuous monitoring and rapid containment of exploitation attempts, particularly valuable during zero-day and active exploitation scenarios.

Security Information and Event Management (SIEM)

Avertium's SIEM integration consolidates security telemetry from SharePoint and connected environments, using advanced analytics for early detection of behavior tied to unsafe deserialization attacks, privilege escalation, and lateral movement. This enables early alerting and comprehensive incident response. 

Microsoft Security Solutions

Expert support for Microsoft Defender XDR and Sentinel strengthens SharePoint defenses by deploying custom detection rules for unsafe deserialization, integrating threat intel, and enabling expert-driven 24/7 oversight and incident triage.

Security Assessments & Attack Surface Management (ASM)

Avertium conducts risk assessments and ASM engagements, pinpointing vulnerable SharePoint deployments, misconfigurations, and legacy exposures. Clients receive actionable guidance to remediate risks, rotate credentials, and maintain a minimized attack surface. 

Governance, Risk, and Compliance (GRC)

For regulated industries, Avertium's GRC services ensure compliance with security mandates, enhance policy frameworks, and prepare robust incident response documentation, helping organizations remain audit-ready amidst active threat scenarios. 
