SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771): Everything You Need to Know

Two critical zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in on-premises Microsoft SharePoint servers are actively exploited using the ToolShell exploit chain. Microsoft has issued emergency patches and guidance to mitigate these bypass variants affecting specific SharePoint Server versions. #CVE202553770 #CVE202553771 #ToolShell

Keypoints

  • Two zero-day vulnerabilities, CVE-2025-53770 (critical RCE) and CVE-2025-53771 (spoofing), affect on-premises Microsoft SharePoint Servers and are actively exploited in the wild.
  • The two vulnerabilities are chained in the ToolShell exploit, allowing attackers to bypass authentication and then execute code remotely.
  • These are bypass variants of earlier patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706), with new attack paths discovered after Microsoft’s July 2025 Patch Tuesday updates.
  • The affected SharePoint versions include Subscription Edition (pre-KB5002768), Server 2019 (pre-16.0.10417.20027 / KB5002754), and Server 2016; SharePoint Online and unsupported 2010/2013 versions have different statuses.
  • Attackers exploit the spoofing vulnerability to gain authenticated access, then deliver a malicious payload leading to the deployment of a stealthy ASPX web shell for persistent access.
  • Critical cryptographic material (the ASP.NET machineKey) is extracted from compromised servers, letting attackers forge ViewState data that the server accepts as trusted and deserializes, resulting in remote code execution.
  • Microsoft released emergency patches on July 21, 2025, and recommends immediate patching, AMSI enablement, key rotation, isolation of exposed servers, and monitoring of related IOCs for protection.

MITRE Techniques

  • [T1210] Exploitation of Remote Services – The attacker exploits CVE-2025-53771 by sending a crafted POST request with a forged Referer header to bypass authentication. (‘crafted Referer header…to bypass authentication’)
  • [T1059] Command and Scripting Interpreter – Execution of PowerShell commands spawned by w3wp.exe process after gaining access through the web shell spinstall0.aspx. (‘w3wp.exe spawning encoded PowerShell’)
  • [T1078] Valid Accounts – Attackers obtain authenticated access by spoofing the Referer header to mimic legitimate SharePoint workflows. (‘bypass authentication by crafting a request that mimics a legitimate SharePoint workflow’)
  • [T1214] Server Software Component – Exploitation of insecure deserialization vulnerability (CVE-2025-53770) in SharePoint server components to achieve remote code execution. (‘unsafe deserialization of untrusted data’)
  • [T1566] Phishing (Indirectly related) – Attackers could use crafted requests to trick SharePoint authentication mechanisms through header spoofing. (‘header spoofing vulnerability in SharePoint’s request handling’)
  • [T1608] Exploitation for Credential Access – Extraction of ValidationKey and DecryptionKey from the machineKey configuration for forging signed ViewState payloads. (‘extract sensitive cryptographic material…machineKey configuration’)

Indicators of Compromise

  • [File Hash] Malicious web shell example – spinstall0.aspx SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
  • [File Name] ASPX web shell – spinstall0.aspx used for persistent access and exploitation
  • [URLs] Exploited endpoints – POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and Referer header /_layouts/SignOut.aspx
  • [Process Name] Malicious process – w3wp.exe spawning encoded PowerShell payloads
  • [IP Addresses] Related attacker infrastructure – 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147, 103.186.30[.]186
  • [File Path] Deployment path for web shell – C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
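As an added example (not part of the Wiz post or any vendor tooling), the following Python scanner applies the endpoint and web-shell indicators above to IIS W3C log lines: a POST to ToolPane.aspx with DisplayMode=Edit and a SignOut.aspx Referer, or any request for spinstall0.aspx. The sample log, its field layout and the client IP addresses are constructed for the demonstration.

```python
"""Flag ToolShell-style requests in IIS W3C extended log text."""
from urllib.parse import urlsplit

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"   # exploited endpoint (lower-cased)
SIGNOUT_REFERER = "/_layouts/signout.aspx"     # forged Referer seen in the chain
WEBSHELL_NAME = "spinstall0.aspx"              # dropped ASPX web shell

# Constructed sample log; IPs are RFC 5737 documentation addresses, not real IoCs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2025-07-19 10:01:02 203.0.113.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx /_layouts/SignOut.aspx 200
2025-07-19 10:01:09 203.0.113.5 GET /_layouts/15/spinstall0.aspx - - 200
2025-07-19 10:02:11 198.51.100.7 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit https://portal.example/sites/hr/SitePages/Home.aspx 200
2025-07-19 10:03:30 198.51.100.7 GET /_layouts/15/SignOut.aspx - https://portal.example/ 302
"""


def parse_w3c(text):
    """Yield one dict per log entry, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):           # skip malformed or truncated rows
            yield dict(zip(fields, values))


def referer_path(ref):
    """Normalise a Referer value (full URL or bare path, '-' when absent) to a lower-cased path."""
    if ref == "-":
        return ""
    return urlsplit(ref).path.lower() if "://" in ref else ref.split("?")[0].lower()


def classify(entry):
    """Return an indicator tag for a suspicious entry, or None for benign traffic."""
    stem = entry["cs-uri-stem"].lower()
    if stem.endswith("/" + WEBSHELL_NAME):
        return "webshell-access"
    if (entry["cs-method"].upper() == "POST" and stem.endswith(TOOLPANE_PATH)
            and "displaymode=edit" in entry.get("cs-uri-query", "-").lower()
            and referer_path(entry.get("cs(Referer)", "-")).endswith(SIGNOUT_REFERER)):
        return "toolshell-auth-bypass"
    return None                                   # e.g. a normal GET to ToolPane.aspx


def scan(text):
    """Return (client ip, uri stem, tag) for every flagged entry, in log order."""
    hits = []
    for entry in parse_w3c(text):
        tag = classify(entry)
        if tag:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], tag))
    return hits


if __name__ == "__main__":
    for ip, uri, tag in scan(SAMPLE_LOG):
        print(f"{tag:22} {ip:15} {uri}")
```

The legitimate edit-mode GET from the second client is deliberately not flagged, so the rule keys on the method plus the forged Referer rather than on ToolPane.aspx alone.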


Read more: https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k