In-the-wild Exploitation of CVE-2025-53770 and CVE-2025-53771: Technical Details and Mitigation Strategies


Two critical zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are being actively exploited in on-premises Microsoft SharePoint Server environments, enabling remote code execution and unauthorized file placement. These exploits are linked to China-based threat actors targeting the government, academic, energy, and telecommunications sectors. #ToolShell #CVE202553770 #CVE202553771 #LinenTyphoon #VioletTyphoon #Storm2603

Key Points

  • Two zero-day vulnerabilities, CVE-2025-53770 (9.8 CVSS) and CVE-2025-53771 (6.5 CVSS), affect SharePoint Server 2016, 2019, and Subscription Edition on-premises deployments, but not SharePoint Online.
  • The vulnerabilities enable unauthenticated remote code execution via deserialization of manipulated ViewState and path traversal for placing files outside restricted directories.
  • The “ToolShell” attack chain involves these new vulnerabilities as evolved forms of previous flaws disclosed at the Pwn2Own event in 2024.
  • Microsoft has observed exploitation by China-based nation-state actors named Linen Typhoon, Violet Typhoon, and Storm-2603.
  • Exploitation targets include government agencies, universities, energy companies, and Asian telecom firms.
  • Mitigations include immediate patching, cryptographic machine key rotation, enabling AMSI protection, network segmentation, and restricting server access.
  • Indicators of Compromise include malicious ASPX web shells (e.g., spinstall0.aspx), several IPv4 addresses used as exploitation sources and command and control (C2) servers, and specific HTTP request paths used by attackers.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Attackers execute cmd.exe or powershell.exe with encoded instructions via deserialized ViewState payloads (“ViewState payloads then invoke cmd.exe or powershell.exe with encoded instructions”).
  • [T1210] Exploitation of Remote Services – Exploitation of deserialization and path traversal vulnerabilities to execute remote code on SharePoint servers (“CVE-2025-53770: A deserialization vulnerability allowing unauthenticated RCE… CVE-2025-53771: A path traversal vulnerability that permits the attacker to place files outside of restricted directories”).
  • [T1543] Create or Modify System Process – Modification of scheduled jobs and creation of privileged service accounts has been observed in compromised environments (“Threat actors have also been observed modifying scheduled jobs and creating privileged service accounts”).
  • [T1083] File and Directory Discovery – Attackers place malicious ASPX web shells (e.g., spinstall0.aspx) in SharePoint directories to maintain persistence (“a malicious ASPX web shell (spinstall0.aspx) is uploaded to the server… allows persistent access”).
  • [T1552] Unsecured Credentials – Extraction of the server’s MachineKey, including ValidationKey and DecryptionKey, enabling credential theft (“support credential theft by extracting the server’s MachineKey configuration”).

Indicators of Compromise

  • [SHA-256 Hash] Malicious ASPX web shells and .NET modules – spinstall0.aspx hashes 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a0, 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0f, and others; test.txt hash b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93
  • [IPv4 Address] Exploitation source IPs – 107.191.58[.]76, 104.238.159[.]149, and additional addresses related to attack campaigns
  • [IPv4 Address] Command and Control servers – 96.9.125[.]147, 103.186.30[.]186
  • [File Names] Malicious files created post-exploit – C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx, C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js
  • [User-Agent Strings] Observed during exploit attempts – Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 and a URL-encoded variant of the same string
  • [HTTP Request Path] Exploit-triggering endpoints – /_layouts/15/ToolPane.aspx?DisplayMode=Edit, /_layouts/15/ToolPane.aspx?a=/ToolPane.aspx
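The following is an added example, not code from the Trustwave post or from the original summary: a small Python scanner that applies the indicators listed above (exploit-triggering ToolPane.aspx paths, the dropped file names, the source and C2 IPs, and the User-Agent string) to IIS W3C log lines. The log lines embedded in the block are constructed for illustration, the IPs are re-fanged from the "[.]" notation used above, and it is an assumption of this example that spinstall0.aspx and debug_dev.js would be requested through the /_layouts/ virtual directory like any other LAYOUTS file. The User-Agent is only counted when another indicator already matched, because on its own it is an ordinary Firefox string.

```python
"""Scan IIS W3C log lines for the ToolShell (CVE-2025-53770 / CVE-2025-53771) indicators."""
import re
from urllib.parse import unquote, unquote_plus

# Indicators from the summary above; IPs re-fanged so they compare with real log fields.
EXPLOIT_SOURCE_IPS = {"107.191.58.76", "104.238.159.149"}
C2_IPS = {"96.9.125.147", "103.186.30.186"}
EXPLOIT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
              "Gecko/20100101 Firefox/120.0")
# Files dropped into LAYOUTS after exploitation. Matched by file name only;
# the assumption is that they are served under /_layouts/ like any LAYOUTS file.
DROPPED_FILES = {"spinstall0.aspx", "debug_dev.js"}
# Both the 15 and 16 hive virtual directories expose ToolPane.aspx.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)

# Constructed sample log (not real traffic). IIS writes spaces inside fields as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200
2025-07-19 03:14:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 curl/8.4.0 - 200
2025-07-19 03:20:55 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\bob 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200
"""


def parse_w3c(lines):
    """Yield (line_number, entry) where entry maps the names from the last #Fields line."""
    fields = None
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield number, dict(zip(fields, values))


def classify(entry):
    """Return the indicator names that a single log entry matches (possibly empty)."""
    hits = []
    stem = entry.get("cs-uri-stem", "")
    query = unquote(entry.get("cs-uri-query", "-")).lower()  # decode %2F etc.
    client_ip = entry.get("c-ip", "")
    ua = unquote_plus(entry.get("cs(User-Agent)", ""))       # '+' and %XX back to text

    if TOOLPANE_RE.search(stem) and ("displaymode=edit" in query or "a=/toolpane.aspx" in query):
        hits.append("toolpane-exploit-path")
    if stem.rsplit("/", 1)[-1].lower() in DROPPED_FILES:
        hits.append("webshell-file-request")
    if client_ip in EXPLOIT_SOURCE_IPS:
        hits.append("known-exploit-source-ip")
    if client_ip in C2_IPS:
        hits.append("known-c2-ip")
    # The UA is a common browser string; treat it only as corroboration of another hit.
    if hits and ua == EXPLOIT_UA:
        hits.append("exploit-user-agent")
    return hits


def scan(lines):
    """Return (line_number, client_ip, uri_stem, hits) for every entry with at least one hit."""
    findings = []
    for number, entry in parse_w3c(lines):
        hits = classify(entry)
        if hits:
            findings.append((number, entry.get("c-ip", ""), entry.get("cs-uri-stem", ""), hits))
    return findings


if __name__ == "__main__":
    for number, ip, stem, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {ip} {stem} -> {', '.join(hits)}")
```

To run it against a real server, replace `SAMPLE_LOG.splitlines()` with the lines of a file from the IIS log directory; the `#Fields:` header is read from the file, so the column order of the site's own logging configuration is honoured. Any hit on the ToolPane path or on a dropped file name should be treated as a trigger for the mitigations listed above (patch, rotate the machine keys, and review the LAYOUTS directory), not merely as a log curiosity.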


Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/in-the-wild-exploitation-of-cve-2025-53770-and-cve-2025-53771-technical-details-and-mitigation-strategies/