CVE-2025-53770: Zero-Day Exploit Impacts Microsoft SharePoint Services

CVE-2025-53770, known as ToolShell, is a critical zero-day vulnerability that allows unauthenticated attackers to execute remote code on on-premises Microsoft SharePoint servers by exploiting insecure deserialization together with stolen cryptographic keys. Zscaler Deception detected active exploitation before public advisories were issued, underscoring the urgency for organizations to apply patches, enable AMSI, rotate machine keys, and deploy zero trust solutions.

Key points

  • CVE-2025-53770 affects on-premises SharePoint Server 2016, 2019, and Subscription Edition 23H2 or later, but not SharePoint Online.
  • The vulnerability exploits insecure deserialization in SharePoint’s server-side components, enabling unauthenticated remote code execution.
  • The ToolShell attack chain combines CVE-2025-49706 and CVE-2025-49704 to steal cryptographic secrets, including the ValidationKey, so that an attacker no longer needs prior access to those keys to sign payloads.
  • Public proof-of-concept and active exploitation were observed by Zscaler days before official advisories.
  • Zscaler Deception employs SharePoint decoys to detect attacks early and can contain lateral movement within networks through its integration with Zscaler Private Access (ZPA).
  • Microsoft and Zscaler recommend immediate patching, enabling AMSI, rotating machine keys, and leveraging zero trust architectures to mitigate the risk.
  • Monitoring unusual ViewState payloads and server logs is essential to detect possible exploitation attempts.

MITRE Techniques

  • [T1221] Template Injection – Attackers exploit insecure deserialization of .aspx files to inject malicious payloads into SharePoint’s server-side processing (“…trigger deserialization by downloading a crafted .aspx file intended to steal cryptographic secrets…”).
  • [T1550] Use of Valid Accounts – Attackers forge signed __VIEWSTATE payloads using stolen ValidationKey to bypass authentication mechanisms (“…forge signed __VIEWSTATE payloads with tools like ysoserial…”).
  • [T1059] Command and Scripting Interpreter – Execution of arbitrary commands through crafted ViewState payloads processed by the server (“…ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo RCE > c:/windows/temp/SP_RCE.txt"…”).
  • [T1005] Data from Local System – Extraction of cryptographic secrets (ValidationKey) from server memory or configuration files (“…steal cryptographic secrets, including the ValidationKey. These secrets can be extracted from the server’s memory or from configuration files…”).
  • [T1218] Signed Binary Proxy Execution – Use of SharePoint legitimate processes and paths to execute malicious payloads (“…a SharePoint flaw allows unauthenticated access to the path /_layouts/15/ToolPane.aspx …”).

Indicators of Compromise

  • [IP Addresses] sources of exploit attempts detected by Zscaler – 213.130.140.84, 154.47.29.41, and other IPs involved in active exploitation.
  • [File Names] malicious payloads crafted as .aspx files – toolpane.aspx (used for triggering deserialization), ysoserial-generated ViewState payloads.
  • [Configuration Keys] ValidationKey and DecryptionKey – stolen cryptographic secrets used for payload signing and exploitation.
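As an added example (not Zscaler's code) of the log monitoring recommended above, the script below triages IIS W3C log lines from an on-premises SharePoint server using only what this page states: unauthenticated POST requests to /_layouts/15/ToolPane.aspx and requests from the two source IPs listed in the indicators. The log lines are constructed sample data, and the field layout assumed is the default IIS W3C format.

```python
# Triage IIS W3C logs from an on-prem SharePoint server for ToolShell-style activity.
# Heuristics come from this page only: unauthenticated POSTs to /_layouts/15/ToolPane.aspx
# and requests from the source IPs the page lists. Added example, not Zscaler's code.
import re

# Source IPs quoted on this page as observed exploit sources.
IOC_IPS = {"213.130.140.84", "154.47.29.41"}
TOOLPANE_RE = re.compile(r"/_layouts/15/toolpane\.aspx$", re.IGNORECASE)

def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside a field as '+', so split is safe
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def triage(log_text):
    """Return a list of (client_ip, uri_stem, reasons) for suspicious requests."""
    findings = []
    for rec in parse_w3c(log_text):
        reasons = []
        uri = rec.get("cs-uri-stem", "")
        unauthenticated = rec.get("cs-username", "-") == "-"  # IIS logs '-' when anonymous
        if TOOLPANE_RE.search(uri) and rec.get("cs-method") == "POST" and unauthenticated:
            reasons.append("unauthenticated POST to ToolPane.aspx")
        if rec.get("c-ip") in IOC_IPS:
            reasons.append("source IP listed as exploit source")
        if reasons:
            findings.append((rec.get("c-ip", "?"), uri, reasons))
    return findings

# Constructed sample log (not real telemetry): default W3C header plus four requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 213.130.140.84 Mozilla/5.0 - 200
2025-07-19 03:12:42 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.1.2.3 Mozilla/5.0 - 200
2025-07-19 03:13:07 10.0.0.5 POST /_layouts/15/toolpane.aspx - 443 - 198.51.100.7 python-requests/2.32 - 200
2025-07-19 03:14:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\asmith 10.1.2.4 Mozilla/5.0 - 200
"""

if __name__ == "__main__":
    for ip, uri, reasons in triage(SAMPLE_LOG):
        print(f"{ip} {uri}: {'; '.join(reasons)}")
```

Point the script at a real W3C log (for example by reading the file into `triage`) to get a first-pass list of requests worth pulling ViewState and process telemetry for.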

Read more: https://www.zscaler.com/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-services