
Bulletin: Microsoft SharePoint On-Premises Exploitation

Widespread Exploitation against Microsoft SharePoint On-Premises

Written on: Jul 23, 2025 9:17:56 AM

Written by: Alex Raben

Topic

[Data Security, COOLSPIRiT, Cyber Security, Arctic Wolf]

Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises (CVE-2025-53770)

In July 2025, widespread exploitation began of a critical zero-day vulnerability affecting on-premises versions of Microsoft SharePoint. As the situation is ongoing, we strongly recommend that any organisation running on-premises SharePoint review this security information, upgrade to the latest fixed versions, and apply all recommended mitigations.

Summary

On July 19, 2025, Microsoft disclosed active exploitation of a zero-day vulnerability (CVE-2025-53770) affecting on-premises SharePoint Server instances. Originally, no patch was available for this vulnerability, but fixes were released late on the evening of July 20. CVE-2025-53770 is caused by the deserialization of untrusted data, allowing unauthenticated threat actors to execute code remotely over the network. It is a variant of CVE-2025-49706, a medium-severity flaw addressed in Microsoft’s July Patch Tuesday update. SharePoint Online in Microsoft 365 is not affected by this vulnerability. 

Independent reporting has identified exploitation affecting a number of organisations across government departments, multinational corporations, and organisations in the banking sector. Arctic Wolf observed exploitation attempts involving CVE-2025-53770 starting on July 18, 2025. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog on July 20, 2025.

At the time of disclosure no patch was available, so Microsoft's original guidance was to configure the Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus (Defender AV) on all SharePoint servers, which Microsoft stated would block unauthenticated threat actors from exploiting CVE-2025-53770.

Exploitation Details

The first public reporting on this activity was published by Eye Security, which, on the evening of July 18, began investigating what they initially believed to be exploitation of CVE-2025-49704 and CVE-2025-49706. These vulnerabilities were originally discovered during the Pwn2Own 2025 competition in May and are referred to collectively as “ToolShell.” Further investigation revealed the observed behavior was actually tied to a previously unknown zero-day vulnerability, later assigned CVE-2025-53770 by Microsoft. Shortly after, Palo Alto Networks' Unit 42 reported similar activity involving these vulnerabilities, with similar post-exploitation activities to the original reporting by Eye Security.

In Eye Security's research, threat actors targeted internet-exposed, on-premises SharePoint servers by sending crafted POST requests to the /_layouts/15/ToolPane.aspx endpoint with a spoofed Referer header of /_layouts/SignOut.aspx to bypass authentication. Once access was obtained, they dropped a malicious ASPX implant (spinstall0.aspx) that reads the server's ASP.NET machineKey configuration, specifically the ValidationKey and DecryptionKey that sign and encrypt __VIEWSTATE. With these keys, the threat actors used the ysoserial .NET deserialization tool to generate validly signed, malicious __VIEWSTATE payloads, giving remote code execution and persistent access without valid credentials. Because the stolen keys remain valid after the server is patched, such forged payloads keep working until the keys are rotated.

  • Specifically, use of the /_layouts/SignOut.aspx Referer appears to be what made the existing bug in CVE-2025-49706 exploitable without authentication, effectively making it a new vulnerability (CVE-2025-53770). The timing coincided with a security researcher posting on X in the early morning of July 18, demonstrating that a Referer header of /_layouts/SignOut.aspx could bypass authentication.
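The two traces described above (a POST to ToolPane.aspx carrying a SignOut.aspx Referer, and any request for the spinstall0.aspx implant) can be hunted for in the IIS W3C logs of an exposed server. The following PowerShell is an added example and is not code from the Arctic Wolf bulletin or from Eye Security: the log lines it runs over are constructed samples, the hive paths it checks are the standard SharePoint install locations, and the function and variable names are ours.

```powershell
# Added example (not from the original bulletin): hunt IIS W3C logs for a POST to
# ToolPane.aspx with a SignOut.aspx Referer and for any request to spinstall0.aspx,
# then check the SharePoint hive for the implant file. Sample log lines are constructed.

function Find-ToolShellIndicators {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    $fields = @()
    $hits = New-Object System.Collections.Generic.List[object]

    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # W3C logs declare their own column order; read it instead of hard-coding positions
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($fields.Count -eq 0) { continue }

        # IIS replaces spaces inside fields with '+', so one split per space is safe
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $reasons = @()
        # 1. Authentication bypass attempt: POST to ToolPane.aspx with a SignOut.aspx Referer
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -match '/_layouts/1[56]/ToolPane\.aspx$' -and
            $row['cs(Referer)'] -match 'SignOut\.aspx') {
            $reasons += 'POST to ToolPane.aspx with SignOut.aspx Referer'
        }
        # 2. Any request that reaches the spinstall0.aspx implant, whatever the status code
        if ($row['cs-uri-stem'] -match 'spinstall0\.aspx$') {
            $reasons += 'request for spinstall0.aspx implant'
        }

        if ($reasons.Count -gt 0) {
            $hits.Add([pscustomobject]@{
                Time     = '{0} {1}' -f $row['date'], $row['time']
                ClientIP = $row['c-ip']
                Method   = $row['cs-method']
                Uri      = $row['cs-uri-stem']
                Referer  = $row['cs(Referer)']
                Status   = $row['sc-status']
                Reasons  = $reasons -join '; '
            })
        }
    }
    return $hits
}

function Test-SpinstallImplant {
    # Standard hive locations: 16 for 2016/2019/Subscription Edition, 15 kept for compatibility
    $layoutDirs = @(
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
    )
    foreach ($dir in $layoutDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter 'spinstall0*.aspx' -File -ErrorAction SilentlyContinue
        }
    }
}

# Constructed sample log: one benign request, one bypass attempt, one implant fetch
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 20:45:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2025-07-18 20:46:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.23 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 874
2025-07-18 20:46:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 35
'@ -split "`r?`n"

Find-ToolShellIndicators -LogLines $sampleLog | Format-Table -AutoSize
# Against a real server, feed it the IIS logs instead, e.g.:
# Find-ToolShellIndicators -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250718.log')
Test-SpinstallImplant
```

On the constructed sample the first function returns the two requests from 198.51.100.23 and ignores the benign GET. A hit on the ToolPane.aspx pattern alone is an attempt, not proof of success; a 200 on spinstall0.aspx, or the file present in the LAYOUTS folder, should be treated as compromise and the key rotation below applied.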



Recommendation

Upgrade to Latest Fixed Versions

Arctic Wolf strongly recommends that customers immediately upgrade to the latest fixed versions of SharePoint. 

Affected Version: Microsoft SharePoint Server Subscription Edition
Security Update Link: Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center

Affected Version: Microsoft SharePoint Server 2019
Security Update Link: Download Security Update for Microsoft SharePoint Server 2019 (KB5002754) from Official Microsoft Download Center

Affected Version: Microsoft SharePoint Server 2016
Security Update Link: Not yet available at the time of writing. Microsoft is developing security updates for all supported versions of SharePoint and recommends monitoring its blog post for the latest updates.

Note: SharePoint Online in Microsoft 365 is not impacted by CVE-2025-53770. 

Enable AMSI Integration

If you are running a publicly exposed, on-premises instance of Microsoft SharePoint and have Defender AV installed, Arctic Wolf strongly recommends enabling AMSI integration in SharePoint and ensuring Defender AV is deployed across all SharePoint servers.

According to Microsoft, this mitigation will block unauthenticated threat actors from exploiting CVE-2025-53770. AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016 and 2019 and in the Version 23H2 feature update for Subscription Edition, so confirm it is actually on rather than assuming it; servers behind on updates, or where it was switched off, need it enabled explicitly. AMSI is a mitigation, not a substitute for the security update: it blocks the known unauthenticated exploit path but does not remove the underlying deserialization flaw.

Disconnect On-Premises SharePoint Servers from the Public Internet

For customers unable to upgrade to the fixed version of SharePoint or apply AMSI (e.g., those not using Defender AV), Microsoft recommends disconnecting the server from the internet until a security update can be applied. 

Rotate SharePoint Server ASP.NET Machine Keys

If your organisation was running a publicly exposed, on-premises instance of Microsoft SharePoint before the update was applied, assume the instance may have been compromised. By exploiting CVE-2025-53770, threat actors can obtain the ASP.NET machine keys, which let them keep forging valid __VIEWSTATE payloads even after a web shell is removed and the patch is installed. As a result, simply removing malicious artifacts does not eliminate the threat. Rotate the SharePoint machine keys after applying the security update, and again after any incident response, then restart IIS on every SharePoint server so the new keys take effect. If a compromise is detected, isolate the impacted server first.
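One way to carry out the rotation across a farm, as an added example that is not part of the Arctic Wolf bulletin: the script below calls Update-SPMachineKey, the cmdlet Microsoft's own guidance names for rotating SharePoint machine keys, on every web application including Central Administration, then restarts IIS on each SharePoint server. It assumes an elevated SharePoint Management Shell run by a farm administrator and that WinRM is enabled between the farm servers for Invoke-Command; the function name is ours.

```powershell
# Added example (not from the original bulletin): rotate the ASP.NET machine keys of
# every SharePoint web application after the security update is installed, then
# restart IIS on each SharePoint server so the new keys take effect.
# Assumes: elevated SharePoint Management Shell, farm admin rights, WinRM between servers.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Invoke-SPMachineKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Central Administration is a web application with its own machine key; include it
    $webApps = Get-SPWebApplication -IncludeCentralAdministration
    foreach ($webApp in $webApps) {
        if ($PSCmdlet.ShouldProcess($webApp.Url, 'Rotate ASP.NET machine key')) {
            # Generates new keys for the web application and pushes them to the farm's web servers
            Update-SPMachineKey -WebApplication $webApp
            Write-Host "Rotated machine key for $($webApp.Url)"
        }
    }

    # Running worker processes still hold the old keys; restart IIS on every SharePoint
    # server (Role 'Invalid' marks non-SharePoint servers such as SQL, which are skipped)
    $spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
    foreach ($server in $spServers) {
        if ($PSCmdlet.ShouldProcess($server.Address, 'iisreset')) {
            Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
        }
    }
}

# Dry run first to see which web applications and servers would be touched, then the real thing
Invoke-SPMachineKeyRotation -WhatIf
Invoke-SPMachineKeyRotation
```

The -WhatIf pass is there because iisreset drops every active session on the server; schedule the real run in a change window. Expect users to be signed out and any forged __VIEWSTATE built from the old keys to fail validation once the new keys are live.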


Note: Arctic Wolf recommends following change management best practices when applying these updates and mitigations, including testing changes in a test environment before deploying to production.


Article Information Source: Arctic Wolf
