Microsoft Zero-Day Vulnerabilities CVE-2025-53770 & CVE-2025-53771

July 21, 2025

THE THREAT

[UPDATE July 22, 2025]

Microsoft has disclosed two zero-day vulnerabilities in SharePoint Server, CVE-2025-53770 and CVE-2025-53771, that have been actively exploited since July 18, 2025. Chained together they give an unauthenticated attacker Remote Code Execution (RCE), and both are bypasses of flaws fixed in the July 2025 security updates: CVE-2025-53770 bypasses the fix for CVE-2025-49704, and CVE-2025-53771 bypasses the fix for CVE-2025-49706. The exploit chain, first demonstrated as "ToolShell" at Pwn2Own Berlin, has been weaponized by threat actors. Eye Security, which first identified the attacks, reports more than 85 compromised SharePoint servers across 54 organizations worldwide, including federal governments, health organizations, state institutions, energy sector operators, educational institutions, and financial technology companies. Microsoft notes that the vulnerabilities affect only on-premises SharePoint Server and do not impact SharePoint Online in Microsoft 365.

To mitigate the risk, Microsoft recommends installing the latest SharePoint security updates, enabling Antimalware Scan Interface (AMSI) integration, and deploying Microsoft Defender for Endpoint or an equivalent EDR product on all SharePoint servers. Where no patch is yet available, administrators are advised to disconnect their SharePoint servers from the Internet. In the observed exploitation the attackers drop a malicious file named "spinstall0.aspx" whose purpose is to return the server's MachineKey configuration (the ASP.NET ValidationKey and DecryptionKey); with those keys the attacker can forge cryptographically valid __VIEWSTATE payloads and execute code on the server at will. Because keys that have already been stolen stay valid after the update is installed, Microsoft's guidance also calls for rotating the SharePoint machine keys once the server is patched. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with a one-day remediation deadline for federal agencies, underlining the severity of the situation.

Additional information

Microsoft has released emergency security patches addressing two vulnerabilities affecting on-premises SharePoint servers. The primary concern, CVE-2025-53770 (CVSS 9.8), is a deserialization of untrusted data flaw that enables Remote Code Execution. CVE-2025-53771 (CVSS 6.3) is a path traversal flaw that Microsoft describes as allowing spoofing over a network by an authorized attacker; in the chain it is the piece that lets the vulnerable endpoint be reached without valid credentials. These vulnerabilities are particularly significant because they bypass the fixes shipped in the July 2025 Patch Tuesday updates. Both the Canadian Centre for Cyber Security (CCCS) and U.S. CISA have issued urgent advisories due to active exploitation in the wild.

The attack begins with a crafted POST request to "_layouts/15/ToolPane.aspx" whose HTTP Referer header is set to "_layouts/SignOut.aspx"; SharePoint treats the request as part of the sign-out flow and lets it through without authentication. On successful exploitation the attackers write "spinstall0.aspx" into the SharePoint LAYOUTS directory and request it, and the page returns the server's MachineKey configuration. With the ValidationKey and DecryptionKey in hand, the attacker uses a tool such as ysoserial.net (the .NET port of ysoserial) to generate __VIEWSTATE payloads that carry a valid MAC, so the server deserializes them and executes the embedded gadget chain, leading to full system compromise and to persistence that survives a patch of the original bug unless the keys are rotated. Microsoft has released updates KB5002754 for SharePoint Server 2019 and KB5002768 for SharePoint Subscription Edition; at the time of writing a patch for SharePoint Server 2016 was still pending.

This is not the first time ASP.NET machine keys have been targeted by threat actors. In December 2024, Microsoft Threat Intelligence observed an unattributed threat actor using a publicly available, static ASP.NET machine key to perform ViewState code injection attacks. The attack uses exposed ValidationKey and DecryptionKey values to craft malicious ViewState data that is sent to the site in a POST request; when the ASP.NET runtime processes it, the attacker gains remote code execution on the IIS web server. Microsoft has since identified more than 3,000 publicly disclosed keys that could be abused in this way.

The ViewState code injection attack abuses ASP.NET's machine key system. The ValidationKey is used to compute the HMAC over the ViewState and the DecryptionKey to encrypt it; ASP.NET checks the MAC before it deserializes the ViewState, so an attacker cannot normally tamper with it. The keys become compromised when developers copy machineKey values from code repositories or documentation into production, or, as in the SharePoint case, when an attacker reads them straight off the server. With a known key the attacker can craft a malicious ViewState payload whose signature verifies, and the ASP.NET runtime deserializes it as trusted data.
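The following is an added illustration of the point above, written for this advisory and not code from Microsoft or eSentire. It models ViewState MAC validation with a plain HMAC-SHA256 over a JSON payload; real ASP.NET uses the ObjectStateFormatter serializer, derives a per-purpose subkey from the validationKey, and mixes in the page's __VIEWSTATEGENERATOR, none of which is reproduced here. The key and the "gadget" placeholder are constructed for the example. It shows the four cases that matter: a legitimate ViewState verifies, a forged one verifies when the attacker holds the leaked key, a forged one fails without the key, and a forged one fails again once the key is rotated.

```python
"""Why a leaked ASP.NET machine key is fatal: a simplified model of ViewState
MAC validation (added illustration, not ASP.NET's real format or key derivation)."""
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = 32  # HMAC-SHA256 output

# Constructed stand-in for the <machineKey validationKey="..."> value that
# spinstall0.aspx leaks.  Assumption: HMAC-SHA256 with a 64-byte key, the
# ASP.NET 4.5+ default.  Derived deterministically so the example is repeatable.
SERVER_VALIDATION_KEY = hashlib.sha512(
    b"constructed example key, not a real machineKey").digest()


def sign_viewstate(state: dict, validation_key: bytes, modifier: bytes = b"") -> str:
    """Serialize `state` and append HMAC(key, modifier || payload), base64-encoded.
    `modifier` stands in for the page-specific value (__VIEWSTATEGENERATOR) that
    real ASP.NET mixes into the MAC, which is why ysoserial.net needs --generator."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, modifier + payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(blob: str, validation_key: bytes, modifier: bytes = b"") -> dict:
    """Check the MAC first; only a blob with a valid MAC is ever deserialized."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        raise ValueError("ViewState too short")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, modifier + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    # In ASP.NET this is the point where the object graph (and any gadget chain
    # inside it) gets deserialized.  Here it is just JSON.
    return json.loads(payload)


def is_accepted(blob: str, validation_key: bytes, modifier: bytes = b"") -> bool:
    try:
        verify_viewstate(blob, validation_key, modifier)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the four cases and report whether the server would accept each blob."""
    generator = b"/_layouts/15/somepage.aspx"   # constructed page modifier
    server_key = SERVER_VALIDATION_KEY
    # Constructed placeholder for the serialized gadget an attacker would embed.
    malicious_state = {"__type": "constructed-gadget-placeholder", "cmd": "whoami"}

    legit = sign_viewstate({"ctl00$SearchBox": "quarterly report"}, server_key, generator)
    forged_with_key = sign_viewstate(malicious_state, server_key, generator)
    forged_without_key = sign_viewstate(malicious_state, secrets.token_bytes(64), generator)
    rotated_key = secrets.token_bytes(64)      # what key rotation after patching does

    return {
        "legit_accepted": is_accepted(legit, server_key, generator),
        "forged_with_leaked_key_accepted": is_accepted(forged_with_key, server_key, generator),
        "forged_without_key_accepted": is_accepted(forged_without_key, server_key, generator),
        "forged_after_key_rotation_accepted": is_accepted(forged_with_key, rotated_key, generator),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

The second case is exactly what the ToolShell chain buys the attacker: once spinstall0.aspx has handed over the keys, every forged __VIEWSTATE verifies and the patch for the original bug does not help. The fourth case is why key rotation is part of the remediation, not an optional extra.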

Organizations are strongly advised to act immediately: apply the available patches, isolate unpatched systems from the network, monitor for the suspicious POST requests and file artifacts listed in the IOCs below, rotate the SharePoint ASP.NET machine keys after patching (Microsoft's guidance describes doing this from Central Administration or with the Update-SPMachineKey PowerShell cmdlet, followed by an IIS restart), and deploy AMSI integration and EDR. These steps should be prioritized because of SharePoint's central role in business operations and its common exposure to external networks, which make it an attractive target for initial network compromise. Note that while on-premises installations are affected, SharePoint Online in Microsoft 365 is not affected by these vulnerabilities.

Indicators of Compromise (IOCs)

IP addresses:
107.191.58[.]76
104.238.159[.]149
96.9.125[.]147
103.186.30[.]186
86.48.9[.]82
139.199.202[.]205
185.213.82[.]30
154.47.29[.]4
139.144.199[.]41
89.46.223[.]88
45.77.155[.]170
95.179.158[.]42
149.40.50[.]15
154.223.19[.]106
185.197.248[.]131

User-Agent strings (the second form is the same string as it appears in IIS logs, which record spaces as "+"):
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0

HTTP requests:
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
Referer: /_layouts/SignOut.aspx (sent with the POST above)
GET request to the malicious ASPX file at /_layouts/15/spinstall0.aspx

SHA256 hashes:
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
d50a7f142a53a8d2358137e74901e093e19047b66f42216163b91f26460d329b
8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2
27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014
b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93
4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030
fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7
b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70
390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e
66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082
7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95

File paths (the first two are 8.3 short-name forms of C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16 and \15):
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js
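As an added example for the monitoring recommendation above (not eSentire's or Microsoft's detection content), the following script runs the request-path, Referer, User-Agent and source-IP indicators from this advisory over IIS W3C log lines and correlates them per source IP, so a host seen doing both the ToolPane.aspx POST and the spinstall0.aspx fetch is flagged as a likely compromise rather than a single noisy hit. The log excerpt is constructed for the example; the field layout follows the IIS W3C "#Fields:" directive, and the server name sp.example.internal is made up.

```python
"""Detection pass for the ToolShell indicators listed in this advisory over IIS
W3C log lines.  Added example; the log lines are constructed, the IOCs are the
advisory's own."""
import re
from collections import defaultdict

IOC_IPS = {
    "107.191.58.76", "104.238.159.149", "96.9.125.147", "103.186.30.186",
    "86.48.9.82", "139.199.202.205", "185.213.82.30", "154.47.29.4",
    "139.144.199.41", "89.46.223.88", "45.77.155.170", "95.179.158.42",
    "149.40.50.15", "154.223.19.106", "185.197.248.131",
}
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
                  "Gecko/20100101 Firefox/120.0")
TOOLPANE_RE = re.compile(r"/_layouts/(\d+/)?toolpane\.aspx$")

# Constructed IIS log excerpt.  Lines 1-2 mimic the observed chain from one
# source; lines 3-4 are benign, including a legitimate authenticated web-part
# edit through ToolPane.aspx that must NOT fire.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:41:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-18 22:41:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-18 22:45:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\jdoe 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 200
2025-07-18 22:46:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\admin 192.168.1.30 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 https://sp.example.internal/sites/hr/_layouts/15/settings.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(row):
    """Return (tag, severity, reason) for every advisory indicator this request matches."""
    method = row.get("cs-method", "").upper()
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    ua = row.get("cs(User-Agent)", "").replace("+", " ")   # IIS logs spaces as '+'
    ip = row.get("c-ip", "")
    hits = []
    # The exploit POST carries a=/ToolPane.aspx in the query and a Referer of
    # SignOut.aspx; either is enough to distinguish it from a normal page edit.
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and ("a=/toolpane.aspx" in query or referer.endswith("/_layouts/signout.aspx"))):
        hits.append(("toolpane_post", "high", "ToolShell-style POST to ToolPane.aspx"))
    if stem.endswith("/spinstall0.aspx"):
        hits.append(("spinstall0", "critical", "request to spinstall0.aspx (machine-key dumper)"))
    if ip in IOC_IPS:
        hits.append(("ioc_ip", "medium", f"source {ip} is in the advisory IOC list"))
    if ua == IOC_USER_AGENT:
        hits.append(("ioc_ua", "low", "User-Agent matches the advisory IOC"))
    return hits


def scan(text):
    """Classify every request and correlate per source IP: a source that did both
    the ToolPane POST and the spinstall0.aspx fetch is reported as compromised."""
    alerts, stages = [], defaultdict(set)
    for row in parse_w3c(text):
        for tag, severity, reason in classify(row):
            alerts.append({"time": f"{row['date']} {row['time']}", "ip": row["c-ip"],
                           "severity": severity, "reason": reason})
            stages[row["c-ip"]].add(tag)
    compromised = sorted(ip for ip, tags in stages.items()
                         if {"toolpane_post", "spinstall0"} <= tags)
    return {"alerts": alerts, "compromised_sources": compromised}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(f"{alert['time']} {alert['ip']} [{alert['severity']}] {alert['reason']}")
    print("likely compromised sources:", result["compromised_sources"])
```

The IP and User-Agent matches are deliberately low severity on their own: addresses get reused and Firefox 120 is a real browser string. The path and Referer patterns are the ones worth paging on, and a source that hits both stages should be treated as a compromised server until the LAYOUTS directories listed above have been checked for spinstall0.aspx and the machine keys rotated.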

References:

[1] https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
[2] https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
[3] https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770
[4] https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
[5] https://research.eye.security/sharepoint-under-siege/
[6] https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
[7] https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/
[8] https://nvd.nist.gov/vuln/detail/CVE-2025-53771
[9] https://nvd.nist.gov/vuln/detail/CVE-2025-49704
[10] https://nvd.nist.gov/vuln/detail/CVE-2025-49706
[11] https://github.com/microsoft/mstic/blob/master/RapidReleaseTI/MachineKeys.csv
[12] https://github.com/frohoff/ysoserial
[13] https://x.com/codewhitesec/status/1944743478350557232
[14] https://www.esentire.com/what-we-do/threat-response-unit/threat-intelligence-services
[15] https://github.com/soltanali0/CVE-2025-53770-Exploit
[16] https://github.com/kaizensecurity/CVE-2025-53770
[17] https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/
[18] https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
[19] https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
