Summary of Microsoft SharePoint Zero-Day Vulnerability
A critical zero-day RCE chain dubbed ToolShell, tracked as CVE-2025-53770 (together with the accompanying spoofing bypass CVE-2025-53771), has been actively exploited against on-premises Microsoft SharePoint servers since mid-July 2025. Organizations running SharePoint Server 2016, 2019, or Subscription Edition must apply Microsoft’s emergency security updates immediately and perform key rotation and forensic assessments to prevent persistent compromise.
Understanding Zero-Day Vulnerabilities
A zero-day vulnerability is a software flaw unknown to the vendor or the public until it is discovered, often by attackers, meaning the vendor has had "zero days" to develop and distribute a patch. Zero-days are particularly dangerous when exploited in the wild, as organizations have no prior warning or defense. In July 2025, security researchers revealed a new SharePoint zero-day chain (“ToolShell”) combining an authentication bypass and an unsafe deserialization bug to achieve unauthenticated remote code execution (RCE).
Timeline and Technical Details
May 17, 2025: At Pwn2Own Berlin, Viettel Cyber Security demonstrated chaining CVE-2025-49706 (auth bypass) and CVE-2025-49704 (deserialization RCE), naming it “ToolShell.”
July 8, 2025: Microsoft patched those original flaws in Patch Tuesday updates, asserting no active exploitation.
July 14–17, 2025: Proof-of-concept exploits surfaced demonstrating bypasses of the July fixes.
July 19, 2025: Microsoft published advisories for CVE-2025-53770 (deserialization bypass, CVSS 9.8) and CVE-2025-53771 (spoofing bypass, CVSS 6.3), confirming active in-the-wild exploitation.
Attacker crafts a malicious POST to /_layouts/15/ToolPane.aspx, leveraging unsafe deserialization to execute embedded PowerShell.
A web shell (spinstall0.aspx) is deployed to the server’s Layouts directory.
Attacker sends a GET request to the deployed web shell to steal the server’s ASP.NET ValidationKey and DecryptionKey.
With stolen keys, the attacker forges signed ViewState payloads, achieving seamless, persistent RCE even after removing the web shell or patching the endpoint.
Impact and Scope
Active Exploitation: First observed by Eye Security on July 18; SentinelOne tracked aggressive campaigns against high-value targets (government, healthcare, finance, critical infrastructure) as early as July 17.
Servers Compromised: Reports vary from 29 organizations (Eye Security) to 75 servers (Times of India) to 8,000+ servers (Virtru claim), though clustering suggests 54–85 organizations impacted.
Geographic Spread: Compromises confirmed across North America, Western Europe, and beyond, with victims including federal agencies, universities, energy operators, AI and fintech firms.
Indicators of Compromise (IOCs)
Malicious web shell: spinstall0.aspx deployed under …\TEMPLATE\LAYOUTS\spinstall0.aspx; SHA-256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 [Rapid7]
Suspicious requests: POST requests to /_layouts/*/ToolPane.aspx with a Referer header of /layouts/SignOut.aspx
User-Agent seen in those requests: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
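As an added example (not from the original summary or from any vendor tooling), the following Python script applies the request-based IOCs above to IIS W3C log lines: a POST to ToolPane.aspx carrying a SignOut.aspx Referer, and any request for spinstall0.aspx. The log lines are constructed for the example; the field names follow the IIS W3C format, in which spaces inside a logged value are written as '+'.

```python
"""Added example: flag the ToolShell request pattern in IIS W3C logs.
Hits: POST to /_layouts/<n>/ToolPane.aspx with a SignOut.aspx Referer (the
IOC listed above) and any request for spinstall0.aspx. Constructed sample
lines follow; note IIS writes '+' in place of spaces inside logged fields."""
import re

TOOLPANE_RE = re.compile(r"^/_layouts/\d+/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_?layouts/(?:\d+/)?signout\.aspx$", re.I)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.I)
KNOWN_UA = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)"
            "+Gecko/20100101+Firefox/120.0")

def parse_w3c(lines):
    """Yield (line_no, record) using the #Fields header to name columns."""
    fields = None
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield n, dict(zip(fields, values))

def find_toolshell_hits(lines):
    """Return (line_no, client_ip, uri, reason) for entries matching the IOCs."""
    hits = []
    for n, rec in parse_w3c(lines):
        uri, ip = rec.get("cs-uri-stem", ""), rec.get("c-ip", "?")
        if WEBSHELL_RE.search(uri):
            hits.append((n, ip, uri, "request for web shell spinstall0.aspx"))
        elif (rec.get("cs-method") == "POST" and TOOLPANE_RE.match(uri)
              and SIGNOUT_RE.search(rec.get("cs(Referer)", "-"))):
            why = "POST to ToolPane.aspx with SignOut.aspx referer"
            if rec.get("cs(User-Agent)") == KNOWN_UA:
                why += " and reported user agent"
            hits.append((n, ip, uri, why))
    return hits

# Constructed sample: a benign admin edit, then the exploitation pattern.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 02:11:05 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.5 Mozilla/5.0+Edge/126 https://sp.example.internal/sites/hr/Home.aspx 200
2025-07-18 02:14:42 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /layouts/SignOut.aspx 200
2025-07-18 02:15:01 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
""".splitlines()

if __name__ == "__main__":
    for n, ip, uri, why in find_toolshell_hits(SAMPLE_LOG):
        print(f"line {n} {ip} {uri}: {why}")
```

The Referer pattern accepts both the /layouts/ form listed above and the underscore-prefixed /_layouts/ form, since the same page is served under either spelling in logs.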
Exploitation in Real Time
Multiple cybersecurity firms confirmed active exploitation preceding public advisories:
Rapid7: Observed aggressive RCE campaigns and issued detection rules for process chains and HTTP anomalies [Rapid7].
BleepingComputer/Eye Security: Reported at least 85 compromised servers clustered into 54 organizations, first seen July 18 via EDR alerts on malicious .aspx execution.
SentinelOne: Identified three distinct attack clusters targeting strategic sectors beginning July 17, before Microsoft advisories were published.
Affected Versions
Only on-premises SharePoint servers are impacted. SharePoint Online (Microsoft 365) is not affected. Impacted editions include:
SharePoint Server 2016 Enterprise
SharePoint Server 2019
SharePoint Server Subscription Edition
Patching and Mitigations
Microsoft released emergency cumulative security updates on July 19–21:
Product                                         Security Update (KB)
SharePoint Server Subscription Edition          KB5002768
SharePoint Server 2019 Core                     KB5002754
SharePoint Server 2019 Language Pack            KB5002753
SharePoint Enterprise Server 2016 Core          KB5002760
SharePoint Enterprise Server 2016 Language Pack KB5002759
Mitigation Steps:
Apply Updates Immediately: Deploy the above KBs on all affected servers without waiting for the next Patch Tuesday.
Rotate Cryptographic Keys: After patching, rotate the ASP.NET ValidationKey and DecryptionKey to invalidate stolen secrets [Rapid7].
Isolate Internet-Facing Servers: Temporarily disconnect vulnerable servers until patched.
Enable AMSI & Defender AV: Integrate the Antimalware Scan Interface (AMSI) and deploy Microsoft Defender to detect post-exploitation activity.
Conduct Forensic Review: Perform a full compromise assessment; check for spinstall0.aspx, anomalous PowerShell activity, and unauthorized credential/secret harvesting.
Implement Network Segmentation: Limit SharePoint access via VPN or private access controls to reduce exposure.
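To support the forensic review step, here is an added example (not Microsoft’s or Rapid7’s code) that walks a SharePoint LAYOUTS directory and flags any .aspx file named spinstall0.aspx or whose SHA-256 matches the hash from the IOC table. The directory path is a parameter because it lives under a version-specific hive folder, and the demo fixture uses a temporary directory with constructed placeholder files.

```python
"""Added example: hunt the SharePoint LAYOUTS tree for the ToolShell web shell.
Flags any .aspx file named spinstall0.aspx and any .aspx file whose SHA-256 is
on the watch list (by default the hash reported above). The LAYOUTS path is a
parameter because it sits under a version-specific hive directory."""
import hashlib
import os

# SHA-256 of spinstall0.aspx as reported in the IOC table above.
KNOWN_WEBSHELL_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
WEBSHELL_NAMES = {"spinstall0.aspx"}

def sha256_of(path, chunk=1 << 16):
    """Stream the file so large layouts files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hunt_webshell(layouts_dir, hashes=frozenset({KNOWN_WEBSHELL_SHA256})):
    """Return a sorted list of (path, reason) for suspicious .aspx files."""
    findings = []
    for root, _dirs, files in os.walk(layouts_dir):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path, reasons = os.path.join(root, name), []
            if name.lower() in WEBSHELL_NAMES:
                reasons.append("filename is on the watch list")
            if sha256_of(path) in hashes:
                reasons.append("SHA-256 is on the watch list")
            if reasons:
                findings.append((path, "; ".join(reasons)))
    return sorted(findings)

def demo():
    """Constructed fixture: a benign page beside a file carrying the shell's name."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "15"))
        benign = os.path.join(tmp, "15", "SignOut.aspx")
        with open(benign, "w") as f:
            f.write("<%@ Page %>benign")
        with open(os.path.join(tmp, "15", "spinstall0.aspx"), "w") as f:
            f.write("<%@ Page %>constructed placeholder, not the real shell")
        # Second call uses the benign file's digest as the watch list so the
        # hash path is exercised without embedding real web shell content.
        return hunt_webshell(tmp), hunt_webshell(tmp, {sha256_of(benign)})
```

Run hunt_webshell against each web front end’s LAYOUTS folder after patching; a name-only hit still warrants a full compromise assessment, since the file contents may have been modified.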
Conclusion
The ToolShell zero-day chain enabling RCE in on-premises SharePoint servers represents a critical, actively exploited threat with severe persistence capabilities. Rapid, coordinated remediation—including emergency patching, key rotation, and thorough incident response—is essential to prevent longstanding compromise. Organizations should also revisit in-house vs. cloud strategies and reinforce secure configuration practices for legacy on-premises systems to mitigate future zero-day risks.