Custom Software Development and Consulting

Microsoft SharePoint Vulnerability CVE‑2025‑53770: Zero‑Day Exploit Risks & Mitigation

by

Zaki Technology
in

Microsoft has confirmed a critical, unpatched zero‑day vulnerability in on‑premises SharePoint Server—tracked as CVE‑2025‑53770—that is being actively exploited in the wild. Over the weekend of July 19–20, 2025, dozens of organizations—including U.S. federal and state agencies, universities, energy firms, and major corporations—reported breaches that leveraged this flaw to execute code remotely without any authentication(The Times of India)(The Washington Post).

What Is CVE‑2025‑53770?

CVE‑2025‑53770 is an unauthenticated remote code execution (RCE) vulnerability rooted in the deserialization of untrusted data within on‑premises Microsoft SharePoint Server. In essence, a specially crafted HTTP request bypasses normal security checks, causing SharePoint to deserialize malicious payloads and execute arbitrary code under the context of the SharePoint service account—without requiring valid credentials. The National Vulnerability Database assigns this issue a CVSS v3.1 score of 9.8 (Critical), reflecting its potential for complete server takeover.

How Was the Flaw Discovered?

The vulnerability was first demonstrated publicly at the Pwn2Own Berlin 2025 hacking contest in May 2025, where researchers chained two earlier SharePoint bugs (CVE‑2025‑49704 and CVE‑2025‑49706) into an exploit dubbed “ToolShell.” Those bugs were patched on July 9, but researchers and attackers soon identified a tweak—spoofing the HTTP Referer header to /_layouts/SignOut.aspx—that re‑enabled the exploit path and was assigned CVE‑2025‑53770 a week later(The Verge). On July 18, Dutch firm Eye Security detected large‑scale attacks, finding a stealthy web shell planted on at least 75 public‑facing SharePoint servers within hours(The Verge).

Who Is at Risk?

Only on‑premises SharePoint Server installations are affected—SharePoint Online (Microsoft 365) remains safe. Vulnerable versions include:

  • SharePoint Server 2019
  • SharePoint Server Subscription Edition
  • (Pending patch) SharePoint Server 2016

Any organization exposing these servers to untrusted networks—especially over the internet—is at immediate risk. Researchers estimate that over 9,300 SharePoint IPs are publicly accessible, though not all are necessarily vulnerable; at least 75 confirmed breaches have occurred in government, education, and energy sectors so far(The Times of India).

Potential Impact and Risks

Because CVE‑2025‑53770 requires no authentication, an attacker can:

  • Take full control of the SharePoint server and underlying Windows host, installing malware or stealing data at will(Axios)
  • Exfiltrate sensitive documents and collaboration data stored within SharePoint sites, including internal memos, financial reports, or intellectual property(The Washington Post)
  • Steal cryptographic machine keys (ValidationKey/DecryptionKey), enabling forged authentication tokens and persistent backdoor access even after reboot or patching
  • Move laterally into corporate networks by leveraging stolen credentials or exploiting integrations with Active Directory, Teams, OneDrive, and Outlook services

In several observed attacks, threat actors deployed a web shell (spinstall0.aspx) that siphoned machine keys and maintained stealthy access. Even after applying the July Patch Tuesday updates, compromised servers remained vulnerable to reinfection unless keys were rotated and proper defenses enabled.

Microsoft’s Response and Patch Status

On July 19, 2025, Microsoft published an advisory acknowledging active zero‑day exploitation of CVE‑2025‑53770 and confirmed that SharePoint Online is unaffected. The company released out‑of‑band emergency patches on July 20 for SharePoint Server 2019 and Subscription Edition, closing both CVE‑2025‑53770 and a related spoofing flaw (CVE‑2025‑53771). A patch for SharePoint Server 2016 is “in final testing” and expected imminently.

Microsoft credits Viettel Cyber Security and Trend Micro’s Zero Day Initiative for responsibly disclosing the underlying deserialization issues, and urges all on‑premises customers to apply updates immediately while monitoring the MSRC advisory for any new developments.

Immediate Mitigations

While deploying patches is the top priority, administrators should bolster defenses through multiple layers:

  1. Enable AMSI Integration: Ensure the Antimalware Scan Interface is active on all SharePoint servers to scan scripts and payloads before execution. With AMSI enabled and up‑to‑date antivirus (e.g., Microsoft Defender), the known exploit chain is blocked at runtime.
  2. Rotate ASP.NET Machine Keys: After patching, generate new ValidationKey and DecryptionKey values via PowerShell or Central Administration. This step invalidates any stolen keys and prevents forged authentication tokens from working.
  3. Inspect for Web Shells and IoCs: Look for suspicious .aspx files such as spinstall0.aspx in SharePoint directories, and review IIS logs for HTTP requests to /_layouts/15/ToolPane.aspx with Referer: /_layouts/SignOut.aspx—a hallmark of the exploit .
  4. Restrict Internet Exposure: If patching is delayed, temporarily remove SharePoint servers from internet‑facing networks or firewall them to trusted IP ranges only. Disconnected servers cannot be exploited remotely.
  5. Deploy Endpoint Detection and Response (EDR): Use tools like Microsoft Defender for Endpoint to catch post‑exploitation behavior—unexpected PowerShell commands, suspicious network connections, or local privilege escalations.

Best Practices for Ongoing Protection

  • Keep SharePoint Updated: Subscribe to Microsoft’s security notifications and apply patches within 24 hours of release.
  • Harden Configuration: Disable unused features, enforce least‑privilege service accounts, and audit SharePoint add‑ons or custom code.
  • Monitor Continuously: Implement SIEM rules to alert on anomalous SharePoint activity, such as file uploads to layout directories or unusual account logins.
  • Conduct Regular Pen Tests: Engage in vulnerability assessments and simulated attacks to uncover gaps before adversaries do.

Conclusion

The CVE‑2025‑53770 zero‑day vulnerability underscores how rapidly adversaries can weaponize even recently patched bugs. With critical severity and unauthenticated access, SharePoint servers worldwide face significant danger. Organizations running on‑premises SharePoint must treat this incident as an emergency: apply Microsoft’s July 20 patch, enable AMSI, rotate machine keys, and conduct thorough threat hunts for web shells. By acting swiftly and adopting a layered defense strategy, IT teams can neutralize this threat and safeguard their collaboration infrastructure against future attacks.