On July 19, 2025, Microsoft confirmed active exploitation of a critical vulnerability in on-premises SharePoint Server, now tracked as CVE-2025-53770 and classified by Microsoft as deserialization of untrusted data. This zero-day flaw, dubbed “ToolShell” by researchers, allows attackers to execute arbitrary code remotely without authentication and, by stealing the server’s ASP.NET cryptographic keys, to keep that access even after the web shell is cleaned up and the server is patched.
SharePoint is a widely used collaboration platform, and this vulnerability sits in core components of the SharePoint web interface. Only on-premises deployments are affected; SharePoint Online in Microsoft 365 is not. As of July 21, emergency patches have been released for SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. If your environment includes on-prem SharePoint servers, treat this vulnerability as a priority, whether or not those servers are internet-facing.
What Is CVE-2025-53770?
CVE-2025-53770 is a remote code execution (RCE) vulnerability in Microsoft SharePoint Server. The attacker sends a specially crafted HTTP POST request to the ToolPane.aspx endpoint under /_layouts/15/, a page normally used by authenticated users to edit web part settings, with a Referer header pointing at SharePoint’s own SignOut.aspx page so that SharePoint skips its authentication check. SharePoint then deserializes the attacker-supplied web part data in the request body, and the resulting gadget chain runs arbitrary code on the server. The ViewState angle comes later: once the attacker holds the server’s machine keys, they can sign their own ViewState payloads and re-exploit the same deserialization path at will.
This exploit does not require prior authentication. A successful attack gives the adversary the ability to upload files, run PowerShell commands, steal cryptographic secrets, or establish persistent access to the server.
In many observed cases, the attackers drop a malicious web shell called spinstall0.aspx inside SharePoint’s \LAYOUTS\ directory. Rather than a general-purpose shell, its job is to read the server’s ASP.NET machine keys (the validationKey and decryptionKey) and return them to the attacker. These are the cryptographic values that sign and encrypt ViewState, forms-authentication cookies, and other ASP.NET tokens, which is why possessing them is as good as a backdoor.
What Can an Attacker Do?
Once CVE-2025-53770 is exploited successfully, an attacker can:
- Upload a web shell to the SharePoint server
- Steal ASP.NET machine keys used for signing and decrypting ViewState and authentication tokens
- Execute arbitrary code as the SharePoint worker process (w3wp.exe)
- Forge validly signed ViewState with the stolen validationKey, turning any later request into a fresh code execution that needs no web shell on disk
- Persist access even after the web shell is removed, by reusing stolen machine keys
- Move laterally to other systems in the environment
Because this vulnerability can be exploited without user interaction, it is particularly dangerous in environments with internet-facing SharePoint servers.
Mitigations
1. Apply the Official Microsoft Patch
Microsoft has released out-of-band patches for the following editions:
- SharePoint Subscription Edition – KB5002768
- SharePoint Server 2019 – KB5002754
- SharePoint Server 2016 – KB5002745
Install the patch immediately, even if you have already applied the regular July 2025 security updates: the earlier July fixes for CVE-2025-49704 and CVE-2025-49706 were bypassed by the ToolShell chain, and the out-of-band releases supersede them with more robust protections. Patching alone is not enough, however, because it does nothing about machine keys that were already stolen; that is what step 2 addresses.
2. Rotate ASP.NET Machine Keys
After applying the patch, it is essential to rotate the ASP.NET machine keys (validationKey and decryptionKey) for every SharePoint web application. They live in the web.config of each IIS site that SharePoint manages, typically under:
C:\inetpub\wwwroot\wss\VirtualDirectories\[port]\web.config
Do not hand-edit those files: SharePoint owns them and keeps them consistent across the farm. Use the supported path instead: run the Update-SPMachineKey cmdlet from the SharePoint Management Shell, or in Central Administration go to Monitoring > Review job definitions > Machine Key Rotation Job > Run Now. Then restart IIS on every SharePoint server in the farm so the worker processes load the new keys:
iisreset
Until both steps are done, a fully patched server still accepts ViewState and authentication tokens forged with the stolen keys. Expect forms-based authentication cookies issued before the rotation to become invalid, so users on those sites will sign in again.
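The rotation and its verification as a script, written here as an added example rather than Microsoft’s or CyberMaxx’s own tooling. It covers the content web applications returned by Get-SPWebApplication (add -IncludeCentralAdministration if you want the Central Administration site handled in the same pass), records a fingerprint of each site’s keys rather than the keys themselves so the change can be evidenced without logging secrets, and assumes an elevated SharePoint Management Shell on a farm server.

```powershell
# Added example (not Microsoft's or CyberMaxx's script): rotate the ASP.NET machine keys of
# every content web application after patching, prove the rotation with before/after
# fingerprints, then restart IIS. Run in an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    # First 16 hex chars of SHA-256(validationKey|decryptionKey): enough to show a change,
    # safe to put in a ticket. The raw keys are never written anywhere.
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) { return 'no-machineKey-element' }
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
}

function Get-WebAppConfigPaths {
    # One IIS site, and therefore one web.config, per zone of the web application,
    # e.g. C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config
    param([Parameter(Mandatory)]$WebApplication)
    foreach ($iis in $WebApplication.IisSettings.Values) { Join-Path $iis.Path.FullName 'web.config' }
}

$before = @{}
foreach ($wa in Get-SPWebApplication) {
    foreach ($p in Get-WebAppConfigPaths $wa) { $before[$p] = Get-MachineKeyFingerprint $p }
    # Supported rotation path; same effect as Central Administration > Monitoring >
    # Review job definitions > Machine Key Rotation Job > Run Now.
    Update-SPMachineKey -WebApplication $wa
}

function Test-MachineKeyRotated {
    # If the farm applies the new keys through its timer job rather than inline, the
    # web.config on each server can lag the cmdlet; re-run until every row is Rotated = True.
    foreach ($wa in Get-SPWebApplication) {
        foreach ($p in Get-WebAppConfigPaths $wa) {
            $after = Get-MachineKeyFingerprint $p
            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                WebConfig      = $p
                Before         = $before[$p]
                After          = $after
                Rotated        = ($before[$p] -ne $after)
            }
        }
    }
}
Test-MachineKeyRotated | Format-Table -AutoSize

# The new keys are only used once the worker processes restart. Run this on every
# SharePoint server in the farm (Get-SPServer lists them); until then a stolen key
# still validates ViewState against that server.
iisreset
```

Keep the Before/After table with the incident record: it is the evidence that the stolen keys were retired, and it contains nothing an attacker could reuse.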
3. Enable AMSI and Defender Antivirus
Microsoft recommends configuring Antimalware Scan Interface (AMSI) integration for SharePoint and running Microsoft Defender Antivirus (or another AMSI-capable engine) in active mode on every SharePoint server, so that request bodies carrying serialized payloads are inspected before SharePoint processes them. AMSI integration is enabled by default on servers running the September 2023 security update (SharePoint 2016 and 2019) or Version 23H2 (Subscription Edition); if it cannot be enabled, Microsoft’s guidance is to disconnect the server from the internet until it is patched. AMSI is a detection layer, not a fix: it does not remove the need to patch and rotate keys.
Indicators and Threat Hunting
If you suspect compromise or want to validate that no exploitation occurred, look for the following indicators of compromise (IOCs).
Network Requests
Look for POST requests to:
- /_layouts/15/ToolPane.aspx?DisplayMode=Edit
Known IPs
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
File Artifacts
- Presence of spinstall0.aspx under:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
- Any newly created .aspx files in the \LAYOUTS\ directory
IIS Log Patterns
- POST requests to /sites/*/_layouts/15/ToolPane.aspx
- Suspicious Referer headers like /sites/*/_layouts/SignOut.aspx
- GET requests to spinstall0.aspx with long Base64 parameters
Process Tree Anomalies
- w3wp.exe spawning powershell.exe, cmd.exe, or other unusual child processes
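A hunt for the IIS log, file and process-tree indicators listed above, as an added example that is not CyberMaxx’s or Microsoft’s tooling. The IIS portion runs against constructed sample lines embedded in the script (not a real capture; the request shapes and client IPs mirror the IOCs above), and its real-world input is the W3C logs under C:\inetpub\logs\LogFiles. The file check walks the LAYOUTS directory named above, and the process-tree check reads Security event 4688, which requires process creation auditing; the 14-day lookback is an assumption, not a figure from the advisory.

```powershell
# Added example (not CyberMaxx's or Microsoft's tooling): hunt for the ToolShell
# indicators in IIS W3C logs, the LAYOUTS directory, and process creation events.

$KnownBadIPs = @('107.191.58.76', '104.238.159.149', '96.9.125.147')   # IOC list above

function ConvertFrom-IisW3cLog {
    # Turns W3C-format IIS log lines into objects keyed by the #Fields: header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line: skip, do not guess
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Find-ToolShellRequests {
    # Flags each request that matches one or more of the network indicators above.
    param([string[]]$Lines)
    foreach ($e in ConvertFrom-IisW3cLog -Lines $Lines) {
        $reasons = @()
        if ($e.'cs-method' -eq 'POST' -and $e.'cs-uri-stem' -like '*/_layouts/15/ToolPane.aspx' -and
            $e.'cs-uri-query' -match '(?i)DisplayMode=Edit') { $reasons += 'POST ToolPane.aspx?DisplayMode=Edit' }
        if ($e.'cs(Referer)' -like '*/_layouts/SignOut.aspx*') { $reasons += 'Referer /_layouts/SignOut.aspx' }
        if ($e.'cs-uri-stem' -like '*/spinstall0.aspx')         { $reasons += 'spinstall0.aspx web shell' }
        if ($KnownBadIPs -contains $e.'c-ip')                   { $reasons += 'known attacker IP' }
        if ($reasons.Count -gt 0) {
            $query = if ($e.'cs-uri-query' -ne '-') { '?' + $e.'cs-uri-query' } else { '' }
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIP = $e.'c-ip'
                Request  = "$($e.'cs-method') $($e.'cs-uri-stem')$query"
                Status   = $e.'sc-status'
                Reasons  = $reasons -join '; '
            }
        }
    }
}

function Find-SuspiciousLayoutsFiles {
    # LAYOUTS legitimately holds many .aspx files, so look for the known shell name
    # and for anything created inside the window of interest.
    param(
        [string]$LayoutsPath = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        [datetime]$Since = (Get-Date).AddDays(-14)   # assumption: adjust to your exposure window
    )
    if (-not (Test-Path -LiteralPath $LayoutsPath)) { return }
    Get-ChildItem -LiteralPath $LayoutsPath -Filter *.aspx -File -Recurse |
        Where-Object { $_.Name -eq 'spinstall0.aspx' -or $_.CreationTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Find-W3wpChildProcesses {
    # Every child of w3wp.exe, with shells called out. Needs Security event 4688
    # (process creation auditing); Sysmon event 1 carries the same parent/child fields.
    param([datetime]$Since = (Get-Date).AddDays(-14))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ParentProcessName'] -like '*\w3wp.exe') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Child       = $data['NewProcessName']
                    CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
                    Shell       = [bool]($data['NewProcessName'] -match '\\(cmd|powershell|pwsh)\.exe$')
                }
            }
        }
}

# Constructed sample log (not a real capture); one benign request, then the exploit POST
# and the follow-up web shell fetch from one of the listed IPs.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:58:10 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 118
2025-07-18 22:16:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 845
2025-07-18 22:17:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 33
'@ -split "`r?`n"

Find-ToolShellRequests -Lines $sampleLog | Format-Table -AutoSize
# Real hunt: Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#   ForEach-Object { Find-ToolShellRequests -Lines (Get-Content -LiteralPath $_.FullName) }
Find-SuspiciousLayoutsFiles | Format-Table -AutoSize
Find-W3wpChildProcesses     | Format-Table -AutoSize
```

Treat a hit on the ToolPane.aspx pattern with a SignOut.aspx Referer as exploitation attempted, and a 200 on spinstall0.aspx as keys likely exfiltrated; the latter means key rotation is mandatory, not optional, regardless of whether the shell is still on disk.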
Conclusion
CVE-2025-53770 is a serious and actively exploited vulnerability that affects all modern on-prem SharePoint deployments. Even if your servers are not publicly accessible, an attacker with internal access could exploit this flaw to gain full control.
Apply the latest patches from Microsoft, rotate your machine keys, and carefully review your logs for signs of compromise. If you detect any suspicious activity, consider isolating affected systems and initiating a full incident response. Consult your security provider for further information on incident response.
The CyberMaxx team are continuing to monitor for changes and will provide further information as it becomes available.
Further Reading
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/