Critical SharePoint RCE (CVE-2025-53770) • William OGOU Cybersecurity Blog

A critical, actively exploited zero-day vulnerability has been discovered in Microsoft SharePoint Server, and security teams need to act immediately. Tracked as CVE-2025-53770, this flaw is a Remote Code Execution (RCE) vulnerability with a CVSS score of 9.9 (Critical).

What makes this particularly dangerous is that it allows an authenticated attacker with relatively low-level permissions to achieve a full system compromise, executing arbitrary code with the high privileges of the SharePoint server farm account.

This isn’t a theoretical threat. According to reports, CVE-2025-53770 is already being exploited in the wild.

What is CVE-2025-53770? The Plain English Explanation

In simple terms, CVE-2025-53770 is an OS command injection vulnerability in a common SharePoint JavaScript component called Doc.View.js. It allows an attacker who is authenticated to your SharePoint environment and has permissions to create pages and sites to craft a malicious SharePoint page. When this page is processed by the server, the flaw allows the attacker to inject and execute commands directly on the underlying operating system.

The result is a complete server takeover. The attacker can steal data, install backdoors like web shells, disable security controls, and use the compromised SharePoint server as a beachhead to move laterally across your network.

The Attack Path: How a Low-Privilege User Gets the Keys to the Kingdom

The elegance and danger of this attack lie in its simplicity and its abuse of a seemingly benign permission set.

Initial Access: The attacker needs valid credentials to an account in your SharePoint environment. This can be any user, not necessarily an administrator.
Required Permissions: The authenticated attacker needs permissions for “Page and Site Creation.” In many organizations, these permissions are granted to a wide range of users to facilitate collaboration, making this a commonly available entry point.
Exploitation: The attacker uses their permissions to create a new, specially crafted page on the SharePoint site.
Command Injection: This malicious page contains a payload that targets the vulnerability in the Doc.View.js component, allowing the attacker to inject OS commands.
Execution and Compromise: The SharePoint server processes the page and executes the injected command with the privileges of the SharePoint application pool and the server farm account—often a highly privileged account in Active Directory.

This is the nightmare scenario for any security team: a low-privilege user leveraging a common feature to achieve a silent, full-system takeover.

Are You Affected? The Checklist

This vulnerability impacts a wide range of currently supported SharePoint Server versions. You are at risk if you are running:

Microsoft SharePoint Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition

SharePoint Online is not affected by this specific vulnerability.

The Action Plan: Mitigation and Remediation

Your team needs to take immediate action. Here is a clear, prioritized plan.

The Two-Phase Action Plan: Patching and Post-Patch Verification

Given the active, in-the-wild exploitation of the “ToolShell” zero-day vulnerabilities, Microsoft has taken the rare step of releasing emergency, out-of-band security updates. This underscores the severity of the threat. For SecOps teams, the response must be equally swift and methodical. The plan involves two critical phases: immediate patching to close the vulnerability and post-patch actions to harden the environment and hunt for any signs of prior compromise.

Phase 1: Deploy the Emergency Patches (Immediate Priority)

The primary and most effective solution is to deploy the security updates released by Microsoft. These updates provide robust protections that supersede the initial fixes from the July Patch Tuesday, which threat actors were able to bypass.

Action: Install the following security updates immediately based on your SharePoint version:

For Microsoft SharePoint Server 2019:
- Install update KB5002754.
For Microsoft SharePoint Subscription Edition:
- Install update KB5002768.

Critical Note for SharePoint 2016 Users: As of the release of these emergency updates, Microsoft is still working on the patches for SharePoint Enterprise Server 2016. Teams managing this version must be on high alert and prepare for immediate deployment once the update becomes available.

Phase 2: Post-Patch Hardening and Hunting for Compromise

Installing the patch is the first step, but it is not the last. Due to the nature of the vulnerability, Microsoft explicitly urges all administrators to perform additional hardening and verification steps after the updates are installed.

Step 2.1: Rotate SharePoint Machine Keys

To invalidate any keys that may have been compromised during an attack, you must rotate the SharePoint machine keys. This can be done via two methods:

Via PowerShell (Recommended): Use the Update-SPMachineKey cmdlet. This is the most direct method.
Via Central Administration (GUI):
1. Navigate to your SharePoint Central Administration site.
2. Go to Monitoring -> Review job definition.
3. Find the job named Machine Key Rotation Job and select Run Now.
4. After the job completes, you must restart IIS on all SharePoint servers in the farm by running iisreset.exe from an administrative command prompt.

Step 2.2: Hunt for Indicators of Compromise (IOCs)

Because these flaws were exploited as zero-days, it is crucial to analyze your logs and file systems for evidence of exploitation before you patched.

Check for Malicious File Creation: The attack creates a specific .aspx file in a SharePoint layouts directory. Look for the existence of the following file: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstallo.aspx
Analyze IIS Logs: Search your IIS logs for a POST request with the following specific characteristics, which indicate an attempt to use the malicious file:
- URL: _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
- HTTP Referer: _layouts/SignOut.aspx

2. Temporary Mitigation

If you have a legitimate business reason that prevents immediate patching (e.g., change control windows, operational dependencies), Microsoft has provided a temporary mitigation.

Rotate ASP.NET MachineKey values (ValidationKey and DecryptionKey) on all SharePoint servers.

After rotating keys, restart IIS services to apply the changes.
Enable AMSI integration and ensure Defender Antivirus is installed and up to date.
Use Microsoft Defender for Endpoint or a similar EDR tool for endpoint visibility.
If AMSI can’t be enabled, disconnect affected servers from the internet.
Disable __VIEWSTATE wherever it’s not required for application functionality.
Inspect SharePoint server directories for suspicious .aspx files or unknown scripts.
Review logs for unusual HTTP requests, especially targeting /ToolPane.aspx.
Launch a full incident response, including identity access reviews and detection of lateral movement

This should only be done with a full understanding of the operational impact and with a clear, imminent plan to patch and re-enable the feature.

3. Detection and Hunting: Finding Signs of Compromise

Whether you’ve patched or not, it’s crucial to hunt for signs of potential compromise.

Monitor Page and Site Creation: Scrutinize audit logs for any unusual or unexpected page/site creation events, especially by users who do not typically perform these actions.
Watch for Anomalous Processes: Monitor your SharePoint servers for anomalous child processes being spawned by the SharePoint process (w3wp.exe for IIS). The appearance of processes like cmd.exe, powershell.exe, or any unusual binaries is a major red flag.
Review Network Traffic: Look for unexpected outbound network connections from your SharePoint servers, which could indicate a C2 channel for a web shell or backdoor.
Leverage Vulnerability Scanning: Use vulnerability management tools that have detection plugins for CVE-2025-53770 to continuously scan your environment and confirm that your patches have been successfully applied.

Conclusion: Act Now, Before You’re a Headline

CVE-2025-53770 is a perfect storm: a critical RCE, active zero-day exploitation, and a common, low-privilege entry point. It’s a stark reminder that even well-established, internal-facing applications like SharePoint can present a massive risk if not diligently maintained and monitored.

Hunt for signs of compromise in your logs and process activity. In the current threat landscape, there is no room for delay.

To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected].

CVE-2025-53770 FAQ for SecOps

What is CVE-2025-53770? It is a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server that allows an authenticated attacker with page creation permissions to take over the server.
Is this vulnerability being exploited in the wild? Yes. Multiple sources confirm that CVE-2025-53770 is being actively exploited as a zero-day vulnerability.
Does an attacker need to be an administrator to exploit it? No. This is what makes it so dangerous. An attacker only needs to be an authenticated user with permissions to create pages and sites, which are commonly assigned in many organizations.
What is the immediate fix? The only permanent fix is to install the security patches released by Microsoft for your version of SharePoint Server as soon as possible.
What if I can’t patch immediately? Microsoft has provided a temporary mitigation: disabling the “SharePoint Server Publishing Infrastructure” feature. However, this will cause a significant loss of functionality and should only be used as a short-term measure while you prepare to patch.

Relevant Resource List

Microsoft Security Response Center (MSRC): “Customer Guidance for SharePoint Vulnerability CVE-2025-53770”
The Hacker News: “Critical Microsoft SharePoint Flaw Under Active Exploitation - Patch Immediately”
Wiz Vulnerability Database: “CVE-2025-53770”
SOCRadar : https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
NVD: “CVE-2025-53770 Detail”