Home

Published

- 6 min read

Critical SharePoint Zero-Day Under Attack: Action Plan for CVE-2025-53770

By William OGOU
SharePoint Zero-Day CVE-2025-53770 RCE ToolShell SecOps Vulnerability Management
img of Critical SharePoint Zero-Day Under Attack: Action Plan for CVE-2025-53770

The security landscape is in high alert as a critical, actively exploited zero-day vulnerability in Microsoft SharePoint Server is being used in a sophisticated, fast-moving campaign dubbed “ToolShell.” Tracked as CVE-2025-53770, this flaw is a severe Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8, and it’s being chained with a second vulnerability, CVE-2025-53771 (a spoofing flaw), to achieve full system compromise on unpatched servers.

This is not a theoretical threat. According to extensive reporting from multiple security firms including Check Point, Bitdefender, and Mandiant, threat actors have been exploiting this vulnerability since at least July 7, 2025. They are actively targeting government, telecommunications, and software sectors across North America and Western Europe.

This is the CISO and SecOps guide to understanding the “ToolShell” threat, identifying your exposure, and executing an immediate, three-pronged action plan: Patch, Harden, and Hunt.

The Threat: What is the “ToolShell” Campaign?

The “ToolShell” campaign is a masterclass in attacker agility. The story begins in May at the Pwn2Own hacking contest, where researchers first demonstrated the original “ToolShell” exploit chain (CVE-2025-49704 and CVE-2025-49706). Microsoft dutifully patched these flaws in the July 2025 Patch Tuesday update.

However, attackers quickly reverse-engineered the patches and discovered two new vulnerabilities that bypass the original fixes. These are:

  • CVE-2025-53770 (CVSS 9.8): A critical RCE vulnerability that exploits a weakness in how SharePoint Server handles the deserialization of untrusted data, allowing for unauthenticated remote code execution.
  • CVE-2025-53771 (CVSS 6.5): A server spoofing vulnerability.

The attackers’ goal is not just to gain initial access. They are using this RCE to deploy a specialized webshell, spinstallo.aspx, a utility focused on reconnaissance and persistence. This webshell is designed to extract the host’s cryptographic MachineKey values, including the ValidationKey and DecryptionKey.

With these keys, an attacker can craft and sign malicious __VIEWSTATE payloads, forge authentication tokens, and maintain persistent, authenticated access across load-balanced SharePoint environments, even after the initial vulnerability is patched. This is a full system compromise, turning a SharePoint server into a persistent beachhead for lateral movement.

Are You Affected? The Checklist

This vulnerability impacts a wide range of currently supported on-premises SharePoint Server versions. You are at risk if you are running:

  • Microsoft SharePoint Server 2016 (Patch is still pending from Microsoft)
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

According to Censys data, there are over 9,700 on-premises SharePoint servers currently exposed online, representing a massive and lucrative target for these threat actors. SharePoint Online is not affected by this specific vulnerability.

The CISO’s Action Plan: Patch, Harden, Hunt

Your team must execute the following plan with urgency.

Part 1: PATCH NOW (The Emergency Fix)

Microsoft has released emergency, out-of-band security updates to address these vulnerabilities. This is your most critical and effective action.

For Microsoft SharePoint Server 2019:

  • Install update KB5002754.

For Microsoft SharePoint Subscription Edition:

  • Install update KB5002768.

CRITICAL WARNING for SharePoint 2016 Users: As of this writing, Microsoft is still working on the patches for SharePoint Enterprise Server 2016. If you are running this version, you are currently unprotected by a patch and must proceed immediately to the “Harden” and “Hunt” phases of this plan and be on high alert for the forthcoming update.

Part 2: HARDEN (Post-Patch Essentials)

Simply installing the patch is not enough. Microsoft explicitly urges all administrators to perform additional hardening steps to invalidate any credentials that may have been stolen before the patch was applied.

Action: Rotate SharePoint Machine Keys

This step is mandatory. Rotating the keys ensures that any previously stolen ValidationKey or DecryptionKey material becomes useless to the attackers.

Method 1: PowerShell (Recommended)

  • Execute the Update-SPMachineKey cmdlet on your SharePoint servers.

Method 2: Central Administration (GUI)

  • Navigate to your SharePoint Central Administration site.
  • Go to Monitoring -> Review job definition.
  • Find and select the job named Machine Key Rotation Job, then click Run Now.

Crucially, after the job completes, you must restart IIS on all SharePoint servers in the farm. This can be done from an administrative command prompt with iisreset.exe.

Part 3: HUNT (Find Signs of Compromise)

Because this vulnerability was exploited as a zero-day, you must assume that you may have already been compromised. It is essential to hunt for indicators of compromise (IOCs).

Action: Scan for the spinstallo.aspx Webshell

The primary indicator of a successful “ToolShell” exploitation is the creation of a malicious .aspx file.

File Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstallo.aspx

Microsoft 365 Defender Query: Microsoft has provided a specific Kusto Query Language (KQL) query to hunt for this file. Run this in your advanced hunting console to search for its creation across your devices:

   DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstallo.aspx" or FileName has "spinstallo"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

Action: Analyze IIS Logs

Search your IIS logs for a POST request with the following specific characteristics, which indicate an attempt to use the malicious file:

   URL: /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx

HTTP Referer: /_layouts/SignOut.aspx

If you find evidence of either the file or the suspicious log entry, you must assume a full system compromise and immediately trigger your incident response process. Isolate the server, begin a full forensic investigation, and hunt for lateral movement across your network.

Conclusion

The “ToolShell” campaign and its exploitation of CVE-2025-53770 represent a clear and present danger to thousands of organizations worldwide. This is a sophisticated and agile threat, leveraging a bypass of previous patches to achieve deep, persistent access.

The playbook for defenders is clear and has no room for delay: Patch your 2019 and Subscription Edition servers immediately. Harden all patched servers by rotating the machine keys. And Hunt across your entire environment for the specific indicators of compromise associated with this attack. In the face of an active, evolving zero-day threat, decisive action is the only viable course.

To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected].

CVE-2025-53770 & “ToolShell” FAQ

  • What is the “ToolShell” campaign? “ToolShell” is an active attack campaign that uses a chain of vulnerabilities, primarily the zero-day RCE CVE-2025-53770, to compromise on-premises Microsoft SharePoint servers.
  • What is the attacker’s main goal? The attacker’s primary objective is to deploy a webshell (spinstallo.aspx) to steal the server’s cryptographic machine keys. These keys allow them to forge authentication tokens and maintain long-term persistent access to the environment.
  • Is SharePoint 2016 affected? Yes, but Microsoft has not yet released the emergency patch for SharePoint 2016. Administrators of this version must be on high alert and rely on hunting for IOCs and other compensating controls until a patch is available.
  • Is rotating the machine keys really necessary after patching? Yes, it is a mandatory step. The patch prevents future exploitation, but it does not invalidate keys that may have already been stolen. Rotating the keys is the only way to ensure that any compromised credentials become useless.
  • How is CVE-2025-53770 different from the vulnerabilities patched in the July Patch Tuesday? CVE-2025-53770 and CVE-2025-53771 are considered bypasses or variants of the original “ToolShell” flaws (CVE-2025-49704 and CVE-2025-49706). The attackers analyzed the initial patches and found a new way to achieve the same objective, which is why Microsoft had to release these new, more robust emergency updates.

Relevant Resource List

  • Bleeping Computer: “Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks”
  • The Hacker News: “Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access”
  • Microsoft Security Response Center (MSRC) Guidance: msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

MSRC Vulnerability Guides:

CVE-2025-53770: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770

CVE-2025-53771: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771