July 23, 2025

Microsoft SharePoint On-Premise Vulnerability (CVE-2025-53770) Under Active Exploitation

Security Advisory
Kudelski Security Team

Summary

A critical zero-day vulnerability (now assigned CVE-2025-53770) has been identified in Microsoft SharePoint Server, affecting multiple on-premises versions.

The flaw allows unauthenticated remote code execution through a deserialization vulnerability in the ToolPane interface.

Attackers are currently exploiting the bug in the wild as part of a broader campaign targeting enterprise and government infrastructure.

This issue is a variant of the ToolShell exploit chain (CVE-2025-49706 and CVE-2025-49704), bypassing prior patches released in July 2025. It is currently being used to deploy web shells, extract MachineKey secrets, and maintain persistent access on compromised systems.

CVE ID: CVE-2025-53770

Severity: Critical (CVSS 9.8)

Status: Actively Exploited

Type: Unauthenticated Remote Code Execution via Deserialization

Affected Product: Microsoft SharePoint Server (on-premises)

Affected Systems

The following Microsoft SharePoint on-premises versions are impacted:

  • SharePoint Server 2016 builds earlier than 16.0.5508.1000 (KB5002760)
  • SharePoint Server 2019 builds earlier than 16.0.10417.20027 (KB5002754)
  • SharePoint Server Subscription Edition (SE) builds earlier than 16.0.18526.20424 (KB5002768)

Technical Details

CVE-2025-53770 is a .NET deserialization vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution. The flaw lies in the improper handling of serialized data sent to the /_layouts/15/ToolPane.aspx endpoint when accessed with a specially crafted HTTP request.

By sending a malicious HTTP POST request to this endpoint with a Referer header set to /_layouts/SignOut.aspx, the attacker can trigger vulnerable server-side logic that deserializes untrusted input.

The attacker injects a malformed .NET serialized object (typically crafted using tools like ysoserial.net) into the request body.

When this payload is deserialized by SharePoint’s backend components, it results in arbitrary code execution in the context of the SharePoint service account.

This vulnerability is a variant of the ToolShell exploit chain (CVE-2025-49704 and CVE-2025-49706), and it effectively bypasses Microsoft’s July 2025 security patches by exploiting a different logical path that relies on SignOut.aspx as a misleading Referer value.

Post-exploitation, attackers are observed:

  • Deploying web shells like spinstall0.aspx
  • Extracting ASP.NET MachineKey secrets, enabling long-term persistence or facilitating access resale (access brokerage).

Indicators of Compromise (IOCs)

File-based IOCs:

  • Presence of spinstall0.aspx in “\TEMPLATE\LAYOUTS\”
  • Unexpected .aspx or .ashx files in SharePoint virtual directories

Log-based IOCs:

  • POST requests to: /_layouts/15/ToolPane.aspx?DisplayMode=Edit with Referer: /_layouts/SignOut.aspx

Known Malicious IP Addresses:

  • 107.191.58[.]76
  • 104.238.159[.]149
  • 96.9.125[.]147

Defender AV/EDR Alerts:

  • Exploit:Script/SuspSignoutReq.A
  • Trojan:Win32/HijackSharePointServer.A
  • Possible web shell installation
  • Possible exploitation of SharePoint server vulnerabilities
  • Suspicious IIS worker process behavior
  • ‘SuspSignoutReq’ malware was blocked on a SharePoint server
  • ‘HijackSharePointServer’ malware was blocked on a SharePoint server
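The log-based and IP-based indicators above can be hunted for mechanically in IIS W3C logs. The following is an added example written for this advisory, not tooling from Kudelski Security or Microsoft. It assumes IIS extended logging with the cs(Referer) field enabled (the field list is read from the #Fields header, so other layouts also work), and the log lines it ships with are constructed samples, not real telemetry:

```python
"""Hunt IIS W3C logs for the CVE-2025-53770 request pattern (added example).

Assumes IIS W3C extended logging with cs(Referer) enabled; field order is
taken from the #Fields header rather than hard-coded.  SAMPLE_LOG below is a
constructed sample for demonstration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Indicators quoted in the advisory (defanged brackets removed)
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reasons: List[str]


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, row) for each data line, keyed by the latest #Fields header."""
    fields: Optional[List[str]] = None
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield no, dict(zip(fields, values))


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Flag ToolPane POSTs with the SignOut referer and traffic from known-bad IPs."""
    hits: List[Hit] = []
    for no, row in parse_w3c(lines):
        reasons: List[str] = []
        method = row.get("cs-method", "").upper()
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        referer = row.get("cs(Referer)", "-").lower()
        ip = row.get("c-ip", "-")
        # Log-based IOC from the advisory: POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit
        # with Referer /_layouts/SignOut.aspx.  IIS logs the full referer URL, so a
        # substring match is used.
        if method == "POST" and stem == TOOLPANE_PATH and "displaymode=edit" in query:
            if SIGNOUT_REFERER in referer:
                reasons.append("toolpane-post-signout-referer")
            else:
                reasons.append("toolpane-post-edit")  # legitimate page edits look like this too; weaker signal
        if ip in KNOWN_BAD_IPS:
            reasons.append("known-malicious-ip")
        if reasons:
            hits.append(Hit(no, ip, reasons))
    return hits


# Constructed sample log (not real data): one exploitation attempt from a listed
# IP, a follow-up fetch of the dropped web shell, and two benign requests.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.local/_layouts/SignOut.aspx 200 0 0 312
2025-07-19 02:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 25
2025-07-19 08:30:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\jdoe 10.0.1.44 Mozilla/5.0 https://sp.example.local/ 200 0 0 41
2025-07-19 08:31:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\admin 10.0.1.44 Mozilla/5.0 https://sp.example.local/sites/hr/_layouts/15/ToolPane.aspx 200 0 0 90
"""

if __name__ == "__main__":
    # Usage: hunt(open(r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log"))
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.client_ip} -> {', '.join(hit.reasons)}")
```

Run it over every W3SVC*/u_ex*.log covering the exploitation window; the strongest signal is a hit carrying both the SignOut-referer reason and a listed IP, while a bare "toolpane-post-edit" from an internal, authenticated user is usually an administrator editing a page and only needs a second look if the account or time is unexpected.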

Vulnerability Detection

The vulnerability can be identified with the following vulnerability scanner modules:

  • Qualys QID: 110501
  • Nessus Plugin ID: 242415

Mitigation & Recommendations

1. Apply Emergency Security Updates

Microsoft has released out-of-band patches:

  • SharePoint Server Subscription Edition: KB5002768

2. Enable/Verify AMSI & Defender Antivirus

  • Ensure that Antimalware Scan Interface (AMSI) is turned on.
  • Ensure an appropriate AV/EDR solution is deployed and running correctly.

3. Rotate ASP.NET MachineKeys

A guide published by Microsoft on rotating ASP.NET MachineKeys is available here: Improved ASP.NET view state security and key management – SharePoint Server | Microsoft Learn

4. Incident Detection and Response

  • Review IIS and ULS logs for activity matching above IOCs
  • Hunt for newly created files or suspicious modules loaded by the w3wp.exe process.
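For the file hunt in step 4 (and the file-based IOCs listed earlier), the following is an added example, not Kudelski Security or Microsoft tooling. It walks a LAYOUTS tree, flags spinstall0.aspx by name wherever it appears, and flags any other .aspx/.ashx file modified after a cutoff date. The LAYOUTS_ROOT default is an assumption about the standard hive location and should be checked on the host; the demo tree it builds is constructed in a temporary directory:

```python
"""Hunt a SharePoint LAYOUTS tree for dropped web shells (added example).

LAYOUTS_ROOT is the usual hive location and is an assumption; verify it on the
server.  demo() builds a constructed sample tree in a temp directory so the
routine can be exercised offline.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import List, Tuple

# Assumed default hive path for SharePoint 2016/2019/SE; adjust per installation.
LAYOUTS_ROOT = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
WEBSHELL_NAMES = {"spinstall0.aspx"}   # file-based IOC from the advisory
SCRIPT_EXTS = {".aspx", ".ashx"}        # handler types the advisory says to look for


def hunt_layouts(root: str, since: datetime) -> List[Tuple[str, str]]:
    """Return sorted (path, reason) pairs for files worth review under root.

    'known-webshell-name': file name matches spinstall0.aspx (any timestamp,
                           since a dropper can timestomp the file).
    'new-script-file':     .aspx/.ashx modified at or after `since`.
    Timestamps are only a triage aid; compare flagged files against a clean
    installation or the patch media before deciding they are benign.
    """
    cutoff = since.timestamp()
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() in WEBSHELL_NAMES:
                findings.append((str(p), "known-webshell-name"))
            elif p.suffix.lower() in SCRIPT_EXTS and p.stat().st_mtime >= cutoff:
                findings.append((str(p), "new-script-file"))
    return sorted(findings)


def build_demo_tree(root: str) -> None:
    """Create a constructed sample: one old legit page, one old web shell, one new handler."""
    now = time.time()
    old = now - 30 * 86400
    for name, mtime in (("default.aspx", old), ("spinstall0.aspx", old), ("upload.ashx", now)):
        path = os.path.join(root, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write("<%-- constructed sample file --%>\n")
        os.utime(path, (mtime, mtime))   # backdate so the cutoff logic is exercised


def demo() -> List[Tuple[str, str]]:
    """Run the hunt over the constructed tree; returns (file name, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        since = datetime.now(timezone.utc) - timedelta(days=7)
        return [(Path(p).name, reason) for p, reason in hunt_layouts(tmp, since)]


if __name__ == "__main__":
    # Usage on a real server: hunt_layouts(LAYOUTS_ROOT, datetime(2025, 7, 1, tzinfo=timezone.utc))
    for name, reason in demo():
        print(f"{reason}: {name}")
```

Choose the cutoff as the last date you are confident the server was clean (the July patch date is a reasonable floor), and run the same routine over the other web-accessible directories of each web application, since the advisory notes unexpected .aspx or .ashx files outside LAYOUTS as well.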

[UPDATE] – Proof-of-Concept (PoC) Released

A proof-of-concept (PoC) for CVE-2025-53770 is now publicly available, increasing the risk of widespread exploitation.

Indicators of compromise may be broader than those observed in the initial wave of attacks. Security teams should expand detection criteria and review historical telemetry for additional signs of compromise, including unusual child processes spawned by w3wp.exe, suspicious modules loaded, and unknown dropped files.

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring. Organizations should prioritize these measures to safeguard their on-premises SharePoint servers against potential threats.
