In-The-Wild Exploitation of CVE-2025-53770 and CVE-2025-53771: Technical Details and Mitigation Strategies

Two critical zero-day vulnerabilities in the Microsoft SharePoint Server environment, CVE-2025-53770 (9.8 CVSS score) and CVE-2025-53771 (6.5 CVSS score), are being actively exploited by threat actors to compromise vulnerable on-premises SharePoint servers.

The two new vulnerabilities are part of a complex attack chain dubbed “ToolShell”, which grants threat actors access to unpatched SharePoint servers’ content and the ability to execute code over the network. It’s important to note that these vulnerabilities only affect vulnerable on-premises instances of Microsoft SharePoint Server 2016, 2019, and Subscription Edition and do not affect SharePoint Online.

CVE-2025-53770 and CVE-2025-53771 are evolved iterations of two vulnerabilities, CVE-2025-49704 (a remote code execution or RCE vulnerability) and CVE-2025-49706 (a network spoofing vulnerability), which were disclosed during the Pwn2Own event held in Berlin last year. Microsoft has released patches for the original vulnerabilities in its July 2025 Security Updates, however, further exploitation of the vulnerabilities precipitated the release of more comprehensive fixes.

In its threat intelligence blog published on July 22, Microsoft shared that it has observed two China-based nation-state actors exploiting the pair of vulnerabilities to compromise internet-connected SharePoint servers, namely Linen Typhoon and Violet Typhoon. The company also observed Storm-2603, another threat actor based in China, exploiting the vulnerabilities.

Microsoft is currently investigating other threat actors abusing these bugs and believes they will continue to be integrated into more SharePoint attacks. According to the Washington Post, the vulnerabilities are being used in attacks targeting government agencies, universities, energy companies, and an Asian telecommunications company.

Technical Details

The ToolShell attack chain involves the following vulnerabilities:

• CVE-2025-49704: A vulnerability in the generation of dynamic code, which may allow RCE when improperly validated.
• CVE-2025-49706: An authentication-related flaw that can enable spoofing of user identity or role.
• CVE-2025-53770: A deserialization vulnerability allowing unauthenticated RCE through manipulated ViewState
• CVE-2025-53771: A path traversal vulnerability that permits the attacker to place files outside of restricted directories.

It should be noted that depending on a SharePoint environment’s configuration and its level of exposure, these vulnerabilities can be exploited independently or in combination with one another. These SharePoint vulnerabilities impact legacy components relying on ASP.NET ViewState for server-side state management.

Threat actors look for endpoints that process ViewState and allow unauthenticated access in vulnerable deployments. Based on reports, specific paths have been observed in application pages under /layouts/, which are accessible without user validation. Threat actors create malformed POST requests to add encoded ViewState payloads in the __VIEWSTATE parameter, which are often signed using keys retrieved from memory or misconfigured files.

During page rendering, deserialization is triggered, and .NET gadget chains built using known techniques. ViewState payloads then invoke cmd.exe or powershell.exe with encoded instructions.

When deserialization is successful, a malicious ASPX web shell (spinstall0.aspx) is uploaded to the server that is typically reserved for shared components. This web shell allows malicious actors to gain persistent access to the environment via HTTP and perform RCE by generating malicious ViewState tokens that SharePoint accepts as legitimate. It also supports credential theft by extracting the server’s MachineKey configuration, including critical cryptographic secrets such as ValidationKey and DecryptionKey.

Threat actors have also been observed modifying scheduled jobs and creating privileged service accounts in some affected environments.

Mitigation

Organizations with on-premises Microsoft Server environments should adopt the following mitigation measures to prevent operational disruptions and keep their systems secure:

• Immediate Patching: Apply the security updates released by Microsoft for affected SharePoint Server versions. Prioritize patching all SharePoint environments, including test, development, and production servers. Customers using SharePoint Subscription Edition should apply the security update provided in KB5002768 to mitigate the vulnerability.
  • Customers using SharePoint Server Subscription should install the latest update.
    • Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768)
  • Customers using SharePoint Server 2016 or 2019 should apply the latest security updates as per Microsoft’s guidance:
    • For critical zero-day mitigation, SharePoint Server 2019 customers should apply the emergency security update KB5002754 (out-of-band patch).
    • Additionally, apply the latest cumulative security update for SharePoint Server 2019: KB5002741.
  • For SharePoint Server 2016, customers should install both updates:
    • Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760)
    • Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759)
  • • Machine key rotation can be performed manually via PowerShell using the Update-SPMachineKey
    • Alternatively, trigger the Machine Key Rotation timer job in SharePoint Central Administration by navigating to Monitoring > Review job definitions, searching for the “Machine Key Rotation Job,” and selecting “Run Now.”
    • After rotation, restart IIS on all servers using exe. Cryptographic Key Rotation: Since attackers can steal SharePoint’s MachineKey configuration (including ValidationKey and DecryptionKey), simply applying patches is insufficient. It is critical to rotate all SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers to invalidate any forged or maliciously crafted ViewState

    Dedicated to hunting and eradicating the world’s most challenging threats.
    

    SpiderLabs
    • If AMSI cannot be enabled, key rotation must be done after installing the security update.
  • Enable and Harden Antimalware Scan Interface (AMSI) and Endpoint Protection: Configure AMSI integration in SharePoint and enable “Full Mode” for optimal protection. Deploy Microsoft Defender Antivirus or equivalent antimalware solutions on all SharePoint servers.
    • AMSI integration has been enabled by default starting with the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Subscription Edition.
    • If AMSI cannot be enabled, consider disconnecting affected SharePoint servers from the Internet until the update can be applied.
  • Network Segmentation and Isolation: Isolate SharePoint servers in segmented network zones with restricted access to reduce the risk of lateral movement if compromised.
    • Use firewall rules and network security groups to limit inbound and outbound connections strictly to essential services and block known malicious IP addresses associated with exploitation campaigns.

Indicators of Compromise (IoCs)

Table 1. Verified public IOCs associated with the exploitation of Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025- 53770, aka ToolShell)