Microsoft SharePoint zero-day exploit (CVE-2025-53770)

written by: Tomasz Szałaj

On July 19, 2025, Microsoft published an advisory for CVE-2025-53770, a zero-day vulnerability in on-premises Microsoft SharePoint Server that allows unauthenticated remote code execution. It poses a serious threat to companies and institutions that store sensitive data on their own infrastructure. SharePoint Online (Microsoft 365) is not affected.

CVE-2025-53770 is a deserialization of untrusted data that can be reached without authentication, and it bypasses the fixes Microsoft shipped in the July 2025 security updates for CVE-2025-49704 (remote code execution) and CVE-2025-49706 (authentication bypass). Published at the same time was CVE-2025-53771, a patch bypass for the other member of the ToolShell chain (CVE-2025-49706), which lets an unauthenticated user access information without affecting service availability. Both original vulnerabilities, the unauthenticated access and the code execution, were demonstrated at Trend Micro's Zero Day Initiative Pwn2Own Berlin 2025; the new updates contain more robust protections than the original July fixes for them.

Attack mechanism

  • The attacker sends a crafted POST request to the endpoint /_layouts/*/ToolPane.aspx (in observed attacks with DisplayMode=Edit in the query string and a Referer header of /_layouts/SignOut.aspx, which triggers the authentication bypass); the request body is deserialized in the IIS worker process context.
  • After obtaining code execution, the attacker writes the webshell spinstall0.aspx to the SharePoint LAYOUTS directory (TEMPLATE\LAYOUTS under the web server extensions root).
  • The webshell reads the ASP.NET machine key configuration and returns the ValidationKey and DecryptionKey.
  • With the stolen ValidationKey the attackers can forge validly signed __VIEWSTATE payloads that the server deserializes, giving them persistent code execution that survives removal of the webshell and even installation of the patch, until the keys are rotated.
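The two network-visible stages of the chain above (the ToolPane.aspx POST with a SignOut.aspx Referer, and requests to the dropped spinstall0.aspx) leave traces in the IIS W3C logs. The following Python is an added example, not code from the original article or from Microsoft: it parses the default IIS log field layout, flags both patterns, and correlates them per client IP. The log lines are constructed for the example; the `spinstall\d*.aspx` pattern generalizes slightly beyond the single filename the article names.

```python
import re

# Constructed IIS W3C log excerpt (not a real capture). The #Fields line is the
# IIS default layout; IIS encodes spaces inside a field as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:15:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.4.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120
2025-07-18 10:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(compatible) /_layouts/SignOut.aspx 200 0 0 845
2025-07-18 10:15:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible) - 200 0 0 31
2025-07-18 10:16:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.4.21 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/ToolPane.aspx 200 0 0 400
"""

# ToolPane.aspx lives under a versioned _layouts path (e.g. /_layouts/15/).
TOOLPANE_RE = re.compile(r"^/_layouts/[^/]+/toolpane\.aspx$", re.IGNORECASE)
# The bypass Referer has been seen with and without the version segment.
SIGNOUT_RE = re.compile(r"/_layouts/(?:[^/]+/)?signout\.aspx$", re.IGNORECASE)
# spinstall0.aspx is the filename from the article; the \d* admits close variants.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the detection tags that apply to a single log entry."""
    tags = []
    method = entry.get("cs-method", "")
    path = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "")
    referer = entry.get("cs(Referer)", "")
    # A legitimate web part edit also POSTs to ToolPane.aspx, but its Referer is
    # the page being edited, not the sign-out page.
    if (method == "POST" and TOOLPANE_RE.match(path)
            and "displaymode=edit" in query.lower() and SIGNOUT_RE.search(referer)):
        tags.append("toolshell_auth_bypass")
    if WEBSHELL_RE.search(path):
        tags.append("spinstall_webshell")
    return tags


def scan(text):
    """Run classify() over every entry and return the flagged ones."""
    findings = []
    for e in parse_iis_w3c(text):
        for tag in classify(e):
            findings.append({
                "time": f"{e['date']} {e['time']}",
                "client": e["c-ip"],
                "method": e["cs-method"],
                "path": e["cs-uri-stem"],
                "referer": e["cs(Referer)"],
                "tag": tag,
            })
    return findings


def chained_clients(findings):
    """Client IPs that both hit the bypass and touched the webshell: the full chain."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["tag"])
    needed = {"toolshell_auth_bypass", "spinstall_webshell"}
    return sorted(c for c, tags in by_client.items() if needed <= tags)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['client']} {f['method']} {f['path']} referer={f['referer']} -> {f['tag']}")
    print("clients with full chain:", chained_clients(results))
```

Point the script at the real `u_ex*.log` files in the IIS log directory; the legitimate admin edit in the sample is deliberately left unflagged to show that the Referer, not the endpoint alone, is the discriminator.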

Vulnerable SharePoint Versions and Recommended Protective Actions

To protect against these vulnerabilities, immediately apply the latest security updates for all supported versions of SharePoint Server (2016, 2019 and Subscription Edition) and make sure Antimalware Scan Interface (AMSI) integration is enabled and properly configured, preferably in Full Mode, with Microsoft Defender Antivirus running on the SharePoint servers.

After installing the updates and enabling AMSI, rotate the ASP.NET machine keys (through Central Administration or the Update-SPMachineKey PowerShell cmdlet) and restart IIS with iisreset.exe on every SharePoint server, as described in the SharePoint documentation. This step is essential: keys stolen through the webshell remain valid after patching until they are rotated.
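The following Python is an added illustration, not code from the original article or from Microsoft, of why the key rotation above cannot be skipped: a __VIEWSTATE payload signed with the leaked ValidationKey still verifies after the webshell is deleted and the patch is installed, and stops verifying only when the key changes. The MAC is a simplified HMAC-SHA256 model, not the exact ASP.NET ViewState construction, and the key and payload are constructed values.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed stand-in for the ValidationKey the webshell read from the server.
LEAKED_VALIDATION_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90" * 4)
# Constructed stand-in for a serialized gadget chain; the content is irrelevant here.
GADGET_PAYLOAD = b"<serialized gadget chain placeholder>"


def sign_viewstate(payload: bytes, validation_key: bytes) -> bytes:
    """Append an HMAC-SHA256 over the payload and base64 the result, the way a
    server holding this key would emit a MAC-protected __VIEWSTATE value."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac)


def verify_viewstate(token: bytes, validation_key: bytes):
    """Return the payload the server would go on to deserialize, or None when the
    MAC does not verify under the current key (request rejected before deserialization)."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def rotate_machine_key() -> bytes:
    """Model of the machine key rotation step: a fresh random ValidationKey."""
    return secrets.token_bytes(64)


def post_exploitation_timeline():
    """Report whether the attacker's forged ViewState is accepted at each stage."""
    forged = sign_viewstate(GADGET_PAYLOAD, LEAKED_VALIDATION_KEY)
    # Stage 1: webshell removed, patch installed, key unchanged. The MAC check
    # cannot tell a forged token from a genuine one, so it is still accepted.
    accepted_before = verify_viewstate(forged, LEAKED_VALIDATION_KEY) == GADGET_PAYLOAD
    # Stage 2: machine key rotated (and IIS restarted). The same token now fails.
    new_key = rotate_machine_key()
    accepted_after = verify_viewstate(forged, new_key) is not None
    return {"accepted_before_rotation": accepted_before,
            "accepted_after_rotation": accepted_after}


if __name__ == "__main__":
    for stage, accepted in post_exploitation_timeline().items():
        print(f"{stage}: {'ACCEPTED' if accepted else 'rejected'}")
```

Rotation must be done on every server in the farm and followed by an IIS restart, otherwise worker processes keep using the old key in memory.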

If patching is not immediately possible, disconnect the affected SharePoint servers from the Internet or restrict access to them to an authenticated VPN or proxy.

The SharePoint versions affected by the vulnerability and their corresponding security updates are summarized below.

SharePoint version                        Build number        Security update
SharePoint Server Subscription Edition    16.0.18526.20508    KB5002768
SharePoint Server 2019                    16.0.10417.20037    KB5002754 (server) and KB5002753 (language pack)
SharePoint Enterprise Server 2016         16.0.5513.1001      KB5002760 (server) and KB5002759 (language pack)

Attacks exploiting CVE-2025-53770 vulnerability

The first attempts to exploit CVE-2025-53770 were reported as early as July 7, 2025, against government infrastructure in the US and Western Europe. Microsoft has officially confirmed active exploitation; so far more than 80 SharePoint installations have been confirmed compromised through the vulnerability, including a SharePoint farm belonging to the National Nuclear Security Administration, part of the US Department of Energy.

Researchers attributed the attack attempts to the Chinese state groups Linen Typhoon and Violet Typhoon and to the Storm-2603 actor, all of which used the ToolShell chain to gain unauthorized access.
