The above vulnerability allows the deserialization of untrusted data bypassing authentication, and allows an attacker to bypass fixes made in July security bulletins for vulnerabilities CVE-2025-49704 and CVE-2025-49706. CVE-2025-53771, a patch bypass for another vulnerability from the ToolShell chain (CVE-2025-49706), which allows an unauthenticated user to access information without affecting service availability, was published simultaneously. Both security vulnerabilities – for unauthorized access to data and unauthorized code execution – were disclosed at Trend Micro’s Zero Day Initiative Pwn2Own Berlin 2025, but the new patches contain more robust protections than their originals developed at that conference.

Attack mechanism

• The attacker sends a crafted POST request to the endpoint /_layouts/*/ToolPane.aspx which deserializes malicious objects in the IIS context.
• After obtaining code execution, the webshell spinstall0.aspx is installed in the Layouts directory.
• From the webshell, the ValidationKey and DecryptionKey cryptographic keys are extracted.
• Using the stolen keys, the attackers sign further requests to the server and fully take control of the server, regardless of the subsequent removal of the webshell.

Vulnerable SharePoint Versions and Recommended Protective Actions

To protect against vulnerabilities, immediately apply the latest patches for all supported versions of SharePoint Server 2016, 2019 and Subscription Edition and make sure Antimalware Scan Interface (AMSI) integration is enabled and properly configured, preferably in Full Mode with Microsoft Defender Antivirus on SharePoint servers.

After installing patches and running AMSI, it’s a good idea to rotate ASP.NET Machine Keys and restart IIS according to SharePoint documentation.

If it is not possible to patch immediately, disconnect SharePoint servers from the Internet or restrict traffic to an authenticated VPN/proxy.

The SharePoint versions affected by the vulnerability and their corresponding security updates are summarized below.

Attacks exploiting CVE-2025-53770 vulnerability

The first attempts to exploit the CVE-2025-53770 vulnerability were reported as early as July 7, 2025, against government infrastructure in the US and Western Europe. Microsoft has officially confirmed active attempts to exploit the vulnerabilities, so far more than 80 SharePoint installations have been confirmed infected using the vulnerability, including a SharePoint farm belonging to the National Nuclear Security Administration, part of the US government’s Department of Energy.

Researchers noted that Chinese state groups Linen Typhoon and Violet Typhoon and the Storm-2603 actor were involved in the attack attempts, using the ToolShell chain for unauthorized access.

The post Microsoft SharePoint zero-day exploit (CVE-2025-53770) appeared first on Engagy360.