Overview
On Saturday July 19, 2025, Microsoft released an advisory for CVE-2025-53770, a critical Remote Code Execution (RCE) vulnerability affecting on-premises SharePoint servers. This vulnerability was exploited in the wild as a zero-day by an unknown threat actor prior to the disclosure from Microsoft. The vulnerability is described as an unauthenticated deserialization of untrusted data issue and has a CVSS base score of 9.8 (Critical).
This vulnerability is being used in widespread, aggressive campaigns to achieve RCE, establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens. This campaign is not opportunistic - it is deliberate, capable, and designed for persistence even after patching. Rapid7 has observed active exploitation in customer environments and is sharing indicators of compromise and detection guidance to help defenders respond quickly.
Microsoft has described CVE-2025-53770 as being related to a previous vulnerability, CVE-2025-49704. CVE-2025-49704 was patched in July 2025. It appears that the new vulnerability, CVE-2025-53770, is a patch bypass. Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more “robust protections” than the July update for the previous vulnerability CVE-2025-49704.
Microsoft has also released an advisory for a second new vulnerability, CVE-2025-53771. It is currently unclear whether this second vulnerability is also being exploited in the wild as part of an exploit chain with CVE-2025-53770. Microsoft has indicated that the patches for CVE-2025-53771 also include more “robust protections” than the July update for another previous vulnerability, CVE-2025-49706.
To understand why the two new vulnerabilities CVE-2025-53770 and CVE-2025-53771 are related to two previous vulnerabilities CVE-2025-49704 and CVE-2025-49706, we must clarify what those older vulnerabilities are.
The previous vulnerability, CVE-2025-49704, was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May of 2025. During the competition, Viettel Cyber Security chained together two vulnerabilities: an authentication bypass (CVE-2025-49706) and a deserialization of untrusted data vulnerability (CVE-2025-49704), to achieve unauthenticated RCE. The Pwn2Own exploit chain from May 2025 was dubbed “ToolShell”. The new vulnerability, CVE-2025-53770, currently being exploited in the wild appears to be a patch bypass for CVE-2025-49704. It also appears that CVE-2025-53771 is a patch bypass for CVE-2025-49706; however, Microsoft has indicated that CVE-2025-53771 has not been exploited in the wild.
On Sunday July 20, 2025, CISA added CVE-2025-53770 to the Known Exploited Vulnerabilities (KEV) catalog.
Mitigation guidance
The vendor has begun to supply patches for affected SharePoint editions. Customers are advised to follow the vendor guidance and remediate this vulnerability by upgrading to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur.
- Microsoft SharePoint Server Subscription Edition is fixed in build 16.0.18526.20508 (KB5002768).
- Microsoft SharePoint Server 2019 is fixed in build 16.0.10417.20037 (KB5002754).
- Microsoft SharePoint Enterprise Server 2016 is fixed in build 16.0.5513.1001 (KB5002760).
For the latest mitigation guidance, please refer to the vendor advisory.
In addition to applying available mitigations, organizations should:
- Conduct a compromise assessment, especially if SharePoint is exposed externally.
- Rotate cryptographic keys (e.g., ValidationKey, DecryptionKey) once mitigations are applied.
- Monitor for anomalous behavior on SharePoint servers and investigate any unauthorized ASPX file activity.
Rapid7 customers
MDR
Rapid7 MDR is actively detecting this activity via behavioral analytics. One effective high-confidence detection involves process chains spawned from the IIS worker process.
In particular: w3wp.exe ➝ cmd.exe ➝ powershell.exe -EncodedCommand
This pattern is not normal for SharePoint servers, should be treated as indicative of compromise, and has proven effective in detecting exploitation attempts of CVE-2025-53770.
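The process-chain detection described above, as an added example that is not Rapid7's own detection logic: it walks constructed process-creation events (Sysmon Event ID 1 style fields, not real telemetry) and reports every powershell.exe launched with an encoded command whose parent is cmd.exe and whose grandparent is the IIS worker process w3wp.exe. The event field names and the sample records are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events, not real telemetry.
# pids 100 -> 200 -> 300 form the chain the post describes;
# pids 400 -> 500 are a benign admin running PowerShell from explorer.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'w3wp.exe -ap "SharePoint - 80"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
]

# -EncodedCommand is the flag named in the post; PowerShell also accepts the
# unambiguous prefixes -enc, -ec and -e, so those spellings are matched too.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)(?:\s|$)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_w3wp_chains(events: List[dict]) -> List[List[str]]:
    """Return every w3wp.exe -> cmd.exe -> powershell.exe (encoded command) chain."""
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}
    hits: List[List[str]] = []
    for ev in events:
        if image_name(ev["image"]) != "powershell.exe" or not ENCODED_FLAG.search(ev["cmdline"]):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or image_name(parent["image"]) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is None or image_name(grandparent["image"]) != "w3wp.exe":
            continue
        hits.append([image_name(grandparent["image"]), image_name(parent["image"]),
                     image_name(ev["image"])])
    return hits


if __name__ == "__main__":
    for chain in find_w3wp_chains(SAMPLE_EVENTS):
        print("ALERT: " + " -> ".join(chain))
```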
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-53770, including indicators of compromise (IOCs), YARA rules and emerging TTPs.
InsightVM and Nexpose
InsightVM and Nexpose customers can assess exposure to CVE-2025-53770 and CVE-2025-53771 with authenticated checks available in the July 21 content release. Authenticated checks for CVE-2025-49704 and CVE-2025-49706 have been available since the July 8 content release.
Technical details
The exploit chain demonstrates a dangerous evolution in SharePoint exploitation techniques, blending old deserialization tricks with new methods of persistence and privilege escalation.
Initial access begins with a specially crafted POST request to the vulnerable SharePoint endpoint: /_layouts/*/ToolPane.aspx
This request leverages the way SharePoint renders controls on the page, ultimately coercing the server into executing embedded PowerShell commands. Once the attacker achieves execution, a malicious web shell named spinstall0.aspx is deployed to the server’s layouts directory.
But this is just the foothold. What follows is a more sophisticated move: the attacker issues a GET request to their web shell and extracts the ValidationKey and DecryptionKey from the SharePoint server. These cryptographic keys are fundamental to how SharePoint authenticates users and protects sensitive session data.
By stealing these secrets, attackers are no longer limited to reusing their initial exploit path. They can now forge their own authentication tokens, impersonate users, and craft valid payloads. There are tools available that make it easy to serialize malicious objects and sign them using the stolen keys. The result is full remote code execution (RCE) - without any need for the attacker to maintain access to the original vulnerable endpoint.
This technique is inspired by earlier attacks, notably CVE-2021-28474, where exploitation hinged on signing a malicious ViewState payload with the correct ValidationKey. Previously, this required access to the configuration file or memory - now, attackers simply steal those keys post-exploitation and move to the next phase.
What makes this particularly dangerous is that the persistence isn't just at the file level. Even if defenders remove the web shell or block access to ToolPane.aspx, the stolen cryptographic keys allow attackers to re-enter the environment at will, using signed payloads that are indistinguishable from legitimate traffic.
Indicators of compromise (IOCs)
IP Addresses (Observed in exploitation)
107.191.58[.]76
104.238.159[.]149
96.9.125[.]147
User-Agent Strings
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
URL-encoded variant for log searches: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0
Malicious File
spinstall0.aspx (web shell)
SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
Disk path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
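The request sequence from the technical details (POST to ToolPane.aspx, then GET to the spinstall0.aspx web shell) and the IOCs above, turned into a log hunt as an added example that is not part of the original post: it parses IIS W3C log text using its own #Fields header and flags rows that match the endpoint, web shell name, source IPs or User-Agent (in the '+'-encoded form IIS writes). The log excerpt is constructed, not a real capture.

```python
import re
from typing import Dict, List, Tuple

# IOCs from the post; IPs are kept in the defanged form the post uses and
# un-defanged at load time.
DEFANGED_IPS = ["107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147"]
IOC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}
# IIS stores cs(User-Agent) with spaces as '+', the URL-encoded variant the post gives.
IOC_UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0"
TOOLPANE = re.compile(r"^/_layouts/[^/]+/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not a real capture).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:11:04 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 200
2025-07-19 02:11:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 200
2025-07-19 02:12:30 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def hunt(rows: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (row index, matched IOC descriptions) for every suspicious row."""
    findings: List[Tuple[int, List[str]]] = []
    for i, r in enumerate(rows):
        hits: List[str] = []
        stem = r.get("cs-uri-stem", "")
        if r.get("cs-method") == "POST" and TOOLPANE.match(stem):
            hits.append("POST to ToolPane.aspx")
        if WEBSHELL.search(stem):
            hits.append("spinstall0.aspx web shell access")
        if r.get("c-ip") in IOC_IPS:
            hits.append("known attacker IP")
        if r.get("cs(User-Agent)") == IOC_UA:
            hits.append("attacker User-Agent")
        if hits:
            findings.append((i, hits))
    return findings
```

Run it as `hunt(parse_w3c(open(path).read()))` over a real IIS log; a ToolPane.aspx POST followed seconds later by a GET to spinstall0.aspx from the same client is the sequence to escalate.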
Updates
July 22, 2025: Added new remediation info for Microsoft SharePoint Enterprise Server 2016. Clarified that InsightVM checks shipped on July 21.