Microsoft has issued urgent guidance following the discovery of two zero-day vulnerabilities affecting on-premises Microsoft SharePoint servers, identified as CVE-2025-53770 and CVE-2025-53771. These vulnerabilities are actively being exploited in the wild.
What are CVE-2025-53770 and CVE-2025-53771?
CVE-2025-53770 (CVSS 9.8) is a critical RCE vulnerability caused by unsafe deserialization of untrusted data in on-premises SharePoint Servers. This forms the execution stage of the “ToolShell” exploit chain.
CVE-2025-53771 (CVSS 6.3) is a spoofing vulnerability in SharePoint’s request handling. It allows attackers to bypass authentication by crafting a request that mimics a legitimate SharePoint workflow using a forged Referer header.
These vulnerabilities are chained together in an exploit known as ToolShell:
CVE-2025-53771 enables unauthenticated access (auth bypass).
CVE-2025-53770 enables the attacker to execute code (RCE).
Importantly, these are not brand-new bugs, but variants of earlier vulnerabilities:
CVE-2025-53770 is a bypass of the fix for CVE-2025-49704 (original deserialization/RCE).
CVE-2025-53771 is a bypass of the fix for CVE-2025-49706 (original spoofing bug).
Although Microsoft patched CVE-2025-49704 and CVE-2025-49706 in the July 2025 Patch Tuesday release, threat actors recently found new paths to exploit the same core logic, prompting Microsoft to assign new CVEs and release emergency fixes.
In many reported cases, it remains unclear whether observed in-the-wild exploitation reflects abuse of the original CVEs or their bypasses.
These flaws affect on-premises SharePoint servers only and are not applicable to Microsoft 365 SharePoint Online.
Who is Affected?
The vulnerabilities apply exclusively to on-premises deployments of Microsoft SharePoint Server. This includes servers running on physical hosts as well as self-managed SharePoint instances running in the cloud.
The impacted SharePoint versions are:
SharePoint Server Subscription Edition - earlier than KB5002768
SharePoint Server 2019 - earlier than 16.0.10417.20027 / KB5002754
SharePoint Server 2016
While SharePoint Server 2010 and 2013 have reached end-of-life and are therefore no longer supported, they are still noted by Microsoft as affected.
According to Microsoft, SharePoint Online in Microsoft 365 is NOT impacted.
What’s the risk to cloud environments?
While SharePoint Online (Microsoft 365) is not affected, self-managed SharePoint Server instances hosted in the cloud (e.g., on Azure, AWS, or GCP) are vulnerable.
According to Wiz data, 9% of cloud environments have resources running vulnerable versions of self-managed SharePoint.
What sort of exploitation has been identified in the wild?
While active exploitation of on-premises Microsoft SharePoint servers using the ToolShell exploit chain has been observed since July 18, 2025, the groundwork for this attack began much earlier, starting with vulnerability disclosures and proof-of-concept demonstrations months prior.
May 2025 - At Pwn2Own Berlin, security researchers from Viettel Cyber Security demonstrated a chained exploit targeting on-premises SharePoint. This exploit combined CVE-2025-49704 (unsafe deserialization) and CVE-2025-49706 (path traversal/spoofing) to achieve unauthenticated remote code execution (RCE). The exploit chain was dubbed ToolShell.
July 9, 2025 (Patch Tuesday) - Microsoft issued fixes for CVE-2025-49704 and CVE-2025-49706. These were believed to fully address the ToolShell chain.
July 14, 2025 - Security researchers from CODE WHITE GmbH publicly reproduced the original ToolShell exploit.
July 18, 2025 - Eye Security identified active exploitation of SharePoint servers in the wild using 0-day bypasses for the original ToolShell vulnerabilities. This marked the first known in-the-wild abuse of the exploit chain. A second wave of attacks was observed on July 19th.
July 20, 2025 - Microsoft acknowledged the attacks and issued an official advisory, assigning CVE-2025-53770 (new unsafe deserialization RCE) and CVE-2025-53771 (server spoofing vulnerability) to the bypass variants. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog on the same day.
July 21, 2025 - Microsoft released emergency patches for SharePoint Server Subscription Edition and SharePoint Server 2019, fully mitigating the new ToolShell bypasses.
How the ToolShell Exploit Chain Works
Initial Entry (CVE-2025-53771): The attacker sends a POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit using a crafted Referer header (/_layouts/SignOut.aspx) to bypass authentication. This leverages a header spoofing vulnerability that makes SharePoint treat the request as authenticated.
Payload Delivery (CVE-2025-53770): With authenticated access to the vulnerable ToolPane.aspx endpoint, the attacker exploits an insecure deserialization vulnerability by submitting a malicious payload in the POST body. SharePoint deserializes attacker-controlled data without validation, leading to the execution of embedded commands. This results in dropping a stealthy ASPX web shell (e.g., spinstall0.aspx) into a directory such as C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\. This web shell grants persistent remote access to the server.
Key Extraction: The uploaded web shell is used to extract sensitive cryptographic material, including the ValidationKey and DecryptionKey from the server’s machineKey configuration. These keys are critical for forging valid, signed ASP.NET ViewState payloads that SharePoint will trust.
Remote Code Execution: Using tools like ysoserial, the attacker crafts malicious __VIEWSTATE payloads signed with the stolen keys. Because SharePoint trusts the signature, it deserializes and executes the embedded payloads. This enables unauthenticated remote code execution even after the initial foothold, completing the attack chain.
Observed IOCs
File name: spinstall0.aspx
SHA256 hash: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
Referer: /_layouts/SignOut.aspx
POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
GET request to /_layouts/15/spinstall0.aspx
Process name: w3wp.exe spawning encoded PowerShell
IP addresses: 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147, 103.186.30[.]186
File path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
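As an added defensive example (not code from the original post or from Wiz), the following Python scans IIS W3C log lines for the request-level indicators listed above: the ToolPane.aspx POST with the SignOut Referer, requests for spinstall0.aspx, and the listed source IPs. The log field order, the constructed sample lines and the finding names are assumptions; legitimate page edits also POST to ToolPane.aspx, so that alone is reported as a lower-confidence hit.

```python
# IOCs quoted from the advisory text above (paths, Referer, file name, IP addresses).
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_PATH = "/_layouts/15/spinstall0.aspx"
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147", "103.186.30.186"}

# Assumed IIS W3C field order; real sites differ, so align FIELDS with the #Fields header.
FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "referer", "status"]

# Constructed sample log (not real telemetry): one benign page view, the bypass POST,
# a fetch of the dropped web shell, and a legitimate internal edit of ToolPane.aspx.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.7 GET /sites/hr/default.aspx - https://intranet.example/ 200
2025-07-19 03:13:01 107.191.58.76 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit /_layouts/SignOut.aspx 200
2025-07-19 03:13:09 107.191.58.76 GET /_layouts/15/spinstall0.aspx - - 200
2025-07-19 03:14:30 10.0.0.9 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit https://intranet.example/sites/hr 200
""".splitlines()


def parse_line(line):
    """Split one W3C log line into a dict; skip directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return the ToolShell indicators matched by one parsed request."""
    findings = []
    stem, query, referer = (rec[k].lower() for k in ("uri_stem", "uri_query", "referer"))
    if rec["method"] == "POST" and stem == TOOLPANE_PATH and "displaymode=edit" in query:
        # Admins editing pages also POST here; the SignOut Referer is the bypass signature.
        if referer.endswith(SIGNOUT_REFERER):
            findings.append("toolpane_post_with_signout_referer")
        else:
            findings.append("toolpane_post")
    if stem == WEBSHELL_PATH:
        findings.append("spinstall0_webshell_access")
    if rec["c_ip"] in KNOWN_BAD_IPS:
        findings.append("known_toolshell_ip")
    return findings


def scan(lines):
    """Return (line, findings) pairs for every log line matching at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (found := classify(rec)):
            hits.append((line, found))
    return hits
```

To run it over real logs, pass the lines of a u_ex*.log file to scan() after adjusting FIELDS to that site's #Fields header.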
What should security teams do?
Apply the latest SharePoint security updates:
SharePoint Server Subscription Edition (KB5002768)
SharePoint Server 2019 (KB5002754)
Monitor for SharePoint Server 2016 patch availability
Older unsupported versions (2010, 2013) are considered exposed and should be isolated or upgraded
If patching is not possible immediately, take these steps as a workaround solution:
Disconnect internet-facing SharePoint servers if patches or AMSI can’t be applied
Enable AMSI in Full Mode
Rotate ASP.NET Machine Keys after patching or enabling AMSI:
Use PowerShell (Update-SPMachineKey) or run the job in Central Admin
Restart IIS with iisreset.exe
Assume compromise if the server was exposed to the internet:
Isolate/shut down the server
Revoke credentials and rotate secrets
Engage incident response teams
Audit and reduce layout/admin privileges
Monitor for Indicators of Compromise (IOCs).
How can Wiz help?
Wiz customers can use the prebuilt queries available in the Wiz Threat Intel Center to determine if they have been impacted by these vulnerabilities:
Detect indicators of compromise
References
Eye Security - SharePoint 0-day uncovered (CVE-2025-53770)
CISA - Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)