CVE-2025-53770: SharePoint Zero-Day Under Active Exploitation
CVE-2025-53770 is a live, critical-severity threat that is already being exploited across global networks. The vulnerability in on-premises Microsoft SharePoint Server lets an unauthenticated, remote attacker execute arbitrary code on the server, effectively handing them the keys to everything SharePoint touches.
As of July 2025, over 85 SharePoint servers have reportedly been breached. And if your organization uses SharePoint 2016, 2019, or Subscription Edition on-premises, you could be next.
CVE-2025-53770 – Risk Analysis
Severity: CRITICAL
CVSSv3.1: Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available in public: Yes
Exploit complexity: Low
At its core, CVE-2025-53770 is a remote code execution (RCE) flaw that allows attackers to run code on a SharePoint server without needing credentials. The vulnerability arises from the unsafe deserialization of untrusted data, a long-standing weakness in many enterprise applications.
What makes this case so dangerous is that it bypasses previously issued patches. In May 2025, a chained exploit called ToolShell was demonstrated at Pwn2Own Berlin, combining CVE-2025-49704 (unsafe deserialization leading to code execution) with CVE-2025-49706 (an authentication bypass). Microsoft fixed both in its July 2025 security update, but threat actors quickly found a variant that the fix did not cover. Microsoft tracks that variant as CVE-2025-53770, and it effectively restores the original attack against patched servers.
How The Exploit Works
The attack begins with a crafted POST request sent to the vulnerable SharePoint endpoint:
/_layouts/15/ToolPane.aspx
By manipulating the Referer header, attackers can trick the server into believing the request originates from a trusted location like:
/_layouts/SignOut.aspx
SharePoint treats requests that appear to come from the sign-out page as exempt from its normal authentication check, so the spoofed header lets the unauthenticated POST reach ToolPane.aspx. The server then deserializes the attacker-controlled payload in the request body, resulting in code execution. Once inside, the attackers typically drop a web shell named spinstall0.aspx into SharePoint's LAYOUTS directory (the 16 hive's TEMPLATE\LAYOUTS folder on 2016, 2019 and Subscription Edition), giving them persistent access to the environment.
But it does not stop there. The next step is even more dangerous: the web shell reads the server's ASP.NET machine keys, the ValidationKey and DecryptionKey from the MachineKey configuration. With those keys an attacker can sign and encrypt their own __VIEWSTATE payloads so that they pass validation, which triggers deserialization again on any later request. That yields code execution without leaving a file on disk, and it works against every server in the farm that shares the same keys.
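The request shape described above is easy to hunt for in IIS logs. The following PowerShell is an added example, not code from the original post or from Indusface: it reads the column layout from the W3C log's "#Fields:" directive and flags POSTs to ToolPane.aspx that carry a Referer of /_layouts/SignOut.aspx, plus any request for spinstall0.aspx. The log excerpt at the bottom is constructed for the example; the IP addresses, timestamps, hostname, user agent and query string are illustrative only.

```powershell
# Added example (not from the original article or from Indusface): scan IIS W3C
# logs for the ToolShell request pattern. Column positions come from the
# "#Fields:" directive, so it works with whatever fields the site logs.
function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $columns = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $columns = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if (-not $columns -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $columns.Count) { continue }   # malformed line: skip rather than guess
        $row = @{}
        for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $values[$i] }

        $reason = $null
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -match '(?i)/_layouts/(15/)?ToolPane\.aspx$' -and
            "$($row['cs(Referer)'])" -match '(?i)/_layouts/SignOut\.aspx') {
            $reason = 'POST to ToolPane.aspx with spoofed SignOut.aspx Referer'
        }
        elseif ($row['cs-uri-stem'] -match '(?i)/spinstall0\.aspx$') {
            $reason = 'request for the spinstall0.aspx web shell'
        }
        if ($reason) {
            [pscustomobject]@{
                When    = '{0} {1}' -f $row['date'], $row['time']
                Source  = $row['c-ip']
                Request = '{0} {1}?{2}' -f $row['cs-method'], $row['cs-uri-stem'], $row['cs-uri-query']
                Referer = $row['cs(Referer)']
                Status  = $row['sc-status']
                Reason  = $reason
            }
        }
    }
}

# Constructed sample excerpt in IIS W3C format (not a real log). The second and
# third lines reproduce the exploit request and the follow-on web shell access.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:44 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.0.77 Mozilla/5.0 https://sp.corp.example/sites/hr 200 0 0 31
2025-07-18 09:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 118
2025-07-18 09:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 9
'@ -split "`r?`n"

# Against a real log: Find-ToolShellRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250718.log')
Find-ToolShellRequests -LogLines $sample | Format-Table -AutoSize
```

Because IIS only records the Referer if cs(Referer) is among the logged fields, check the "#Fields:" line of your logs first; without that column the Referer test is skipped and only the spinstall0.aspx check fires. A POST to ToolPane.aspx from an address that never authenticated (cs-username "-") is suspicious on its own even without the Referer.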
What Makes CVE-2025-53770 Dangerous
- No authentication required – The exploit works against exposed servers without needing login credentials.
- Patch bypass – Allows attackers to sidestep the July security update for CVE-2025-49704.
- Key theft enables persistence – Attackers do not need to maintain a file on the server; they can keep returning with signed payloads.
- Blends seamlessly into SharePoint – Exploits happen via standard SharePoint endpoints, making detection difficult.
- Targets multiple industries – From government to healthcare to finance, the campaign is wide-reaching and calculated.
Real-World Exploitation
- Active exploitation was first reported by the Dutch security firm Eye Security on July 18, 2025. Within days, security vendors and government agencies confirmed the scale of the threat. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog on July 20, with a remediation due date of July 21.
- Meanwhile, threat actors continue to scan the internet for exposed servers. Security researchers using FOFA found over 200,000 potentially reachable SharePoint instances, an enormous attack surface.
- The tradecraft is deliberate rather than opportunistic. This is not commodity malware sprayed at whatever responds; it is targeted exploitation whose goal is persistence and stealth, which is exactly what stealing the machine keys delivers.
Microsoft’s Response
Microsoft responded by issuing emergency patches for supported versions of SharePoint:
- SharePoint Server 2019: Update KB5002754 (Build 16.0.10417.20037)
- SharePoint Subscription Edition: Update KB5002768 (Build 16.0.18526.20508)
- SharePoint 2016: Patch KB5002760 (Build 16.0.5513.1001)
Each update is described as containing “more robust protections” than the July patches. The focus now is on sealing the bypass vectors and improving session validation and deserialization handling.
Mitigation Strategy: What To Do Now
If you are running on-premises SharePoint, immediate patching is non-negotiable. But patching alone won't reverse the damage if a server has already been breached. Here is what organizations must do after installing the update:
- Rotate ASP.NET machine keys – Generate new ValidationKey and DecryptionKey values and restart IIS so they take effect. This renders any keys an attacker has already stolen useless for forging payloads. Do this after the update is installed; keys rotated on a still-vulnerable server can simply be stolen again.
- Hunt for web shells – Look for spinstall0.aspx in the LAYOUTS directory, and for any other ASPX files there that you did not deploy or that were written after the exploitation window opened.
- Enable AMSI integration – This lets an AMSI-capable antivirus engine scan request content at runtime. It is enabled by default on newer builds, but verify it on yours rather than assuming.
- Scan for abnormal process behavior – Investigate whether the IIS worker process, w3wp.exe, has spawned a command shell, for example:
w3wp.exe → cmd.exe → powershell.exe -EncodedCommand
This process chain is a strong indicator of post-exploitation activity and can help defenders catch otherwise stealthy exploitation.
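The post-patch steps above, as one added PowerShell example (not code from the original article or from Indusface). It assumes it runs in the SharePoint Management Shell as a farm administrator on a server where the security update is already installed, that Sysmon is installed and writing process-creation events (Event ID 1) to Microsoft-Windows-Sysmon/Operational, and that LAYOUTS lives under the 16 hive used by SharePoint 2016, 2019 and Subscription Edition. The key-rotation step uses the Update-SPMachineKey cmdlet that Microsoft's guidance names; confirm its parameters with Get-Help on your own farm. The two hunting functions only report findings, they do not delete files or kill processes.

```powershell
# Added example, not the article's or Indusface's code. Run in the SharePoint
# Management Shell as a farm administrator after the security update is installed.

# 1. Hunt for web shells in LAYOUTS: the known spinstall0.aspx name, any .aspx written
#    after the baseline date, and any .aspx whose source reads the machine keys
#    (which is what spinstall0.aspx does).
function Find-LayoutsWebShells {
    param(
        [Parameter(Mandatory)][datetime]$Baseline,
        [string]$LayoutsPath = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS')
    )
    Get-ChildItem -Path $LayoutsPath -Filter *.aspx -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()
        if ($_.Name -ieq 'spinstall0.aspx') { $reasons += 'known ToolShell web shell name' }
        if ($_.LastWriteTime -ge $Baseline -or $_.CreationTime -ge $Baseline) { $reasons += 'written after baseline' }
        if (Select-String -Path $_.FullName -Pattern 'ValidationKey|DecryptionKey' -Quiet) {
            $reasons += 'reads MachineKey configuration'
        }
        if ($reasons) {
            [pscustomobject]@{ Path = $_.FullName; Modified = $_.LastWriteTime; Reasons = ($reasons -join '; ') }
        }
    }
}

# 2. Look for the post-exploitation process chain: w3wp.exe spawning cmd.exe or
#    PowerShell, and any shell launched with an encoded command.
function Find-W3wpShellSpawns {
    param([Parameter(Mandatory)][datetime]$Since)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read EventData by name; field indexes shift between Sysmon versions.
        $data = @{}
        foreach ($item in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if (-not $data['Image']) { continue }
        $child  = Split-Path $data['Image'] -Leaf
        $parent = if ($data['ParentImage']) { Split-Path $data['ParentImage'] -Leaf } else { '' }
        # powershell.exe accepts -e, -ec, -enc and -EncodedCommand followed by base64
        $encoded = "$($data['CommandLine'])" -match '(?i)(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}'
        $reason = $null
        if ($parent -ieq 'w3wp.exe' -and $child -in $shells) { $reason = "w3wp.exe spawned $child" }
        elseif ($child -in $shells -and $encoded) { $reason = "$parent spawned $child with an encoded command" }
        if ($reason) {
            [pscustomobject]@{
                Time        = $event.TimeCreated
                Parent      = $data['ParentImage']
                CommandLine = $data['CommandLine']
                Reason      = $reason
            }
        }
    }
}

# 3. Rotate the ASP.NET machine keys for every web application, then restart IIS so
#    the new ValidationKey/DecryptionKey take effect. Update-SPMachineKey is the cmdlet
#    Microsoft's guidance names; verify its parameters with Get-Help Update-SPMachineKey.
function Invoke-MachineKeyRotation {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($webApp in Get-SPWebApplication) {
        Write-Host "Rotating machine keys for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    iisreset.exe
}

# Collect evidence first, then rotate. The article dates first reported exploitation
# to July 18, 2025, so the look-back starts a day earlier (adjust to your own timeline).
$since = Get-Date '2025-07-17'
Find-LayoutsWebShells -Baseline $since | Format-Table -AutoSize
Find-W3wpShellSpawns -Since $since | Format-Table -AutoSize
Invoke-MachineKeyRotation
```

If Sysmon is not deployed, the same hunt can be run over Security event 4688 provided command-line auditing is enabled; without the command line the -EncodedCommand test has nothing to match. Run the web shell and process checks on every server in the farm, since the stolen keys are shared farm-wide and the attacker can come back through any of them.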
CVE-2025-53770 highlights how rapidly attackers adapt to security fixes. More than ever, organizations need layered defenses, rapid key rotation, and forensic visibility into high-value systems like SharePoint.
And perhaps most critically: on-prem environments need the same vigilance and protection as cloud infrastructure. Microsoft states that SharePoint Online in Microsoft 365 is not affected, but for those maintaining on-premises servers, this exploit is a wake-up call.
CVE-2025-53770: AppTrana WAAP Coverage
AppTrana WAAP customers are protected from this exploitation from Day 0, leveraging real-time threat intelligence and robust zero-day defense mechanisms.
Even if your SharePoint servers are not immediately patched, AppTrana’s managed ruleset and continuous monitoring can help block malicious payloads and RCE attempts. This ensures critical coverage during the patch window, reducing the risk of compromise from zero-day and actively exploited vulnerabilities.
These PoC-driven screenshot(s) showcase AppTrana’s ability to identify and halt exploitation attempts effectively.