Cybereason is actively investigating exploitation attempts of these vulnerabilities. Check the Cybereason blog for additional updates.
Key Takeaways
- Two zero-day vulnerabilities discovered in on-premise Microsoft SharePoint servers, tracked as CVE‑2025‑53770 and CVE‑2025‑53771.
- Affected versions include: Subscription Edition – KB5002768, SharePoint 2019 – KB5002754, SharePoint 2016 – KB5002760.
- If exploited, these vulnerabilities could allow for remote code execution (RCE).
- Cybereason has observed ongoing active exploitation attempts of these vulnerabilities through our Global SOC monitoring.
- Given active exploitation, we recommend taking an “assume compromised” posture, immediately patching impacted versions, and conducting a historical (lookback) incident response investigation.
Background
Two zero-day vulnerabilities, tracked as CVE‑2025‑53770 and CVE‑2025‑53771, have been discovered in on-premise Microsoft SharePoint servers. These vulnerabilities have CVSS v3.1 scores of 9.8 (Critical) and 6.3 (High), respectively. Affected versions include Subscription Edition – KB5002768, SharePoint 2019 – KB5002754, SharePoint 2016 – KB5002760. Together, these vulnerabilities could allow an unauthorized user to execute code remotely over a network.
These vulnerabilities are related to an earlier pair of CVEs, dubbed “ToolShell” and tracked as CVE-2025-49706 and CVE-2025-49704, which were patched in Microsoft’s July Patch Tuesday release. Those were originally demonstrated as proof-of-concept vulnerabilities at Pwn2Own Berlin, where they were chained to achieve remote code execution. The latest vulnerabilities (CVE-2025-53770 and CVE-2025-53771) bypass the fixes for the earlier pair, allowing threat actors to gain entry to and attack on-premise SharePoint servers.
SharePoint Vulnerabilities Timeline
Below is a timeline of events as reconstructed by the Cybereason DFIR and GSOC teams:
- May 2025 – At Pwn2Own Berlin, Viettel Cyber Security demonstrated a chained SharePoint attack (ToolShell) using CVE-2025-49704 (deserialization RCE) and CVE-2025-49706 (auth bypass).
- July 9, 2025 (Patch Tuesday) – Microsoft released fixes for CVE‑2025‑49704 and CVE‑2025‑49706.
- July 14, 2025 – CODE WHITE GmbH reproduced the ToolShell exploit chain.
- July 18, 2025 – Eye Security observed active exploitation of SharePoint servers, initially attributing it to the previous CVEs.
- Evening of July 18, 2025 – Eye Security began investigating and discovered it was a new zero‑day.
- July 20, 2025 – Microsoft officially acknowledged active attacks and assigned CVE‑2025‑53770, which was added to CISA’s Known Exploited Vulnerabilities catalog.
- July 20–21, 2025 – Microsoft released emergency patches for SharePoint Server Subscription Edition and 2019; a patch for SharePoint 2016 was still in development.
- July 21, 2025 – Cybereason is monitoring globally protected clients through our MDR services and is witnessing follow-on threat actors beginning to leverage a variety of webshells and varying attack patterns to move through the Cybereason Intrusion Path.
- July 22, 2025 – Microsoft attributes the initial zero-day and related SharePoint attacks to several China-linked hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. Cybereason assesses with high confidence that follow-on threat actor groups have weaponized and will continue to weaponize the vulnerability for eCrime/financially motivated purposes.
Recommendations
Below are key recommendations from our DFIR team:
- Assume Compromise: If your SharePoint server is/was internet-facing at the time these CVEs were identified, we recommend the following:
  - Isolate and/or shut down impacted SharePoint server(s) pending patch application and incident response investigation
  - Enable AMSI in Full Mode
  - Rotate ASP.NET machine keys after patching or enabling AMSI: use PowerShell (Update-SPMachineKey) or run the job in Central Admin
  - Restart IIS with iisreset.exe, consistent with Microsoft documentation
- Historical (Lookback) Incident Response Investigation Recommendations:
  - Search for POST requests containing: /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  - Look for the Referer header /_layouts/SignOut.aspx and possibly the user agent Firefox/120.0, or its URL-encoded form.
  - Rotate SharePoint ASP.NET machine keys. These keys were targeted by the initial threat actor to generate valid ViewState tokens. Follow-on threat actors appear to be deviating from this pattern and focusing instead on internal network pivots (which has been observed).
  - Scan for .aspx webshells in the layouts folder (e.g., spinstall0.aspx) and other suspicious files, focusing on recently created files.
  - Investigate w3wp.exe processes spawning encoded PowerShell scripts.
  - Unauthorized .aspx files (e.g., spinstall0.aspx) in the \layouts folder
  - Process chains like w3wp.exe → cmd.exe → PowerShell
  - Search for any additional webshells or malicious .aspx files that may have been installed through CVE-2025-53770 exploitation, regardless of naming conventions.
- Interim stopgap: If you are a Microsoft customer, enable the Antimalware Scan Interface (AMSI) and install Microsoft Defender for Endpoint/Antivirus (or equivalent) on all SharePoint servers.
- If you have an alternative EDR solution, it is likely that the vendor has released or is releasing updated detection logic and playbooks.
- If you have an MDR provider, you should inquire about their detection and alert protocols for this exploit and whether they have conducted an active investigation into potential exploitation.
- Interim stopgap: Add IPS/WAF signatures to block the exploit, specifically POST requests to ToolPane.aspx with matching Referer headers.
- If patches cannot be applied immediately or AMSI cannot be enabled, disconnect public-facing SharePoint servers from the internet until remediation is complete.
- Enhance server logging (IIS, Sysmon, Windows Event) to detect abnormal POSTs, new file writes under layouts, and suspicious script execution chains.
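The IIS log search described in the lookback recommendations above, written out as an added example (not code from the original post or from Cybereason): it parses W3C-format IIS log lines using the #Fields header, flags POSTs to /_layouts/15/ToolPane.aspx with DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx in plain or URL-encoded form, and records whether the Firefox/120.0 user agent was present. The log lines are constructed, and the #Fields layout is assumed to be whatever the server is configured to log.

```python
from urllib.parse import unquote

# Constructed sample IIS W3C log (not real telemetry): a #Fields header, one
# benign GET, and two POSTs matching the lookback pattern from the advisory
# (the second with a URL-encoded Referer). IIS logs spaces as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0)+Firefox/128.0 https://sp.example.internal/ 200
2025-07-19 02:14:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200
2025-07-19 02:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/128.0 %2F_layouts%2FSignOut.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed rows, never guess columns
                yield dict(zip(fields, parts))


def decode_field(value):
    """Normalise an IIS field: '+' means space, and values may be URL-encoded."""
    return unquote(value.replace("+", " ")).lower()


def hunt_toolshell(text):
    """Return POSTs to ToolPane.aspx?DisplayMode=Edit carrying a SignOut.aspx Referer."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not rec.get("cs-uri-stem", "").lower().endswith("/_layouts/15/toolpane.aspx"):
            continue
        if "displaymode=edit" not in decode_field(rec.get("cs-uri-query", "")):
            continue
        if "/_layouts/signout.aspx" not in decode_field(rec.get("cs(Referer)", "")):
            continue
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client_ip": rec.get("c-ip", "-"),
            # Firefox/120.0 was the UA noted in early exploitation; its absence clears nothing
            "ua_match": "firefox/120.0" in decode_field(rec.get("cs(User-Agent)", "")),
        })
    return hits
```

Run it against the full IIS log directory of every internet-facing SharePoint server, and treat every hit as a lead for the webshell and process-chain checks listed above rather than as a complete verdict.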
We also strongly recommend engaging an incident response team to confirm the thoroughness of the investigation and the eviction of the threat actor.
Our team is standing by to answer any questions relating to these vulnerabilities. Reach us 24x7 at response@cybereason.com.
About the Author
Devon Ackerman, Global Head of DFIR, Cybereason
Devon Ackerman is the Global Head of DFIR at Cybereason. Devon leverages over 15 years of experience in the cybersecurity industry, with a focus on Digital Forensics and Incident Response. He has built, managed, and led large global incident response teams, and has worked hundreds of incident response engagements, including some of the most complex in the world.