Warning: Emergency Patch for Exploited Remote Code Execution Vulnerability in SharePoint On-Premises, Patch Immediately!

Published: 21/07/2025
  • Last update: 24/07/2025
  • Affected software:
    → Microsoft SharePoint Server Subscription Edition
    → Microsoft SharePoint Server 2019
    → Microsoft SharePoint Server 2016
  • Type: Remote Code Execution, Path traversal
  • CVE/CVSS
    → CVE-2025-53770: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2025-53771: CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

Sources

Microsoft - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Risks

Microsoft published an emergency security update for two actively exploited vulnerabilities (CVE-2025-53770 and CVE-2025-53771). The underlying flaws were first addressed in the July Patch Tuesday update (as CVE-2025-49704 and CVE-2025-49706, an exploit chain also known as ToolShell), but threat actors developed exploits that bypass that patch.

As a result, an unauthenticated threat actor can gain full access to SharePoint content, including file systems and internal configurations, execute code remotely, and move laterally across the Windows domain, while bypassing identity protections such as MFA or SSO. Since SharePoint often connects to core services such as Outlook, Teams and OneDrive, a breach can quickly lead to data theft, password harvesting and lateral movement across the network.

Threat actors were observed dropping malicious ASPX payloads via PowerShell and stealing machine keys to maintain persistence. Therefore, patching must be followed by rotating the SharePoint Server ASP.NET machine keys to invalidate future IIS tokens created by malicious actors. Additionally, persistent backdoors were observed that can survive reboots and updates. If you see signs of compromise, do a thorough forensic investigation and if in doubt, consult expert incident response services.

The vulnerabilities affect on-premises SharePoint instances and emergency patches are available.

Description

CVE-2025-53770 is a deserialization of untrusted data vulnerability in on-premises Microsoft SharePoint Server that allows an unauthorized attacker to execute code over the network.

CVE-2025-53771 is a path traversal vulnerability caused by improper limitation of a path name to a restricted directory. It affects Microsoft Office SharePoint and allows an authorized attacker to perform spoofing over a network.

The two vulnerabilities are actively exploited. They are the result of an exploit bypassing the patches for vulnerabilities CVE-2025-49704 and CVE-2025-49706, also known as ToolShell. Systems that had already applied the July Patch Tuesday update at the time of publication are not safe. The emergency patch needs to be applied.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends following Microsoft's emergency guidance:

  • Use supported versions of on-premises SharePoint Server.
  • Install the latest security updates, including the July 2025 Security Update.
  • Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution.
  • Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions.
  • Rotate SharePoint Server ASP.NET machine keys.

In case of a compromise:

  • Isolate or shut down affected SharePoint servers. Blocking via firewall is not enough as persistence may already exist.
  • Renew all credentials and system secrets that could have been exposed via the malicious ASPX.
  • Engage your incident response team or a trusted cybersecurity firm.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

Multiple sources are providing Indicators of Compromise and instructions for monitoring:

  • Monitor for HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • Scan logs for connections from the IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between 18 and 19 July 2025.
  • Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770.
  • Look for process creations where w3wp.exe is spawning encoded PowerShell involving the spinstall0 file or the file paths it has been known to be written to.
  • Thoroughly scan your environment for any suspicious behaviour. If your organization is connected to our MISP community, see UUID 26381ce0-15a3-47f6-8ece-4fc7309789ba. The CCB also created an IOC package (password: infected) for people who don't have MISP: https://fedsender.belnet.be/?s=download&token=d4f4cd66-d365-4702-a9a6-30e301755cef.
  • Update 24-07-2025: A new in-memory .dll payload related to the ToolShell exploit has been observed (SHA-256: 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997), which collects system information and sensitive SharePoint machine keys directly from memory, transmitting them in a single request without writing a static file to disk. This advancement implies that traditional file-based IoCs, such as the presence of spinstall0.aspx, may no longer reliably indicate compromise.
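The following script is an added example, not part of the CCB advisory or of any vendor tooling. It turns the indicators listed above into a small triage check over IIS W3C log lines and process-creation records: POSTs to /_layouts/15/ToolPane.aspx with DisplayMode=Edit (rated higher when no authenticated user is present), requests from the three listed IPs (rated higher inside the 18-19 July 2025 window), any request for spinstall0.aspx, and w3wp.exe spawning encoded PowerShell that references spinstall0. The log lines, the process events, the field order of the #Fields header and the placeholder path are all constructed for this example; real IIS field order must be taken from your own log header, which the parser reads.

```python
"""Triage IIS logs and process-creation events for the ToolShell indicators
named in the CCB advisory (CVE-2025-53770 / CVE-2025-53771).
Added example; sample data below is constructed, not observed."""
import base64
import re
from datetime import date
from urllib.parse import parse_qs

# Indicators taken from the advisory text.
SUSPICIOUS_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
EXPLOIT_WINDOW = (date(2025, 7, 18), date(2025, 7, 19))
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
PAYLOAD_NAME = "spinstall0"

# Constructed IIS W3C log; the #Fields header drives the column mapping.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 22:14:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.41 Mozilla/5.0 200
2025-07-18 22:15:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-18 22:15:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-20 09:01:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.77 Mozilla/5.0 200
"""


def _encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation records (Sysmon-style fields, simplified).
SAMPLE_PROCESS_EVENTS = [
    {   # mirrors the advisory's w3wp.exe -> encoded PowerShell pattern; path is a placeholder
        "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -EncodedCommand "
                        + _encode_ps(r"Test-Path 'C:\PLACEHOLDER_PATH\spinstall0.aspx'"),
    },
    {   # benign: interactive admin script with a different parent process
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\scripts\backup.ps1",
    },
]


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def check_iis_record(rec):
    """Return (severity, reason) findings for a single IIS record."""
    findings = []
    stem = rec.get("cs-uri-stem", "").lower()
    query_raw = rec.get("cs-uri-query", "-")
    query = {} if query_raw == "-" else parse_qs(query_raw.lower())
    anonymous = rec.get("cs-username", "-") == "-"
    client_ip = rec.get("c-ip", "")
    try:
        day = date.fromisoformat(rec.get("date", ""))
    except ValueError:
        day = None

    if rec.get("cs-method") == "POST" and stem == TOOLPANE_PATH and query.get("displaymode") == ["edit"]:
        who = "without authenticated user" if anonymous else "by authenticated user"
        findings.append(("high" if anonymous else "review", f"POST to ToolPane.aspx?DisplayMode=Edit {who}"))
    if PAYLOAD_NAME in stem:
        findings.append(("high", f"request for {PAYLOAD_NAME} payload"))
    if client_ip in SUSPICIOUS_IPS:
        in_window = day is not None and EXPLOIT_WINDOW[0] <= day <= EXPLOIT_WINDOW[1]
        findings.append(("high" if in_window else "review", f"client IP {client_ip} listed in advisory"))
    return findings


def decode_encoded_command(command_line):
    """Return the decoded script for -EncodedCommand/-enc, '' if undecodable, None if not encoded."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_process_event(ev):
    """Flag w3wp.exe spawning PowerShell; encoded commands naming spinstall0 rate highest."""
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if not (parent.endswith("\\w3wp.exe") and image.endswith(("\\powershell.exe", "\\pwsh.exe"))):
        return []
    decoded = decode_encoded_command(ev.get("command_line", ""))
    if decoded is None:
        return [("review", "w3wp.exe spawned PowerShell (not encoded)")]
    if PAYLOAD_NAME in decoded.lower():
        return [("high", f"w3wp.exe spawned encoded PowerShell referencing {PAYLOAD_NAME}")]
    return [("review", "w3wp.exe spawned encoded PowerShell")]


def scan_iis_log(text):
    """All findings over an IIS log as (timestamp, client_ip, severity, reason)."""
    return [(f"{rec['date']} {rec['time']}", rec["c-ip"], sev, reason)
            for rec in parse_iis_log(text) for sev, reason in check_iis_record(rec)]


def scan_process_events(events):
    """All findings over process events as (severity, reason)."""
    return [hit for ev in events for hit in check_process_event(ev)]


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG) + scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

A legitimate page edit can also POST to ToolPane.aspx with DisplayMode=Edit, which is why the authenticated case is rated "review" rather than "high"; the combination of an anonymous POST, a listed source IP and a follow-up request for spinstall0.aspx is what the constructed sample reproduces. As the 24-07-2025 update notes, the in-memory .dll variant leaves no spinstall0 file, so the ToolPane.aspx request pattern and the w3wp.exe process lineage are the more durable signals here.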

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

CISA - https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
Sophos - https://news.sophos.com/en-us/2025/07/21/sharepoint-toolshell-vulnerabilities-being-exploited-in-the-wild/
Palo Alto Networks IOCs - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt
Neo23x0 Yara Rule - https://github.com/Neo23x0/signature-base/blob/master/yara/expl_sharepoint_jul25.yar#L3
CCB IOC package (password:infected) - https://fedsender.belnet.be/?s=download&token=d4f4cd66-d365-4702-a9a6-30e301755cef