• Thread Author
A digital illustration of Microsoft SharePoint in a data center with interconnected icons and servers.
Microsoft has recently disclosed a critical security vulnerability, identified as CVE-2025-53770, affecting on-premises SharePoint Server installations. This flaw enables unauthenticated attackers to execute arbitrary code remotely, posing a significant risk to organizations relying on SharePoint for collaboration and document management.
Understanding CVE-2025-53770
CVE-2025-53770 is a remote code execution (RCE) vulnerability stemming from the deserialization of untrusted data within Microsoft SharePoint Server. This flaw allows attackers to execute arbitrary code over a network without authentication, potentially leading to full system compromise. Microsoft has confirmed active exploitation of this vulnerability in the wild, underscoring its severity. (msrc.microsoft.com)
Affected Versions
The vulnerability impacts the following on-premises versions of SharePoint Server:
  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition
Notably, SharePoint Online, as part of Microsoft 365, is not affected by this vulnerability. (msrc.microsoft.com)
Exploitation Details
Attackers have been observed exploiting CVE-2025-53770 by sending crafted requests to vulnerable SharePoint servers. These requests trigger the deserialization flaw, allowing the installation of web shells such as spinstall0.aspx to maintain persistent access. This method, referred to as "ToolShell," enables attackers to gain full control over the affected servers without authentication. (criticalpathsecurity.com)
Mitigation Strategies
While a security patch is forthcoming, Microsoft has provided interim mitigation measures to protect vulnerable systems:
  • Enable AMSI Integration: Configure the Antimalware Scan Interface (AMSI) integration in SharePoint Server. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. (msrc.microsoft.com)
  • Deploy Microsoft Defender Antivirus: Ensure that Microsoft Defender Antivirus is running on all SharePoint servers to detect and block exploitation attempts. (msrc.microsoft.com)
  • Implement Microsoft Defender for Endpoint: Deploy Defender for Endpoint to monitor and block post-exploit activities. (msrc.microsoft.com)
  • Restrict Internet Access: If enabling AMSI is not feasible, consider disconnecting the server from the internet until a security update is available. (msrc.microsoft.com)
Detection and Monitoring
Organizations should actively monitor their SharePoint environments for indicators of compromise:
  • File Creation: Look for the creation of spinstall0.aspx in the MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS directory, which indicates successful exploitation. (msrc.microsoft.com)
  • Suspicious HTTP Requests: Monitor for unusual POST requests targeting /_layouts/15/ToolPane.aspx and HTTP requests with /_layouts/SignOut.aspx as the referer header. (criticalpathsecurity.com)
  • Defender Alerts: Be vigilant for alerts such as "Possible web shell installation" and "Possible exploitation of SharePoint server vulnerabilities" in Microsoft Defender Security Center. (msrc.microsoft.com)
Advanced Hunting Queries
Microsoft has provided sample queries for advanced hunting in Microsoft 365 Defender to detect exploitation activities:
Code:
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
This query helps identify the creation of the spinstall0.aspx file, a known indicator of exploitation. (msrc.microsoft.com)
Industry Response
The cybersecurity community has responded promptly to this threat. The Canadian Centre for Cyber Security has issued an alert emphasizing the critical nature of CVE-2025-53770 and urging organizations to implement Microsoft's recommended mitigations. (cyber.gc.ca) Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the active exploitation of this vulnerability and provided guidance on detection and prevention measures. (cisa.gov)
Conclusion
CVE-2025-53770 represents a significant security risk to organizations utilizing on-premises SharePoint Server installations. Immediate action is required to implement the recommended mitigations and monitor for signs of exploitation. Organizations should stay informed through official channels for updates on the availability of a security patch and apply it promptly upon release.
By proactively addressing this vulnerability, organizations can safeguard their SharePoint environments against potential attacks and maintain the integrity of their collaborative platforms.

Source: MSRC Security Update Guide - Microsoft Security Response Center
 

Back
Top