Microsoft has recently issued an urgent security advisory concerning a critical vulnerability, designated as CVE-2025-53770, affecting on-premises SharePoint Server installations. This flaw is actively being exploited in the wild, posing significant risks to organizations relying on SharePoint for internal document sharing and collaboration.
CVE-2025-53770 is a remote code execution (RCE) vulnerability stemming from the deserialization of untrusted data within on-premises Microsoft SharePoint Servers. This flaw allows unauthorized attackers to execute arbitrary code over a network without requiring user interaction. Notably, SharePoint Online, as part of Microsoft 365, remains unaffected by this vulnerability.
The vulnerability is a variant of CVE-2025-49706, an authentication bypass issue previously addressed by Microsoft. Despite earlier patches, attackers have identified new methods to exploit SharePoint servers, leading to the emergence of CVE-2025-53770.
The attack chain, referred to as "ToolShell," leverages a combination of vulnerabilities to achieve unauthorized access and control over SharePoint servers. This method underscores the sophistication of the threat actors and the critical nature of the vulnerability.
Source: Zee News Microsoft Issues Urgent Security Patch After ‘Active Attacks’ On Document-Sharing Software
Understanding CVE-2025-53770
CVE-2025-53770 is a remote code execution (RCE) vulnerability stemming from the deserialization of untrusted data within on-premises Microsoft SharePoint Servers. This flaw allows unauthorized attackers to execute arbitrary code over a network without requiring user interaction. Notably, SharePoint Online, as part of Microsoft 365, remains unaffected by this vulnerability. The vulnerability is a variant of CVE-2025-49706, an authentication bypass issue previously addressed by Microsoft. Despite earlier patches, attackers have identified new methods to exploit SharePoint servers, leading to the emergence of CVE-2025-53770.
Active Exploitation and Attack Methodology
Reports indicate that attackers have been actively exploiting CVE-2025-53770 since at least July 18, 2025. The exploitation involves deploying web shells, such asspinstall0.aspx, to maintain persistent access to compromised servers. These web shells are used to extract cryptographic secrets, including the MachineKey configuration, which comprises the ValidationKey and DecryptionKey. Possession of these keys enables attackers to impersonate users or services, effectively turning any authenticated SharePoint request into an opportunity for remote code execution. The attack chain, referred to as "ToolShell," leverages a combination of vulnerabilities to achieve unauthorized access and control over SharePoint servers. This method underscores the sophistication of the threat actors and the critical nature of the vulnerability.
Microsoft's Response and Mitigation Measures
In response to the active exploitation, Microsoft has provided interim mitigation guidance, as a comprehensive security update is still under development. Organizations are strongly advised to implement the following measures:- Enable Antimalware Scan Interface (AMSI) Integration: Configuring AMSI integration within SharePoint servers enhances the detection and prevention of malicious activities. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
- Deploy Microsoft Defender Antivirus: Ensuring that Microsoft Defender Antivirus is active on all SharePoint servers provides an additional layer of protection against exploitation attempts.
- Disconnect Vulnerable Servers from the Internet: If enabling AMSI is not feasible, it is recommended to disconnect the affected SharePoint servers from the internet until a security update becomes available.
- Implement Microsoft Defender for Endpoint: Deploying Defender for Endpoint aids in detecting and blocking post-exploitation activities, thereby mitigating potential damage.
spinstall0.aspx files in the SharePoint Layouts directory and unusual HTTP POST requests targeting /_layouts/15/ToolPane.aspx. Regularly reviewing IIS logs for unexpected referer headers pointing to /_layouts/SignOut.aspx can also help identify potential exploitation attempts. Broader Implications and Recommendations
The exploitation of CVE-2025-53770 highlights the persistent threats facing on-premises SharePoint Server deployments. Organizations utilizing these servers must remain vigilant and proactive in implementing security measures. Beyond the immediate mitigations, it is crucial to:- Conduct Comprehensive Security Assessments: Regularly evaluate the security posture of SharePoint servers to identify and address potential vulnerabilities.
- Stay Informed on Security Updates: Monitor official communications from Microsoft and cybersecurity agencies for updates on patches and additional guidance.
- Consider Migration to SharePoint Online: Organizations should evaluate the feasibility of transitioning to SharePoint Online, which benefits from continuous security updates and is not affected by this vulnerability.
Source: Zee News Microsoft Issues Urgent Security Patch After ‘Active Attacks’ On Document-Sharing Software
