
Critical SharePoint Zero-Day Exploited: What You Need to Know About CVE-2025-53770

CVE-2025-53770 is likely one of the most critical SharePoint vulnerabilities to date.

Authored by Dr. Johannes Ullrich

Intro

On Sunday, July 20, Microsoft alerted customers to an actively exploited critical zero-day vulnerability, CVE-2025-53770, affecting SharePoint servers. SharePoint Server 2016, 2019, and the Subscription editions are all susceptible, while SharePoint Online is not affected. Any organization running on-prem SharePoint is advised to act immediately.

Authentication is entirely bypassed by spoofing the Referer header, allowing attackers to upload files, including a web shell. In some cases, researchers are seeing .Net machine keys being stolen so attackers can maintain access even after patching.

Microsoft issued an emergency patch for SharePoint 2019 on July 20 and released the patch for SharePoint 2016 on July 22. Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute and a SANS Faculty Fellow, highly recommends that SharePoint users, especially those still on 2016, move from on-prem SharePoint to SharePoint Online.

If you haven’t already patched, rotated your keys, and checked for signs of compromise, now is the time to prioritize it.

How the Exploit Works

The vulnerability originated from bypassing mitigations for two previously patched bugs, CVE-2025-49704 and CVE-2025-49706. Microsoft has since issued new CVE numbers for the vulnerabilities and is now tracking them as CVE-2025-53770 for the remaining deserialization vulnerability and CVE-2025-53771 for the authentication bypass issue. Combining these two flaws enables unauthenticated remote code execution. Microsoft issued a patch for the initial two CVEs, but a bypass was quickly discovered, resulting in an exploit that requires no user interaction and provides full control over a targeted server.

At the center of the exploit is the ToolPane.aspx endpoint. Attackers found it can be tricked into processing unauthorized requests by sending a spoofed Referer header claiming they’re coming from SharePoint’s logout page, SignOut.aspx. Surprisingly, this is enough to fool SharePoint into believing the request is legitimate and skipping login and authentication.

The attacker then uploads a web shell that gives full access to run commands, download files, and traverse to other systems.

To make things worse, attackers go further by stealing the server’s Machine Keys. These keys are used to encrypt the ViewState. Even after a server is patched, an attacker may use these Machine Keys to create a fake ViewState that can be used to compromise the system. After patching, removing any files prior attacks left behind, and deploying an endpoint protection suite like Defender, the administrator MUST rotate the Machine Key, or the system could be compromised again.

What This Means

This exploit presents a serious threat for any organization running a vulnerable SharePoint server:

  • No login required. Anyone with access to the server can get in, even without a username or password.
  • Full control. Attackers can do anything the SharePoint server can do, including reading documents, uploading malware, or attacking other parts of your network.
  • Silent persistence. Even if you apply patches, attackers may still have access if they stole the server’s keys.

The most common exploit seen so far is uploading a web shell. That gives attackers persistent access to execute arbitrary code, even without going through the vulnerability again. Even if the patch is applied, those web shells will remain.

This exploit opens the door to broader risks. Once in SharePoint, attackers may be able to pivot to other systems, publish malicious documents, or even launch ransomware campaigns.

Incident Timeline

  • Pre-July 2025: Exploit chain demonstrated at Pwn2Own by Code White GmbH
  • July 17: Researcher discovers Referer-based bypass
  • July 18-19: Active exploitation confirmed by Eye Security
  • July 19-21: Microsoft advisory, CISA alert, and emergency patch rollout
  • July 21: News breaks of mass exploitation and hundreds of organizations affected

Detection and Mitigation Guidance

If you’re running an on-prem SharePoint Server and haven’t already addressed this zero-day, you should assume your system is compromised. The exploit leaves behind specific clues and is already being used in mass attacks. Here's how to detect it and what to do next.

Review your SharePoint logs and endpoint or SIEM alerts. Key indicators to look for include:

  • Suspicious requests to /ToolPane.aspx
    • Look for HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, especially if they include a Referer header set to /SignOut.aspx.
  • Presence of a web shell
    • Check your SharePoint layouts directory for unfamiliar .aspx files, especially one named spinstall0.aspx.
  • Unusual server activity
    • Look for the SharePoint IIS worker process (w3wp.exe) launching command-line or PowerShell processes.
  • Known attacker IPs
    • Review logs for any traffic from the following IP addresses:
      • 107.191.58.76
      • 104.238.159.149
      • 96.9.125.147
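As an added example that is not part of the original article, the following Python script applies the three log-based indicators above (a POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer, any request for spinstall0.aspx, and traffic from the listed attacker IPs) to IIS W3C extended logs. The sample log lines, hostname, timestamps and user names are constructed for illustration; the w3wp.exe child-process indicator comes from endpoint telemetry rather than IIS logs and is not covered here.

```python
"""Scan IIS W3C extended logs for the CVE-2025-53770 indicators listed above."""
import re

# Attacker IPs named in the article; everything else in this file is constructed.
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
WEB_SHELL = re.compile(r"/_layouts/(15/)?spinstall0\.aspx$")

# Constructed sample log (hostname, timestamps and users are made up for the example).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:01:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.local/_layouts/SignOut.aspx 200
2025-07-18 22:01:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-18 22:05:30 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 https://sp.example.local/sites/hr 200
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can repeat mid-file; keep the latest
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_indicators(text):
    """Return (c-ip, cs-uri-stem, reason) tuples for every request matching an indicator."""
    hits = []
    for r in parse_iis_log(text):
        ip, uri = r.get("c-ip", "?"), r.get("cs-uri-stem", "")
        query, referer = r.get("cs-uri-query", "").lower(), r.get("cs(Referer)", "").lower()
        # 1. Authentication bypass: POST to ToolPane.aspx in edit mode with SignOut.aspx as Referer
        if (r.get("cs-method") == "POST" and uri.lower().endswith("/_layouts/15/toolpane.aspx")
                and "displaymode=edit" in query and "/signout.aspx" in referer):
            hits.append((ip, uri, "ToolPane.aspx POST with spoofed SignOut.aspx Referer"))
        # 2. Web shell: any request for spinstall0.aspx under the layouts directory
        if WEB_SHELL.search(uri.lower()):
            hits.append((ip, uri, "request for spinstall0.aspx web shell"))
        # 3. Known attacker infrastructure from the article
        if ip in KNOWN_IPS:
            hits.append((ip, uri, "traffic from known attacker IP"))
    return hits

if __name__ == "__main__":
    for ip, uri, reason in find_indicators(SAMPLE_LOG):
        print(f"{ip:16} {uri:32} {reason}")
```

Point `find_indicators` at the contents of a real `u_ex*.log` file from the SharePoint site's IIS log directory; one request can legitimately produce several hits, which is useful for triage.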

What to Do Right Now

Whether or not you’ve found signs of compromise, here are steps every on-prem SharePoint admin should take:

1 - Apply Microsoft’s latest security updates

Emergency patches are available for SharePoint Server Subscription Edition and 2019. A patch for SharePoint 2016 is still pending.

2 - Enable AMSI and update antivirus

Make sure SharePoint’s Antimalware Scan Interface (AMSI) is on and that you're running Microsoft Defender or another anti-virus.

3 - Rotate your machine keys

If attackers stole your server’s ValidationKey and DecryptionKey, they could keep getting in even after you patch. These machine keys are used to sign and encrypt the ViewState in SharePoint. Follow Microsoft’s guidance to generate new keys.

4 - Isolate vulnerable servers if needed

If a server hasn’t been patched or is showing suspicious behavior, take it offline or restrict its access.

5 - Reset credentials and review access

Change service account passwords and review access. Look for newly created or suspicious admin accounts.

6 - Run threat hunts and EDR scans

Use endpoint detection tools to scan for indicators of compromise and post-exploitation activity.

7 - Check backups and logging

Make sure your logs go back to at least July 17–21 and are retained for analysis.

Final Thoughts

CVE-2025-53770 is likely one of the most critical SharePoint vulnerabilities to date. Organizations should treat this as a compromise if running on-prem SharePoint, so patching, threat hunting, and key rotations are essential steps to avoid an incident.

This exploit isn’t just a patch and move on situation. If an attacker made it in before you updated, they may still be there using stolen keys or backdoors to maintain access.

If you find anything suspicious, treat it like an incident and follow your response procedures.

To dive deeper into this threat, including daily updates and expert analysis, check out Dr. Johannes Ullrich’s writeup and podcast episode on the Internet Storm Center. His technical breakdown provides additional context and recommendations worth reviewing.