CVE-2025-53770 is likely one of the most critical SharePoint vulnerabilities to date.
On Sunday, July 20, Microsoft alerted customers to an actively exploited critical zero-day vulnerability, CVE-2025-53770, affecting SharePoint servers. SharePoint Server 2016, 2019, and the Subscription editions are all susceptible, while SharePoint Online is not affected. Any organizations running on-prem SharePoint are advised to act immediately.
Authentication is entirely bypassed by spoofing the Referer header, allowing attackers to upload files, including a web shell. In some cases, researchers are seeing .Net machine keys being stolen so attackers can maintain access even after patching.
Microsoft issued an emergency patch for SharePoint 2019 on July 20 and released the patch for SharePoint 2016 on July 22. Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute and a SANS Faculty Fellow, highly recommends that SharePoint users, especially those still on 2016, move from on-prem SharePoint to SharePoint Online.
If you haven’t already patched, rotated your keys, and checked for signs of compromise, now is the time to prioritize it.
The vulnerability originated from bypassing the mitigations for two previously patched bugs, CVE-2025-49704 and CVE-2025-49706. Microsoft has since issued new CVE numbers and now tracks the remaining deserialization vulnerability as CVE-2025-53770 and the authentication bypass as CVE-2025-53771. Combining these two flaws enables unauthenticated remote code execution. Microsoft issued a patch for the initial two CVEs, but a bypass was quickly discovered, resulting in an exploit that requires no user interaction and provides full control over a targeted server.
At the center of the exploit is the ToolPane.aspx endpoint. Attackers found it can be tricked into processing unauthorized requests by sending a spoofed Referer header claiming the request comes from SharePoint’s logout page, SignOut.aspx. Surprisingly, this is enough to fool SharePoint into believing the request is legitimate and skipping login and authentication.
The attacker then uploads a web shell that gives full access to run commands, download files, and traverse to other systems.
To make things worse, attackers go further by stealing the server’s Machine Keys. These keys are used to encrypt the ViewState. Even after a server is patched, an attacker may use these Machine Keys to create a fake ViewState that can be used to compromise the system. After patching, removing any files prior attacks left behind, and deploying an endpoint protection suite like Defender, the administrator MUST rotate the Machine Key, or the system could be compromised again.
This exploit presents a serious threat for any organization running a vulnerable SharePoint server:
The most common exploit seen so far is uploading a web shell. That gives attackers persistent access to execute arbitrary code, even without going through the vulnerability again. Even if the patch is applied, those web shells will remain.
This exploit opens the door to broader risks. Once in SharePoint, attackers may be able to pivot to other systems, publish malicious documents, or even launch ransomware campaigns.
If you’re running an on-prem SharePoint Server and haven’t already addressed this zero-day, you should assume your system is compromised. The exploit leaves behind specific clues and is already being used in mass attacks. Here's how to detect it and what to do next.
Review your SharePoint logs and endpoint or SIEM alerts. Key indicators to look for include the following source IP addresses:
107.191.58.76
104.238.159.149
96.9.125.147
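The following is an added example (not part of the original SANS post) of a log triage script that turns the indicators above into a check a defender can run over IIS W3C logs from a SharePoint front end. It flags three things the post describes: requests to ToolPane.aspx carrying a Referer that points at SignOut.aspx, unauthenticated POSTs to ToolPane.aspx, and any request from the three listed IP addresses. The log lines embedded in the script are constructed for the example; the host names, user names and the `EXAMPLE-webshell.aspx` path are placeholders, not real indicators.

```python
"""Triage IIS W3C logs for CVE-2025-53770 / CVE-2025-53771 indicators.

Reads the '#Fields:' header so columns are mapped by name rather than by
position, then applies three rules taken from the advisory text.
"""

# Source IPs listed in the advisory as indicators of compromise.
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Constructed sample log (not real traffic). Line 1 is the IIS field header.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:12:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 jdoe 10.0.1.22 Mozilla/5.0 https://sp.example.local/sites/hr 200 0 0 120
2025-07-19 08:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 412
2025-07-19 08:13:46 10.0.0.5 GET /_layouts/15/EXAMPLE-webshell.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 38
2025-07-19 09:01:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 spadmin 10.0.1.40 Mozilla/5.0 https://sp.example.local/_layouts/15/settings.aspx 200 0 0 300
2025-07-19 09:05:00 10.0.0.5 GET
"""


def parse_w3c(text):
    """Yield (line_number, record_dict) for each well-formed data line."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            # Malformed or truncated line: skip it rather than mis-map columns.
            continue
        yield lineno, dict(zip(fields, parts))


def scan_iis_log(text):
    """Return a list of findings; each finding lists every rule a line matched."""
    findings = []
    for lineno, rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        user = rec.get("cs-username", "-")
        method = rec.get("cs-method", "")
        reasons = []

        # Rule 1: ToolPane.aspx hit whose Referer claims to come from SignOut.aspx.
        if uri.endswith("/toolpane.aspx") and referer.endswith("/signout.aspx"):
            reasons.append("spoofed-signout-referer")

        # Rule 2: POST to ToolPane.aspx with no authenticated user (auth was skipped).
        if uri.endswith("/toolpane.aspx") and method == "POST" and user == "-":
            reasons.append("unauthenticated-toolpane-post")

        # Rule 3: any request from a listed attacker IP, including follow-up
        # requests to whatever file was dropped after the initial hit.
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            reasons.append("known-bad-ip")

        if reasons:
            findings.append({
                "line": lineno,
                "c_ip": rec["c-ip"],
                "method": method,
                "uri": rec["cs-uri-stem"],
                "user": user,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['c_ip']} {f['method']} {f['uri']} "
              f"user={f['user']} -> {', '.join(f['reasons'])}")
```

Run it against exported IIS logs by replacing `SAMPLE_LOG` with the file contents; matches on rule 1 or 2 in the July 17–21 window should be treated as a probable compromise and handed to incident response, while rule 3 alone is a strong but secondary signal (shared hosting and proxies can put unrelated traffic behind the same address).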
Whether or not you’ve found signs of compromise, here are steps every on-prem SharePoint admin should take:
1 - Apply Microsoft’s latest security updates
Emergency patches are available for SharePoint Server Subscription Edition and 2019. A patch for SharePoint 2016 is still pending.
2 - Enable AMSI and update antivirus
Make sure SharePoint’s Antimalware Scan Interface (AMSI) is on and that you’re running Microsoft Defender or another antivirus product.
3 - Rotate your machine keys
If attackers stole your server’s ValidationKey and DecryptionKey, they could keep getting in even after you patch. These machine keys are used to sign and encrypt the ViewState in SharePoint. Follow Microsoft’s guidance to generate new keys.
4 - Isolate vulnerable servers if needed
If a server hasn’t been patched or is showing suspicious behavior, take it offline or restrict its access.
5 - Reset credentials and review access
Change service account passwords and review access. Look for newly created or suspicious admin accounts.
6 - Run threat hunts and EDR scans
Use endpoint detection tools to scan for indicators of compromise and post-exploitation activity.
7 - Check backups and logging
Make sure your logs go back to at least July 17–21 and are retained for analysis.
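The explanation above of why stolen machine keys survive patching, and step 3 on rotating them, can be illustrated with a small model of ViewState validation. This is an added example, not code from the post or from Microsoft: it is a simplified stand-in for ASP.NET’s ViewState MAC (a base64 blob with an HMAC-SHA256 tag appended), not the real ViewState format, and the key sizes and names (`old_validation_key`, `rotated_validation_key`) are constructed for the demonstration. It shows that a blob signed with the original key keeps validating after a patch as long as that key stays in place, and is rejected only once the key has been rotated.

```python
"""Toy model of ViewState MAC validation to show why machine-key rotation matters.

Simplification (not the real ASP.NET format): token = base64(payload || HMAC-SHA256(key, payload)).
"""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key() -> bytes:
    """Return a fresh random validation key (64 bytes, length chosen for the example)."""
    return secrets.token_bytes(64)


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Produce a MAC-protected token for a serialized page state."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def validate_viewstate(token: str, validation_key: bytes):
    """Return the payload if the MAC verifies under the given key, else None.

    This is the check the server performs before deserializing ViewState: a
    token is only trusted if it was signed with the key the server holds now.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # Constant-time comparison so validation itself is not a timing oracle.
    return payload if hmac.compare_digest(mac, expected) else None


def demonstrate_rotation():
    """Walk through the patch-then-rotate scenario and return the outcomes."""
    old_validation_key = generate_validation_key()      # key in place before the incident
    page_state = b"constructed-page-state"

    # A token signed while the old key was valid (the attacker, having copied
    # the key from the server, could mint such tokens at will).
    token_signed_with_old_key = sign_viewstate(page_state, old_validation_key)

    # After patching the deserialization bug but keeping the same key, the
    # server still accepts anything signed with the old key.
    accepted_after_patch_only = validate_viewstate(token_signed_with_old_key, old_validation_key) is not None

    # After rotating the key (step 3 of the guidance), the same token fails
    # the MAC check and is never deserialized.
    rotated_validation_key = generate_validation_key()
    accepted_after_rotation = validate_viewstate(token_signed_with_old_key, rotated_validation_key) is not None

    # Legitimate traffic re-signed under the new key continues to work.
    fresh_token = sign_viewstate(page_state, rotated_validation_key)
    fresh_token_accepted = validate_viewstate(fresh_token, rotated_validation_key) is not None

    # A tampered token (one byte of the payload changed) is rejected even under the right key.
    tampered = bytearray(base64.b64decode(fresh_token))
    tampered[0] ^= 0x01
    tampered_accepted = validate_viewstate(base64.b64encode(bytes(tampered)).decode(), rotated_validation_key) is not None

    return {
        "accepted_after_patch_only": accepted_after_patch_only,
        "accepted_after_rotation": accepted_after_rotation,
        "fresh_token_accepted": fresh_token_accepted,
        "tampered_accepted": tampered_accepted,
    }


if __name__ == "__main__":
    for name, value in demonstrate_rotation().items():
        print(f"{name}: {value}")
```

The takeaway matches the post’s ordering of steps: the patch closes the entry point, but only rotating the validation and decryption keys (and restarting so every front end picks up the new values) invalidates what an attacker could have minted with the copied ones.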
CVE-2025-53770 is likely one of the most critical SharePoint vulnerabilities to date. Organizations should treat this as a compromise if running on-prem SharePoint, so patching, threat hunting, and key rotations are essential steps to avoid an incident.
This exploit isn’t a patch-and-move-on situation. If an attacker made it in before you updated, they may still be there, using stolen keys or backdoors to maintain access.
If you find anything suspicious, treat it like an incident and follow your response procedures.
To dive deeper into this threat, including daily updates and expert analysis, check out Dr. Johannes Ullrich’s writeup and podcast episode on the Internet Storm Center. His technical breakdown provides additional context and recommendations worth reviewing.
Dr. Johannes Ullrich is the Dean of Research for SANS Technology Institute, a SANS Faculty Fellow, and founder of the Internet Storm Center (DShield.org) which provides a free analysis and warning service to thousands of Internet users and organizations.