ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover
Summary: Security Advisory
Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.
There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
| Field | Value |
| --- | --- |
| OEM | Microsoft |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-53770, CVE-2025-53771 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These flaws allow an unauthenticated attacker to execute code remotely on on-premises servers and take full control of affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| --- | --- | --- | --- | --- |
| SharePoint Server Remote Code Execution Vulnerability | CVE-2025-53770 | SharePoint Server (on-prem) | Critical | 9.8 |
| SharePoint Server Remote Code Execution Vulnerability | CVE-2025-53771 | SharePoint Server (on-prem) | Medium | 6.3 |
Technical Summary
The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers.
ToolShell is an evolution of CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches under new CVEs (CVE-2025-53770, CVE-2025-53771). These latest variants are actively exploited in the wild.
The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey, which are used to sign __VIEWSTATE payloads.
With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise.
| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-53770 | SharePoint 2016, 2019 | Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads | Remote Code Execution, full system compromise |
| CVE-2025-53771 | SharePoint 2016, 2019 | Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques | Persistent access without credentials |
Remediation:
To mitigate potential attacks, organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately:
- Apply Security Updates:
  - SharePoint Server 2019: KB5002741
  - SharePoint Server 2016: KB5002744
  - SharePoint Subscription Edition: KB5002768
- Enable AMSI Protection:
  - Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint.
  - AMSI was turned on by default in the September 2023 updates for SharePoint 2016/2019.
- Rotate Cryptographic Keys:
  - Use Update-SPMachineKey (PowerShell) or Central Admin.
  - Restart IIS using iisreset.exe after key rotation.
- Deploy Endpoint Protection:
  - Use Microsoft Defender for Endpoint or equivalent XDR tools.
CISA Alert and Advisory Inclusion:
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure.
Indicators of Compromise (IOCs):
| Type | Value (Obfuscated/Generalized) | Description |
| --- | --- | --- |
| IP Address | 107.191.58[.]76, 104.238.159[.]149 | Observed in initial and second attack waves |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User-Agent string seen in exploitation requests |
| URL Path | POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx | Exploit entry point targeting ToolPane |
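To make the indicators above actionable in a log review, the following added example (not part of the advisory) parses IIS W3C log lines and flags requests matching the ToolPane entry point, the listed IP addresses and the listed User-Agent. The log lines are constructed, and the default IIS W3C field order is assumed; the Firefox User-Agent is a common browser string, so on its own it is a weak signal and is only reported alongside the other indicators.

```python
import re
from urllib.parse import parse_qs

# Indicators from the advisory's IOC table (de-fanged IPs restored for matching).
SUSPECT_IPS = {"107.191.58.76", "104.238.159.149"}
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
              "Gecko/20100101 Firefox/120.0")
TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)

# Assumed default IIS W3C field layout (15 fields).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log: one benign GET and two ToolPane POSTs.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 jdoe 10.0.0.50 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200 0 0 120
2025-07-19 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 310
2025-07-19 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 curl/8.4.0 - 200 0 0 95
"""

def parse_iis_line(line):
    """Split one W3C line into a dict; IIS writes spaces inside fields as '+'."""
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def score_request(rec):
    """Return the names of the advisory indicators that this request matches."""
    hits = []
    if rec["cs-method"] == "POST" and TOOLPANE_RE.search(rec["cs-uri-stem"]):
        hits.append("toolpane-post")
        q = parse_qs(rec["cs-uri-query"])
        # The advisory's exploit URL carries DisplayMode=Edit and a=/ToolPane.aspx
        if (q.get("DisplayMode", [""])[0].lower() == "edit"
                and "toolpane.aspx" in q.get("a", [""])[0].lower()):
            hits.append("toolpane-edit-query")
    if rec["c-ip"] in SUSPECT_IPS:
        hits.append("known-ip")
    if rec["cs(User-Agent)"].replace("+", " ") == SUSPECT_UA:
        hits.append("known-user-agent")
    return hits

def find_toolshell_activity(lines):
    """Return (line_number, hits) for every log line matching an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):
            continue  # W3C directive lines carry no request data
        rec = parse_iis_line(line)
        hits = score_request(rec) if rec else []
        if hits:
            findings.append((n, hits))
    return findings
```

Run `find_toolshell_activity(SAMPLE_LOG.splitlines())` to see both POSTs reported; the second one matches only on the request shape, which is still worth investigating because the advisory's IPs are only those observed so far.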
Conclusion:
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.
The vulnerabilities are not theoretical: attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity.