A new critical zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, is actively being exploited in targeted attacks. And yes, it’s as serious as it sounds.
Attackers are managing to execute malicious code remotely, without the need for authentication, and even worse: they are maintaining persistent access to affected systems using stolen cryptographic keys.
This new exploit comes shortly after the disclosure of ToolShell, an exploit chain that combined two previous SharePoint flaws to allow unauthenticated remote access. Now, with CVE-2025-53770 also in play and being exploited in a similar fashion, concern is rapidly growing among organizations still using on-premises SharePoint environments—especially those exposed to the internet.
If you have on-premises SharePoint instances, and especially if they are accessible from outside your network (internet-facing), this is a threat you cannot ignore. In this article, we’ll explain what’s going on with CVE-2025-53770, how it relates to other recent vulnerabilities, and what you can do to protect yourself. Spoiler: Microsoft has already released emergency patches to fix this vulnerability and mitigate the risks.
What is CVE-2025-53770 and Why Is It So Dangerous?
CVE-2025-53770 is a remote code execution (RCE) vulnerability with a CVSS score of 9.8, placing it in the category of the most critical flaws.
The issue lies in how SharePoint handles certain data: it involves insecure deserialization of untrusted inputs. Simply put, this allows an attacker to send specially crafted data to force the system to execute malicious commands—and most concerning of all, they don’t even need to be authenticated to do it.
This flaw is a bypass of the fix Microsoft shipped in its July 2025 Patch Tuesday for CVE-2025-49704, one half of the ToolShell chain. As is often the case with more sophisticated threats, attackers found a way around that fix, and Microsoft now tracks the bypass as a separate vulnerability.
CVE-2025-53770 is, in effect, a more robust version of the original problem: the same deserialization weakness reached by a path the July patch did not close. In response, Microsoft has released a second, out-of-band update with what it describes as stronger protections than the July patch.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially acknowledged the threat—so much so that it added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog.
Moreover, it has mandated that all federal agencies apply the relevant patch by July 21, 2025. CISA is also working closely with Microsoft to identify affected organizations and alert them directly.
CVE-2025-53771: Another SharePoint-Related Vulnerability
In addition to the severe remote code execution flaw, Microsoft has also disclosed another SharePoint-related vulnerability: CVE-2025-53771. This time, it’s a spoofing vulnerability with a CVSS score of 6.3.
While not as critical as CVE-2025-53770, it still matters: it is the patch-bypass counterpart of CVE-2025-49706, the authentication-bypass half of ToolShell. The underlying weakness is a path traversal (improper limitation of a pathname to a restricted directory) that lets an attacker spoof requests over the network, so it is the piece that gets an unauthenticated attacker to the endpoint where the deserialization flaw is triggered.
How Are Attackers Exploiting the CVE-2025-53770 Vulnerability?
Since the first reports of real-world attacks exploiting CVE-2025-53770 emerged, security experts have observed patterns that strongly resemble previous campaigns.
One of the most well-known was called ToolShell, an exploit chain that combined two other SharePoint flaws:
- CVE-2025-49706 (authentication bypass, classified by Microsoft as spoofing)
- CVE-2025-49704 (code injection)
Together, they allowed attackers to execute malicious code on SharePoint servers without authentication. Now, CVE-2025-53770 appears to follow a very similar path.
It all starts with a malicious request sent to the server, exploiting the insecure deserialization. From there, attackers extract the server's internal cryptographic keys, specifically the ASP.NET MachineKey values:
- ValidationKey
- DecryptionKey
With these keys in hand, attackers can sign (and, where the configuration requires it, encrypt) their own __VIEWSTATE payloads carrying a serialized gadget chain. ASP.NET authenticates ViewState with an HMAC keyed by the ValidationKey, so a payload signed with the stolen key is indistinguishable from one the server generated, and it is deserialized by any page that accepts a postback.
The result? The attacker keeps executing arbitrary commands through what look like ordinary page requests, survives the patching of the original entry point, and raises little suspicion until the keys are rotated.
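To make the key-theft step concrete, here is an added example (not from the article, not Microsoft's code, and not an exploit) written in PowerShell: a simplified model of ViewState MAC validation. It assumes a bare HMAC-SHA256 over the payload, keyed by a hex ValidationKey; the real ASP.NET format adds object serialization, a ViewStateUserKey and DecryptionKey-based encryption, none of which is modelled here. The function names, keys and payload are the example's own.

```powershell
# Added example (not from the article, Microsoft or any exploit): a simplified
# model of why a stolen ValidationKey equals persistent access. ASP.NET protects
# __VIEWSTATE with an HMAC keyed by the MachineKey's ValidationKey, so anyone
# holding that key can mint payloads the server accepts as its own. Only the
# MAC check that key rotation invalidates is modelled.

function ConvertFrom-HexKey {
    # MachineKey values are stored as hex strings; turn one into bytes.
    param([string]$Hex)
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    return $bytes
}

function Get-MacTag {
    # HMAC-SHA256 over the payload with the ValidationKey.
    param([string]$ValidationKeyHex, [byte[]]$Payload)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new((ConvertFrom-HexKey $ValidationKeyHex))
    try { return $hmac.ComputeHash($Payload) } finally { $hmac.Dispose() }
}

function New-SignedViewState {
    # What the server does when it renders a page: base64(payload || HMAC(payload)).
    param([string]$ValidationKeyHex, [byte[]]$Payload)
    $tag = Get-MacTag -ValidationKeyHex $ValidationKeyHex -Payload $Payload
    return [Convert]::ToBase64String([byte[]]($Payload + $tag))
}

function Test-ViewStateMac {
    # What the server does on postback: recompute the HMAC with its current key
    # and compare in constant time. Only payloads signed with that key pass.
    param([string]$ValidationKeyHex, [string]$ViewStateB64)
    $blob = [Convert]::FromBase64String($ViewStateB64)
    if ($blob.Length -le 32) { return $false }
    $payload  = [byte[]]($blob[0..($blob.Length - 33)])
    $tag      = [byte[]]($blob[($blob.Length - 32)..($blob.Length - 1)])
    $expected = Get-MacTag -ValidationKeyHex $ValidationKeyHex -Payload $payload
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $expected[$i]) }
    return ($diff -eq 0)
}

# Constructed demo keys (hex, like the values in web.config); never real ones.
$serverKey  = 'A1' * 32     # the ValidationKey the server holds today
$rotatedKey = 'B2' * 32     # the key after Update-SPMachineKey

# 1. The attacker has stolen $serverKey (in the real attacks a dropped web shell
#    returned the MachineKey values) and signs a payload of their own.
$attackerPayload = [System.Text.Encoding]::UTF8.GetBytes('<attacker-controlled serialized object>')
$forged = New-SignedViewState -ValidationKeyHex $serverKey -Payload $attackerPayload

# 2. The server's MAC check accepts it exactly as if it had rendered it itself.
Test-ViewStateMac -ValidationKeyHex $serverKey  -ViewStateB64 $forged

# 3. Once the keys are rotated the same ViewState fails validation, which is why
#    patching without rotating keys leaves an already-compromised server exposed.
Test-ViewStateMac -ValidationKeyHex $rotatedKey -ViewStateB64 $forged
```

The second check is the whole point of the key-rotation step later in the article: the patch closes the door the keys walked out of, but only new keys invalidate the payloads an attacker already minted.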
How Are CVE-2025-53770 and CVE-2025-53771 Related to Other SharePoint Flaws?
Although CVE-2025-53770 and CVE-2025-53771 are newly discovered vulnerabilities, they didn’t come out of nowhere. According to Microsoft, both are closely related to two previous SharePoint flaws: CVE-2025-49704 and CVE-2025-49706. When combined, these form what is known as the ToolShell exploit chain—an advanced technique attackers are actively using to execute malicious code in vulnerable environments.
What Is ToolShell?
ToolShell is the name given to an exploit chain demonstrated by researcher Khoa Dinh of Viettel Cyber Security, who identified how to combine two SharePoint vulnerabilities to carry out a complete, unauthenticated attack.
Both flaws were first demonstrated at the Pwn2Own Berlin competition in May 2025, a well-known event for revealing high-impact vulnerabilities. Here's a simplified explanation of each:
- CVE-2025-49706 (CVSS 6.5): An authentication bypass (classified by Microsoft as spoofing) in SharePoint's ToolPane.aspx endpoint. The attacker sets the HTTP Referer header so the request appears to come from the sign-out page and reaches the protected endpoint without logging in.
- CVE-2025-49704 (CVSS 8.8): A code injection vulnerability that allows an attacker with a Site Owner role to execute arbitrary code on the server. It stems from poor input validation in certain SharePoint functions; chained after CVE-2025-49706, the Site Owner requirement no longer matters.
What Can Attackers Achieve with ToolShell?
When these two flaws are chained correctly, an attacker can:
- Reach the vulnerable endpoint without any credentials
- Execute code in the context of the SharePoint application pool (the IIS worker process, w3wp.exe)
- Extract the server's cryptographic keys (ValidationKey and DecryptionKey)
- Sign malicious __VIEWSTATE payloads that SharePoint interprets as legitimate, turning a one-off exploit into persistent access
Alarmingly, all of this can be achieved with a single well-crafted request. That’s why ToolShell has been classified as one of the most concerning exploit chains for SharePoint in recent years.
What Do CVE-2025-53770 and CVE-2025-53771 Have to Do with This?
The new vulnerabilities CVE-2025-53770 and CVE-2025-53771 follow the same logic. Microsoft describes them as bypasses of the July fixes for the two ToolShell flaws: CVE-2025-53770 bypasses the fix for CVE-2025-49704, and CVE-2025-53771 bypasses the fix for CVE-2025-49706.
- CVE-2025-53770 exploits the server via deserialization of malicious data, allowing attackers to extract the MachineKey values and forge __VIEWSTATE payloads.
- CVE-2025-53771, though less critical, is a path traversal weakness in how SharePoint handles path names, enabling spoofing and, within the chain, getting past authentication.
Together, these vulnerabilities show that attackers are refining their methods—leveraging old weaknesses and adapting them with new techniques.
Active exploitation of the full chain was first identified on July 18, 2025, and by July 19 cybersecurity researchers (Eye Security, which raised the initial alarm) had confirmed mass exploitation in real-world environments.
So far, at least 54 organizations across various sectors have been affected. Observed activity includes the IIS worker process (w3wp.exe) spawning cmd.exe and encoded PowerShell commands, theft of the MachineKey values through a dropped web shell, and loading of custom .NET modules, with activity traced to specific IP addresses such as 96.9.125[.]147.
One of the most well-documented incidents was reported by Palo Alto Networks' Unit 42 team, who detected malicious payloads and persistence through key theft and remote execution.
Which Systems Are at Risk from CVE-2025-53770?
These vulnerabilities affect only on-premises versions of SharePoint Server. If you're using SharePoint Online in Microsoft 365, Microsoft states that the service is not affected, so you can breathe a bit easier: there is nothing for you to patch, although hybrid deployments still have an on-premises side to cover.
Affected Versions:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Note that the July 2025 Patch Tuesday updates (KB5002744 for 2016, KB5002741 for 2019, build 16.0.18526.20424 for Subscription Edition) addressed the original ToolShell flaws but do not stop CVE-2025-53770, which bypasses them. A server that was "up to date" as of July 8 is still vulnerable until the out-of-band updates are installed.
How Many SharePoint Servers Are Exposed to the Internet?
According to a recent analysis on Shodan, the search engine for internet-connected devices, over 16,000 SharePoint servers are publicly exposed worldwide. That means anyone—including potential attackers—can detect and scan them from the internet.
Countries with the Most Exposed Servers:
- United States: 3,960 servers
- Iran: 2,488
- Malaysia: 1,445
- Netherlands: 759
- Ireland: 645
Although not all of these servers are at immediate risk, their public visibility makes them potential targets for automated or targeted attacks—especially if they are not up to date or properly secured.
Microsoft SharePoint Results on Shodan
Emergency Updates for SharePoint Now Available
In response to the growing threat from vulnerabilities CVE-2025-53770 and CVE-2025-53771, Microsoft has released out-of-band (OOB) security updates to mitigate these critical flaws in on-premises SharePoint environments.
Which Versions Have Been Patched?
As of now, updates are available for:
-
SharePoint Server 2019 → Update KB5002754
-
SharePoint Subscription Edition → Update KB5002768
Important: At the time of writing there is no patch available for SharePoint Server 2016; Microsoft says it is actively working on one. Until it ships, treat 2016 servers as exposed: keep them off the internet or behind an authenticating proxy, and hunt for the indicators described below.
How Effective Are These Updates?
According to Microsoft, the new patches provide significant security improvements compared to previous updates:
“The update for CVE-2025-53770 includes stronger protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes stronger protections than the update for CVE-2025-49706,” they explained in their official bulletin.
In short: yes, it’s absolutely worth applying them as soon as possible.
What to Do After Installing the Patches
Microsoft recommends rotating SharePoint's ASP.NET machine keys immediately after patching, because an attacker who already stole the keys can keep forging __VIEWSTATE payloads against a fully patched server. You can do this in two ways:
Option 1: Using PowerShell
Run the following cmdlet from the SharePoint Management Shell on a farm server: Update-SPMachineKey
Option 2: Through Central Administration
- Go to the Central Administration site.
- Navigate to: Monitoring → Review job definitions
- Look for the job called "Machine Key Rotation" and click "Run Now"
Whichever option you use, once the rotation completes restart IIS on all servers in the farm so the new keys are loaded, by running: iisreset.exe
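Putting the steps above together, here is an added example (not Microsoft's script) that runs the post-patch checklist against a farm from an elevated SharePoint Management Shell. It assumes the out-of-band update is already installed on every server and that Update-SPMachineKey accepts its documented -WebApplication parameter; confirm both on your build before running it.

```powershell
# Added example (not Microsoft's script): the post-update steps, run as one pass
# from an elevated SharePoint Management Shell on a farm server. Assumptions:
# the out-of-band update is already installed on every server, and
# Update-SPMachineKey takes its documented -WebApplication parameter (confirm
# with Get-Help Update-SPMachineKey -Full on your build).

$ErrorActionPreference = 'Stop'   # a failed rotation must not be followed by iisreset
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build and compare it with the build number in the KB article
#    for your version (KB5002754 for SharePoint 2019, KB5002768 for Subscription
#    Edition). Rotate keys only after patching: on an unpatched farm the attacker
#    can simply steal the new ones.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys. Doing it per web application covers farms
#    that host more than one, Central Administration included.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on every web/application server so w3wp.exe loads the new keys.
#    Database servers appear in Get-SPServer with Role 'Invalid' and are skipped;
#    iisreset.exe accepts a remote computer name as its first argument.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
           Select-Object -ExpandProperty Address
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $server"
    & iisreset.exe $server /noforce
}

# 4. Only now is a forged __VIEWSTATE signed with the old keys rejected. Anything
#    already on disk (web shells, scheduled tasks, extra accounts) still needs hunting.
```

Run it once per farm, not per server: the rotation is a farm-level change, while the IIS restart has to reach every server that serves the web applications.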
How to Tell If Your Server Has Already Been Attacked
Microsoft has also shared specific indicators that may suggest your SharePoint environment has been compromised.
Indicators of Possible Exploitation:
- A file has been created at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx (the web shell used to read the machine keys)
- IIS logs show a POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with the Referer header set to /_layouts/SignOut.aspx
- The IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe with encoded commands
Microsoft 365 Defender Query
Microsoft has also provided a specific advanced-hunting query you can run in Microsoft 365 Defender to check whether the spinstall0.aspx file was created on your servers. This is a quick way to detect the web shell before further damage is done. Treat a hit as a confirmed compromise rather than merely a vulnerable server: rotate the keys and start incident response, not just patching.
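For servers that are not onboarded to Defender, here is an added example (not Microsoft's query) in PowerShell that hunts for the same indicators directly on the host: it parses IIS W3C log lines for the ToolPane.aspx POST with the SignOut.aspx Referer and for requests to spinstall0.aspx, and checks the LAYOUTS folders for the dropped file. The log lines in it are constructed for the demo, the 15 hive is checked in addition to the 16 hive named above as a conservative assumption, and the function names are the example's own.

```powershell
# Added example (not Microsoft's query): host-side hunting for the indicators
# above, for servers without Defender for Endpoint. The log lines at the bottom
# are constructed for the demo; point the functions at your real logs under
# C:\inetpub\logs\LogFiles\W3SVC*\ instead.

function ConvertFrom-IisW3cLog {
    # Turns W3C-format IIS log lines into objects named after the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        $entry  = [ordered]@{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $values.Length; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

function Find-ToolShellRequests {
    # Flags the exploitation request (POST to ToolPane.aspx in edit mode with a
    # Referer ending in /_layouts/SignOut.aspx) and any hit on the spinstall0 shell.
    param([string[]]$Lines)
    foreach ($e in ConvertFrom-IisW3cLog -Lines $Lines) {
        $stem = [string]$e.'cs-uri-stem'
        $hit  = $null
        if ($e.'cs-method' -eq 'POST' -and $stem -match '/ToolPane\.aspx$' -and
            $e.'cs-uri-query' -match 'DisplayMode=Edit' -and
            $e.'cs(Referer)'  -match '/_layouts/SignOut\.aspx$') {
            $hit = 'ToolPane.aspx edit-mode POST with SignOut.aspx Referer'
        } elseif ($stem -match 'spinstall0') {
            $hit = 'Request to spinstall0 web shell'
        }
        if ($hit) {
            [pscustomobject]@{
                When      = "$($e.date) $($e.time)"
                ClientIP  = $e.'c-ip'
                Request   = "$($e.'cs-method') $stem $($e.'cs-uri-query')"
                Status    = $e.'sc-status'
                Indicator = $hit
            }
        }
    }
}

function Test-SpinstallWebShell {
    # Checks the LAYOUTS folder of both hives for the dropped file (the 15 hive is
    # an added assumption; the indicator above names the 16 hive).
    foreach ($hive in '15', '16') {
        $path = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\$hive\TEMPLATE\LAYOUTS\spinstall0.aspx"
        [pscustomobject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

# Constructed sample log (W3C format; IIS encodes spaces inside fields as '+').
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 06:40:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 06:40:21 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/_layouts/SignOut.aspx 200 0 0 312
2025-07-19 06:41:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-07-19 06:42:10 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/sites/hr 200 0 0 40
'@ -split "`r?`n"

Find-ToolShellRequests -Lines $sampleLog | Format-Table -AutoSize
Test-SpinstallWebShell | Format-Table -AutoSize

# Against a real log file:
# Find-ToolShellRequests -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log')
```

Of the three constructed lines, the first two are flagged and the third (a normal authenticated browse) is not; a single flagged ToolPane.aspx POST from an external address is reason enough to assume the keys are gone and rotate them.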
Conclusion
If your organization uses SharePoint Server 2019 or the Subscription Edition, apply the updates immediately and follow the steps to rotate the machine keys. If you're on SharePoint 2016, stay alert: at the time of writing the patch is not yet available but is expected soon.
In the meantime, monitor your IIS logs, check for unusual files in the LAYOUTS folders, and tighten access controls. Microsoft additionally recommends enabling AMSI integration in SharePoint together with an antivirus such as Microsoft Defender Antivirus, and disconnecting internet-facing servers that cannot run AMSI until they are patched. With active attacks underway, every minute counts.