CVE-2025-53770: A 9.8/10 Critical Exploit Targeting SharePoint

July 23, 2025
Lucie Cardiet
Cyberthreat Research Manager

Over the past weekend, a large-scale wave of unauthenticated remote code execution (RCE) attacks, known as ToolShell, began targeting on-premises Microsoft SharePoint servers around the world. This is a real, fast-moving campaign that takes advantage of two newly disclosed vulnerabilities: CVE-2025-53770 and CVE-2025-53771.

CVE-2025-53771 lets an unauthenticated attacker reach a privileged SharePoint page, and CVE-2025-53770 is a deserialization-of-untrusted-data flaw in SharePoint's ASP.NET-based web front end. Chained, they give attackers code execution on the SharePoint server without credentials or user interaction.

No usernames. No phishing. No malware. Just a single HTTP request sent to an exposed SharePoint endpoint.

Here’s what security teams need to understand, and how the Vectra AI Platform can help stop these attacks before they spread.

What’s Happening: The 3 Most Important Things to Know

1. Exploitation Is Active and Ongoing

Attackers are using a weaponized exploit chain called ToolShell to compromise on-prem SharePoint 2016, 2019, and Subscription Edition servers. The chain combines two flaws that allow remote code execution without authentication. The initial entry requires only a crafted POST request.

In short: Hackers can fully compromise your SharePoint server without logging in. And they are already doing it.

2. The Exploit Provides Long-Term, Stealthy Access

Once inside, attackers drop a small webshell (spinstall0.aspx) whose only job is to read the server's ASP.NET machine keys: the ValidationKey and DecryptionKey. With those, they can sign their own __VIEWSTATE payloads that any SharePoint page will accept, and execute commands again and again. Changing passwords or installing the patch later does not help on its own: the forged tokens stay valid until the machine keys themselves are rotated, which is why Microsoft's post-patch guidance is to rotate the keys and restart IIS.

In short: Once inside, attackers can create trusted access so they can come and go undetected, even after you think you’ve fixed the problem.

3. The Campaign Is Global and Accelerating

Eye Security and other researchers have confirmed mass scanning and widespread compromise. Over 85 organizations had already been impacted at the time of writing. Public tools and IP lists are circulating, and more than 9,300 SharePoint servers have been identified as exposed to the internet.

In short: The tools to exploit this are public, the targets are known, and your SharePoint server could be next.

Why Attackers Love CVE-2025-53770

  • No login required: The attack works without credentials or phishing.
  • Complete server control: Full access to SharePoint data, system files, and configurations.
  • Lateral movement potential: Pivot into Exchange, OneDrive, Teams, and Active Directory.
  • Cryptographic key theft: Stolen MachineKeys enable long-term backdoor access.
  • Hard to detect: The exploit mimics legitimate SharePoint traffic and activity.

Anatomy of the ToolShell Exploit

  • Step 1: Malicious HTTP Request
    The attacker sends a crafted POST to /_layouts/15/ToolPane.aspx (DisplayMode=Edit) with a forged Referer header of /_layouts/SignOut.aspx.
  • Step 2: Authentication Bypass
    Because of the spoofed Referer, the server treats the request as part of the sign-out flow and skips authentication, so an unauthenticated attacker reaches a page that deserializes attacker-controlled data.
  • Step 3: Webshell Uploaded
    The deserialization payload writes spinstall0.aspx into the SharePoint LAYOUTS directory. It is not an interactive shell; its only purpose is to dump cryptographic keys.
  • Step 4: Stealing Machine Keys
    The webshell calls .NET configuration internals to read the ValidationKey and DecryptionKey from the running application.
  • Step 5: Crafting ViewState Tokens
    The attacker feeds the stolen keys to ysoserial.net to generate correctly signed __VIEWSTATE payloads.
  • Step 6: Remote Code Execution
    The signed payload is posted to any page that accepts ViewState (e.g., /_layouts/15/success.aspx), and the gadget chain runs as the SharePoint application pool account.
  • Step 7: Persistence & Lateral Movement
    Backdoors are installed, internal services are scanned, and the attacker moves laterally across the domain.

What Attackers Can Do Next After Exploiting CVE-2025-53770 and CVE-2025-53771

Exploiting ToolShell is not the end of the attack. It is the beginning of a deeper compromise. Once a server is breached, attackers can:

1. Forge Trusted Tokens

With stolen MachineKeys, attackers generate valid __VIEWSTATE payloads to execute malicious commands repeatedly and silently.
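The reason this persists through a patch is that two different control points are involved: the ToolPane bug, which the update closes, and ViewState MAC validation, which every page performs against the same machine key and which the update does not change. The following is an added example (not code from the post, Vectra or Microsoft) that models both control points in a hypothetical SharePointServer class. It stands in for ASP.NET's real ViewState format with a plain HMAC-SHA256 over the payload; the real scheme derives purpose-specific keys and has more framing, but the dependency on the ValidationKey is the same.

```python
"""Simplified model of why a stolen ValidationKey outlives the SharePoint patch.

Assumptions (this is a model, not the real ASP.NET ViewState format): the MAC is a
plain HMAC-SHA256 over the serialized payload, appended to it; the real scheme derives
purpose-specific keys, but the trust decision rests on the same machine key.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """What ysoserial.net's ViewState plugin does once it has the key: payload || MAC."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


class SharePointServer:
    """Hypothetical server with the two entry points that matter for this attack."""

    def __init__(self):
        self.validation_key = os.urandom(64)  # the key spinstall0.aspx would dump
        self.patched = False                   # fix for the ToolPane auth bypass applied?
        self.executed = []                     # payloads that reached the deserializer

    def toolpane_post(self, authenticated: bool) -> Optional[bytes]:
        """Pre-patch: anyone reaches ToolPane.aspx and, via the deserialization bug,
        runs code that reads the machine key. Post-patch: a login is required."""
        if self.patched and not authenticated:
            return None
        return self.validation_key

    def any_page_post(self, viewstate: str) -> bool:
        """Every page validates __VIEWSTATE with the machine key and, if the MAC checks
        out, deserializes it. Patching ToolPane does not touch this code path."""
        blob = base64.b64decode(viewstate)
        payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
        expected = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                  # "Validation of viewstate MAC failed"
        self.executed.append(payload)     # the gadget chain would run here
        return True

    def rotate_machine_key(self):
        """The step that actually invalidates forged tokens."""
        self.validation_key = os.urandom(64)


def run_scenario() -> dict:
    server = SharePointServer()
    gadget = b"<serialized gadget chain>"  # constructed stand-in for a real payload

    stolen_key = server.toolpane_post(authenticated=False)   # stages 1-4
    forged = sign_viewstate(stolen_key, gadget)               # stage 5

    result = {"viewstate_pre_patch": server.any_page_post(forged)}   # stage 6: runs

    server.patched = True   # apply the security update, nothing else
    result["toolpane_after_patch"] = server.toolpane_post(authenticated=False) is not None
    result["viewstate_after_patch"] = server.any_page_post(forged)  # still runs

    server.rotate_machine_key()
    result["viewstate_after_rotation"] = server.any_page_post(forged)  # rejected
    result["payloads_executed"] = len(server.executed)
    return result


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step:26s} {value}")
```

Running the scenario shows the forged token accepted before and after the patch and rejected only after rotate_machine_key, which is the behaviour behind Microsoft's guidance to rotate machine keys as part of remediation rather than relying on the update alone.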

In short: They create fake, trusted activity that bypasses normal controls.

2. Establish Backdoors

They often deploy additional webshells, alter SharePoint components, or modify configurations to maintain persistence through reboots and patches.

In short: They hide their access so even future cleanups may not remove them.

3. Move Laterally Across the Environment

Attackers use compromised credentials and tokens to access other systems and escalate privileges across the network. They can move laterally through your data center, campus network, remote workforce, identity infrastructure, cloud services, and even IoT/OT systems. From there, they often target Microsoft 365 services (Office, Teams, OneDrive, and Outlook) to steal documents, communications, credentials, and other high-value data.

In short: They use SharePoint as a launchpad to compromise your entire environment.

4. Abuse Microsoft Copilot for Reconnaissance

If Copilot for SharePoint is enabled, attackers can use it to summarize documents, extract sensitive content, and map internal structures using prompt engineering.

In short: They use your own AI tools to find what matters most, faster.

5. Steal or Ransom Data

With full access to SharePoint content, emails, and internal documents, attackers can exfiltrate sensitive information or deploy ransomware.

In short: They turn your data into leverage and profit.

How Vectra AI Helps

Attacks like ToolShell don’t rely on stolen credentials, malware, or user interaction. They exploit logic flaws in trusted applications, bypassing identity, endpoint, and perimeter by design. And that’s why most traditional defenses never see them coming.

Vectra AI already provides detection coverage for both the original ToolShell exploit chain (CVE-2025-49704) and its newer variant, CVE-2025-53771, for customers leveraging Vectra Match with proper sensor visibility. These detections identify exploitation attempts based on the shared deserialization logic and endpoint abuse used in the attack chain. Our Engineering team is actively expanding coverage for additional exploit variants, including CVE-2025-53770, ensuring protection evolves as the threat does.

Beyond detection, the Vectra AI Platform enables your SOC to investigate with speed and precision. It correlates attacker behaviors across SharePoint, identity systems, and cloud services – highlighting everything from webshell deployment to PowerShell execution and lateral movement.

Combined with integrations with your SIEM, SOAR and EDR stack, Vectra AI supports rapid, confident response before attackers can escalate.

Ready for the Next Variant?

Whether attackers tweak the Referer, change the file name, or pivot to a new zero-day, Vectra AI’s approach doesn’t rely on static IOCs or signatures. It uses machine learning models built to detect abuse of protocols, behavior, and privilege - no matter how it’s packaged.

Vectra AI doesn’t see just the breach. It helps you understand it, contain it, and stay ahead of what comes next.

If you’re running on-premises SharePoint, you can’t afford to rely on perimeter tools alone.

Vectra AI closes the visibility gap where others fall short:

FAQs