SharePoint “ToolShell” Zero‑Day Vulnerability Exploited Globally

In mid‑July 2025, Microsoft disclosed a critical zero‑day vulnerability, CVE‑2025‑53770, affecting on‑premises SharePoint Server installations. The flaw is a deserialization of untrusted data bug that gives an unauthenticated attacker remote code execution (RCE) over the network, and it carries a CVSS score of 9.8.

🛠 The Attack Chain: ToolShell Exploit

Dubbed “ToolShell,” the exploit chains CVE‑2025‑53770 with a related authentication bypass, CVE‑2025‑53771, which abuses how SharePoint handles the HTTP Referer header: a request that claims to come from the sign‑out page is let through without authentication. The chain works as follows:

  1. Authentication bypass: a crafted POST to /_layouts/15/ToolPane.aspx whose Referer header points at /_layouts/SignOut.aspx (CVE‑2025‑53771).
  2. Remote code execution: the request body carries a serialized payload that the deserialization bug (CVE‑2025‑53770) turns into arbitrary code running on the server.
  3. Key theft: the attacker reads the server’s ASP.NET machine keys (ValidationKey/DecryptionKey) and uses them to sign their own __VIEWSTATE payloads, which the server keeps accepting and deserializing even after the bug is patched; together with dropped web shells this gives long‑term persistence.
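The first two steps of the chain leave a recognisable footprint in the web server logs. The following hunt script is an added example, not code from the original post, from Microsoft or from any vendor; it is an analyst's offline pass over exported IIS logs. It assumes the W3C log format with a #Fields header that includes c-ip and cs(Referer), and that the bypass signature is the publicly reported one (a POST to ToolPane.aspx with a Referer pointing at /_layouts/SignOut.aspx). The sample log lines are constructed, including the follow‑on request name.

```python
"""Hunt for the ToolShell request pattern in IIS W3C logs.

Added example: not code from the original post, Microsoft or any vendor; an
analyst's offline hunt over exported IIS logs. Assumptions: the log uses the
W3C format with a #Fields header that includes c-ip and cs(Referer), and the
bypass signature is the publicly reported one, a POST to ToolPane.aspx whose
Referer points at /_layouts/SignOut.aspx.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). Lines 2 and 3 model a bypass
# followed by the same client fetching a dropped web shell (name is made up);
# line 4 is a normal authenticated page edit that legitimately hits ToolPane.aspx.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 Mozilla/5.0 https://intranet/sites/hr 200
2025-07-18 10:03:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:03:19 10.0.0.5 GET /_layouts/15/example_shell.aspx - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0 https://intranet/_layouts/15/ToolPane.aspx?DisplayMode=Edit 200
"""

# Referer may be logged as a bare path or an absolute URL, so anchor on the tail only.
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.IGNORECASE)


@dataclass
class Hit:
    client_ip: str
    time: str
    uri: str
    referer: str
    followups: list = field(default_factory=list)  # (time, method, uri) from the same client afterwards


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_toolshell(text):
    """Return Hit objects for bypass-pattern requests, each with that client's later requests."""
    hits, first_hit_by_ip = [], {}
    for rec in parse_w3c(text):
        ip = rec.get("c-ip", "-")
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        if ip in first_hit_by_ip:
            # Anything this client does after the bypass is follow-on activity
            # (web shell fetches, key theft, further POSTs) and needs triage.
            first_hit_by_ip[ip].followups.append((rec.get("time", "-"), method, stem))
        if method == "POST" and TOOLPANE.search(stem) and SIGNOUT.search(referer):
            uri = stem if query == "-" else f"{stem}?{query}"
            hit = Hit(ip, rec.get("time", "-"), uri, referer)
            hits.append(hit)
            first_hit_by_ip.setdefault(ip, hit)
    return hits


if __name__ == "__main__":
    for h in hunt_toolshell(SAMPLE_LOG):
        print(f"[!] {h.time} bypass from {h.client_ip}: POST {h.uri} Referer={h.referer}")
        for t, m, u in h.followups:
            print(f"    follow-on {t} {m} {u}")
```

The legitimate ToolPane.aspx POST from the intranet client is not flagged because its Referer is the SharePoint page itself, not the sign‑out page; the point of the rule is the Referer/endpoint pairing, not the endpoint alone. Every request a flagged client makes afterwards is collected because the web shell drop and the key theft in step 3 show up there, not in the bypass request itself.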

🌍 Scope and Impact

  • Initially discovered on roughly 75 servers, the victim count grew to around 400 organizations, including U.S. federal agencies such as the National Nuclear Security Administration, universities, and organizations across Europe and the Middle East.
  • Security firms estimate that thousands of vulnerable SharePoint servers remain reachable from the internet; some estimates put the number at up to 9,000.
  • Microsoft attributes the attacks to China‑linked threat groups: Linen Typhoon, Violet Typhoon, and Storm‑2603.
  • SharePoint Online in Microsoft 365 was not affected; the exposure is limited to on‑premises SharePoint Server (2016, 2019, and Subscription Edition).
  • After gaining access, Storm‑2603 went on to deploy Warlock ransomware, and the stolen machine keys let intruders keep access after the servers were patched.

🧯 Response and Mitigation

  • Microsoft issued emergency patches on July 20 for SharePoint Server Subscription Edition and SharePoint Server 2019, fully fixing both CVE‑2025‑53770 and CVE‑2025‑53771; the update for SharePoint Server 2016 followed a day later.
  • CISA (U.S. Cybersecurity and Infrastructure Security Agency) added CVE‑2025‑53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20, requiring federal civilian agencies to remediate immediately.
  • Security providers like AttackIQ released emulation frameworks to test detection and response to ToolShell TTPs, detailing malicious behaviors like PowerShell encoded commands, scheduled task persistence, credential dumping, lateral movement, and payload delivery.
  • Third‑party tools, such as Cloudflare WAF, implemented emergency rule sets to block known exploit traffic in real‑time.
  • Industry guidance recommends:
    • Applying the latest SharePoint security updates immediately.
    • Disconnecting on‑prem servers from the internet until they are patched and hardened.
    • Rotating the ASP.NET machine keys after patching (and after any suspected compromise) on every server in the farm, then restarting IIS; stolen keys remain valid until they are rotated.
    • Enabling AMSI integration for SharePoint together with Defender Antivirus (or another AMSI‑capable engine), turning on logging, and hunting for web shells.
    • Deploying Zero‑Trust Network Access (ZTNA), segmented access via VPNs, and strong endpoint protection.
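The key‑rotation item above is the one operators most often skip, because the patch looks like the fix. The model below is an added example, not code from the original post and not the real ASP.NET ViewState format or key schedule. It keeps only the property that matters here: the server accepts a __VIEWSTATE blob, and goes on to deserialize it, only when the MAC verifies under its ValidationKey. Whoever holds that key can sign arbitrary payloads, patching the deserialization bug leaves the key unchanged, and a farm member missed during rotation stays forgeable. The server and farm classes are hypothetical stand‑ins.

```python
"""Why machine-key rotation is part of ToolShell remediation: a simplified model.

Added example, not from the original post and not the real ASP.NET ViewState
format or key schedule. The one property kept: a __VIEWSTATE blob is accepted
(and then deserialized) only if its MAC verifies under the server's
ValidationKey. Farm and SharePointServer below are hypothetical stand-ins.
"""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Return base64(payload || HMAC-SHA256(validation_key, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(blob: str, validation_key: bytes):
    """Return the payload if the MAC verifies under validation_key, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # Constant-time compare: a timing leak here would let an attacker forge
    # without the key, which is a separate problem from the one modelled.
    return payload if hmac.compare_digest(mac, expected) else None


def new_validation_key() -> bytes:
    """Fresh random 64-byte key (size chosen for this model, not ASP.NET's exact format)."""
    return secrets.token_bytes(64)


class SharePointServer:
    """Hypothetical stand-in for one farm member's ViewState check."""

    def __init__(self, validation_key: bytes):
        self.validation_key = validation_key

    def handle_viewstate(self, blob: str):
        """Return the bytes the server would deserialize, or None if rejected."""
        return verify_viewstate(blob, self.validation_key)


class Farm:
    """Hypothetical farm: all members share one machine key, as in SharePoint."""

    def __init__(self, size: int):
        shared = new_validation_key()
        self.servers = [SharePointServer(shared) for _ in range(size)]

    def rotate_keys(self, servers=None):
        """Install a new shared key on the given members (default: all of them)."""
        fresh = new_validation_key()
        for s in (self.servers if servers is None else servers):
            s.validation_key = fresh


def demo():
    """Forge with a stolen key, then rotate on all but one farm member.

    Returns (accepted_before_rotation, accepted_by_rotated_members,
             accepted_by_missed_member).
    """
    farm = Farm(3)
    stolen_key = farm.servers[0].validation_key            # step 3 of the chain
    forged = sign_viewstate(b"<attacker gadget chain>", stolen_key)

    # Patching CVE-2025-53770 does not touch the key, so this stays True.
    accepted_before = all(s.handle_viewstate(forged) is not None for s in farm.servers)

    farm.rotate_keys(farm.servers[:-1])                    # incomplete rotation
    accepted_rotated = any(s.handle_viewstate(forged) is not None for s in farm.servers[:-1])
    accepted_missed = farm.servers[-1].handle_viewstate(forged) is not None
    return accepted_before, accepted_rotated, accepted_missed


if __name__ == "__main__":
    before, rotated, missed = demo()
    print(f"forged ViewState accepted before rotation: {before}")
    print(f"accepted by rotated members: {rotated}; by the member that was missed: {missed}")
```

On a real farm the rotation is done with the Update‑SPMachineKey cmdlet (or from Central Administration) for each web application, followed by iisreset on every server; the last line of the demo is the case where one server is forgotten, and it is why the guidance says every server, not just the one where the web shell was found.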

🔍 Why This Matters

  • The incident underlines the risk still carried by on‑prem installations in a cloud‑centric era.
  • The exploit chain bypassed the fixes Microsoft shipped in its July Patch Tuesday release for CVE‑2025‑49704 and CVE‑2025‑49706: attackers diff patches and look for incomplete fixes rather than waiting for wholly new bugs.
  • The mix of espionage and ransomware, with stolen keys used to keep access after remediation, points to a prolonged and damaging threat posture.

✅ Key Takeaways

  Action               Recommendation
  Patch immediately    Install the emergency updates for SharePoint Server 2019, Subscription Edition, and 2016.
  Assume compromise    If the server was reachable from the internet, assume it has been breached and bring in incident response.
  Rotate keys          Rotate the ASP.NET ValidationKey/DecryptionKey on every server and restart IIS so stolen keys no longer sign valid payloads.
  Monitor and hunt     Search for web shells, anomalous scheduled tasks, and POST requests to ToolPane.aspx.
  Strengthen defense   Use AMSI, EDR, WAF rules, and network segmentation.

This incident is a stark reminder that on‑premises systems remain critical attack vectors, especially when patches are incomplete or vulnerabilities are weaponized rapidly.

vertrasec