
SharePoint Vulnerabilities CVE-2025-53770 and CVE-2025-53771

Published: Tue 22 July 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

This bulletin addresses the large-scale exploitation of two recently disclosed zero-day vulnerabilities affecting on-premises deployments of Microsoft SharePoint Server: the Critical severity Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770) and the Medium severity Microsoft SharePoint Server Spoofing Vulnerability (CVE-2025-53771). Both vulnerabilities are being actively and widely exploited in the wild; successful exploitation could allow threat actors to execute arbitrary code remotely, resulting in the exfiltration of sensitive data and persistent access.


Vulnerability details

On July 19 2025, the research team at Eye Security published a blog post detailing their discovery of large-scale exploitation of two new zero-day flaws in SharePoint servers. Microsoft and affected organisations were notified.

On July 19 2025, the Microsoft Security Response Center (MSRC) released advisories for both vulnerabilities and published the Customer guidance for SharePoint vulnerability CVE-2025-53770 blog post to disclose the information. That post was updated over the following three days with remediation and detection guidance.

On July 20 2025, the Australian Cyber Security Centre (ACSC) issued an advisory on CVE-2025-53770, advising organisations to review their networks for vulnerable instances and to consult Microsoft's customer guidance for mitigation advice.

The vulnerabilities affect the following Microsoft products:

  • Microsoft SharePoint Server Subscription Edition (patch is available)
  • Microsoft SharePoint Server 2019 (patch is available)
  • Microsoft SharePoint Enterprise Server 2016 (patch is NOT YET available)

Please note: SharePoint Online in Microsoft 365 is not impacted by these vulnerabilities.


Impact

Successful exploitation allows threat actors to execute code remotely and to bypass identity protections such as MFA or SSO. This exposes all SharePoint content, system files and configurations, enables lateral movement across the Windows domain, and lets the threat actor retain persistent access.


Mitigation actions

Refer to Microsoft's Customer guidance for SharePoint vulnerability CVE-2025-53770 for details and check it regularly for updates.

Patches should be applied as a priority as soon as they are available; otherwise the affected server should be disconnected from the internet until a patch is available and can be applied.


Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus. If AMSI cannot be enabled, it is recommended to disconnect the server from the internet until the security update is available.

An Endpoint Detection and Response (EDR) solution such as Defender for Endpoint should be deployed to detect and block post-exploit activity.

After the security patches are applied and AMSI is enabled, it is critical to rotate the SharePoint server ASP.NET machine keys and restart Internet Information Services (IIS) in order to invalidate any tokens a threat actor may have created.
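The post-patch step above, scripted as an added example (this is not code from the bulletin or from Microsoft's guidance). It assumes an elevated SharePoint Management Shell on a SharePoint 2019 or Subscription Edition farm server, where the `Update-SPMachineKey` cmdlet is available; the `-DryRun` switch is an assumed convenience that only lists the web applications whose keys would be rotated.

```powershell
# Added example: rotate the ASP.NET machine keys of every SharePoint web application, then
# restart IIS. Assumes SharePoint 2019 / Subscription Edition and an elevated Management Shell.
param([switch]$DryRun)

# Plain PowerShell window rather than the SharePoint Management Shell: load the cmdlets first
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Record the farm build so the patch level can be compared against Microsoft's advisory
Write-Output "Farm build version: $((Get-SPFarm).BuildVersion)"

# Central Administration is a web application too, so include it in the rotation
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($wa in $webApps) {
    if ($DryRun) {
        Write-Output "Would rotate machine keys for $($wa.Url)"
        continue
    }
    Write-Output "Rotating machine keys for $($wa.Url)"
    # Generates new validation and decryption keys for the web application and deploys them farm-wide
    Update-SPMachineKey -WebApplication $wa
}

if (-not $DryRun) {
    # Worker processes keep the old keys until recycled: restart IIS on this server, and run
    # iisreset on every other SharePoint server in the farm as well
    & iisreset.exe
}
```

Run it once with `-DryRun` to confirm the list of web applications, then without it; the `iisreset` must be repeated on each SharePoint server in the farm, since the key rotation is farm-wide but the IIS restart is local.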


Detection capabilities

Customers who believe they may be affected are advised to verify their current version of SharePoint server and apply any necessary updates and/or other mitigations as outlined above.

The following Indicators of Compromise (IOCs) have been observed by Eye Security and should be used to investigate if exploitation is suspected:

  • 107.191.58[.]76 – US-based source IP of the first successful exploit wave; active exploitation on 18 July around 18:06 UTC, deploying spinstall0.aspx
  • 104.238.159[.]149 – US-based source IP of the second exploit wave; active exploitation on 19 July around 07:28 UTC
  • 96.9.125[.]147 – shared by Palo Alto Networks Unit 42; US-based source IP of the initial (testing) exploit wave, probably active on 17 July around 12:51 UTC, although this attempt did not succeed at Eye Security's customer for an unknown reason
  • 45.77.155[.]170 – US-based source IP of the third exploit wave; active exploitation on 21 July around 19:03 UTC
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 – user agent string used in active exploitation on 18 and 19 July
  • Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 – URL-encoded form of the same user agent string, for IIS log searches
  • /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx – POST path used to trigger the exploit and push Sharpyshell, related to CVE-2025-49706 and/or CVE-2025-53770
  • Referer: /_layouts/SignOut.aspx – exact HTTP header used in the POST request that exploits ToolPane.aspx, related to CVE-2025-53770
  • GET request to the malicious ASPX file at /_layouts/15/spinstall0.aspx – ASPX crypto dumper, as used in CVE-2021-28474 exploitation together with the ysoserial tool to obtain RCE on SharePoint
  • 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 – SHA256 hash of the spinstall0.aspx crypto dumper, probably created with Sharpyshell
  • C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx – location of the malicious ASPX file on Windows servers running SharePoint
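One way to sweep a SharePoint server for the indicators above, as an added example that is not code from the bulletin, Eye Security or Microsoft. It parses IIS W3C logs by their `#Fields:` header and flags the listed source IPs, the ToolPane.aspx POST in edit mode, the SignOut.aspx Referer and any request for spinstall0.aspx, then checks the LAYOUTS folder for the file itself. The function names (`Find-ToolShellIndicators`, `Test-SpinstallArtifact`, `Get-LogField`) and the log root `C:\inetpub\logs\LogFiles` are assumptions (the latter is the IIS default), and the sample log at the end is constructed so the script also runs offline where no IIS logs exist.

```powershell
# Added example (not from the bulletin): search IIS W3C logs for the ToolShell request indicators
# and check for the spinstall0.aspx artifact. Log root and field names are IIS defaults.

# Source IPs from the bulletin, with the defanging brackets removed so they compare with c-ip
$IocSourceIps = @('107.191.58.76', '104.238.159.149', '96.9.125.147', '45.77.155.170')
# IIS writes the user agent with '+' in place of spaces, so the encoded form is the one to match
$IocUserAgent = 'Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0'
$IocSpinstallSha256 = '92BB4DDB98EEAF11FC15BB32E71D0A63256A0ED826A03BA293CE3A8BF057A514'

function Get-LogField([hashtable]$Map, [string[]]$Columns, [string]$Name) {
    # Return a column by its #Fields name, or '' when this log does not carry that field
    if ($Map.ContainsKey($Name) -and $Columns.Count -gt $Map[$Name]) { return $Columns[$Map[$Name]] }
    return ''
}

function Find-ToolShellIndicators {
    param([Parameter(Mandatory)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The W3C header names the columns; IIS can change them mid-file, so rebuild the map each time
            $map = @{}
            $names = $line.Substring(8).Trim() -split ' '
            for ($i = 0; $i -lt $names.Count; $i++) { $map[$names[$i]] = $i }
            continue
        }
        if ($map.Count -eq 0 -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $cols    = $line -split ' '
        $ip      = Get-LogField $map $cols 'c-ip'
        $method  = Get-LogField $map $cols 'cs-method'
        $stem    = Get-LogField $map $cols 'cs-uri-stem'
        $query   = Get-LogField $map $cols 'cs-uri-query'
        $agent   = Get-LogField $map $cols 'cs(User-Agent)'
        $referer = Get-LogField $map $cols 'cs(Referer)'

        $reasons = @()
        if ($IocSourceIps -contains $ip) { $reasons += "known source IP $ip" }
        if ($method -eq 'POST' -and $stem -like '*/_layouts/15/ToolPane.aspx' -and $query -like '*DisplayMode=Edit*') {
            $reasons += 'POST to ToolPane.aspx in edit mode'
        }
        if ($referer -like '*/_layouts/SignOut.aspx*') { $reasons += 'Referer of /_layouts/SignOut.aspx' }
        if ($stem -like '*/spinstall0.aspx') { $reasons += 'request for spinstall0.aspx' }
        # The user agent is an ordinary Firefox string; report it only to corroborate another indicator
        if ($reasons.Count -gt 0 -and $agent -eq $IocUserAgent) { $reasons += 'matching user agent' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Date     = Get-LogField $map $cols 'date'
                Time     = Get-LogField $map $cols 'time'
                SourceIp = $ip
                Request  = "$method $stem"
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

function Test-SpinstallArtifact {
    # Long-name form of the 8.3 path listed in the IOCs
    $path = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx'
    if (-not (Test-Path -Path $path)) { return $null }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    # Any file of this name in LAYOUTS is suspicious; a hash match ties it to the reported sample
    [pscustomobject]@{ Path = $path; Sha256 = $hash; MatchesReportedSample = ($hash -eq $IocSpinstallSha256) }
}

# Constructed sample in IIS W3C format (times are UTC, as IIS logs by default)
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 18:06:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 152
2025-07-18 18:06:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 40
2025-07-18 18:07:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126 - 200 0 0 20
'@

# On a server, scan every IIS site's log folder; elsewhere, run against the constructed sample
$logRoot = 'C:\inetpub\logs\LogFiles'
if (Test-Path -Path $logRoot) {
    $hits = Get-ChildItem -Path $logRoot -Recurse -Filter 'u_ex*.log' |
        ForEach-Object { Find-ToolShellIndicators -Lines (Get-Content -Path $_.FullName) }
} else {
    $hits = Find-ToolShellIndicators -Lines ($SampleLog -split "`r?`n")
}
$hits | Format-Table -AutoSize
Test-SpinstallArtifact
```

Against the constructed sample, the first two lines are reported (the ToolPane POST with the SignOut.aspx Referer, and the follow-up GET for spinstall0.aspx, both from a listed IP) and the ordinary user request is not. A hit on the POST path alone without a listed IP still warrants review, since the source addresses will change between waves while the request shape is tied to the exploit; conversely, the user agent is deliberately not reported on its own because it is a common browser string.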

Triskele Labs customers leveraging our Vulnerability Scanning and Monitor (24×7 SIEM) or MDR services are being proactively assessed and monitored for these IOCs and for signs of lateral movement.




References