    July 24, 2025

    Critical Microsoft SharePoint Server vulnerability allows unauthorized code execution

    Mitigate Now

    What Happened

    On July 19th, 2025, Microsoft acknowledged a new, critical vulnerability in Microsoft SharePoint Server 2016, 2019, and Subscription Edition that allows an unauthenticated attacker to execute code. The root cause of this vulnerability, identified as CVE-2025-53770, is deserialization of untrusted data: data sent to an on-premises (on-prem) Microsoft SharePoint Server over the network is deserialized without authentication, and the attacker controls what gets deserialized. This vulnerability has been observed being paired with another, CVE-2025-53771, a path traversal flaw that gives attackers access to restricted directories.

    Due to several factors such as low attack complexity, no privileges or user interaction required, and a network-based attack vector, CVE-2025-53770 has been assigned a 9.8 (critical) CVSS score. The secondary chained vulnerability, CVE-2025-53771 has been assigned a 6.5 (medium) CVSS score.

    Proof-of-concept exploits for CVE-2025-53770 and CVE-2025-53771 are available, and active exploitation in the wild has been observed by several vendors. Colloquially dubbed "ToolShell" by the security community, the exploit chains both CVE-2025-53770 and CVE-2025-53771. The chain lets a remote attacker bypass authentication by sending a specially crafted HTTP request to ToolPane.aspx (under the /_layouts/15/ virtual directory) with a Referer header set to SignOut.aspx. Following the authentication bypass, a malicious .aspx file is written into the SharePoint LAYOUTS directory, which IIS serves under /_layouts/15/, so the attacker can reach it with an ordinary GET request. The dropped file acts as a webshell: it runs attacker-supplied code in the SharePoint application pool and is the foothold for further commands.

    Additionally, some references have been made to CVE-2025-49704 and CVE-2025-49706. These are the earlier CVEs for the same two weaknesses, which Microsoft patched in the July 2025 security updates. Bypasses of those original fixes were identified, and the bypasses received the new CVE assignments (CVE-2025-53770 and CVE-2025-53771) together with more robust patches.

    What That Means

    A possible scenario for exploitation would look something like this: 

    • Global, internet-wide scans for publicly accessible SharePoint identify a vulnerable server.
    • Attackers are alerted to its presence and begin attempting exploitation with PoC code.
    • Authentication is bypassed, a malicious webshell is dropped, and the attacker gains a foothold from which to begin reconnaissance, lateral movement, and persistence.

    In many cases, the internet-wide scanning for vulnerable versions and exploitation steps are automated and provide attackers even faster access.

    There is a high level of concern about this vulnerability within the security community, simply due to the ease of exploitation and the publicly available proof-of-concept code. By default, Microsoft SharePoint Server 2016, 2019, and Subscription Edition are not configured to be publicly accessible, but they can be configured that way, intentionally or otherwise, and those exposed servers are the ones the scans above find.

    How to Identify and What to Do

    For clarity, this vulnerability ONLY affects on-prem versions of Microsoft SharePoint Server. Microsoft confirmed that SharePoint Online in Microsoft 365 is not impacted.

    For affected versions of SharePoint, this is a critical-priority vulnerability that should be patched as soon as possible. If your organization runs a vulnerable version of on-prem SharePoint, you should strongly consider out-of-band patching to address the ToolShell exploit, and you should treat any server that was internet-reachable before patching as potentially compromised until the checks below come back clean.

    How to identify

    Because exploitation is low-complexity and the PoC is widely circulated, if you are running a vulnerable version of on-prem SharePoint you should check for the following Indicators of Compromise:

    • Unusual/unexpected files in C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\ (the physical path behind /_layouts/15/), for example:
      • spinstall0.aspx
        • SHA-1 f5b60a8ead96703080e73a1f79c3e70ff44df271
        • SHA-1 c06ffcd6b18b1dca51b58d07da1dc89605e31de3
      • xxx.aspx
        • SHA-1 fe3a3042890c1f11361368aeb2cc12647a6fdae1
      • App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll (the ASP.NET-compiled form of the webshell; these App_Web_*.dll files land under the Temporary ASP.NET Files directory rather than LAYOUTS)
        • SHA-1 76746b48a78a3828b64924f4aedca2e4c49b6735
      • test.txt
        • SHA-1 950aa10a81ba10b955c67be49af80e91190a9231
      • qlj22mpc.dll
        • SHA-1 7f21382d6f09cb2336255b9484013c756a7d9282
    • Network Connections to or from known attacker IPs
      • 96.9.125[.]147
      • 107.191.58[.]76
      • 104.238.159[.]149
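    The following PowerShell is an added hunting script, not code from the original post or from Blumira or Microsoft, that turns the exploit-chain description above (POST to ToolPane.aspx with a SignOut.aspx Referer, then a webshell in LAYOUTS) and the IOC list into two checks you can run on a SharePoint server: hash every .aspx/.dll/.txt under LAYOUTS against the listed SHA-1s (and flag anything written recently, since LAYOUTS normally only changes at install or patch time), then scan IIS W3C logs for the bypass request pattern and the listed IPs. It assumes the default install and IIS log paths, a 30-day "recently written" window, and the sample log lines are constructed for illustration.

```powershell
# Added example (not Blumira's or Microsoft's code): hunt for ToolShell artifacts on an
# on-prem SharePoint server. Run from an elevated PowerShell session on the SharePoint host.
# Assumptions: default install path under Web Server Extensions\16, IIS logs in the
# default W3C location, 30-day window for "recently written" files.
$LayoutsDir = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$IisLogDir  = 'C:\inetpub\logs\LogFiles'

# SHA-1 hashes and IPs from the IOC list above.
$KnownBadSha1 = @(
    'f5b60a8ead96703080e73a1f79c3e70ff44df271',
    'c06ffcd6b18b1dca51b58d07da1dc89605e31de3',
    'fe3a3042890c1f11361368aeb2cc12647a6fdae1',
    '76746b48a78a3828b64924f4aedca2e4c49b6735',
    '950aa10a81ba10b955c67be49af80e91190a9231',
    '7f21382d6f09cb2336255b9484013c756a7d9282'
)
$KnownBadIps = @('96.9.125.147', '107.191.58.76', '104.238.159.149')

# 1) Files in LAYOUTS that match a known hash or were written recently. LAYOUTS content is
#    laid down by the installer and by patches, so a fresh .aspx there deserves a look even
#    if its hash is not on the list (attackers rename and re-pack webshells freely).
$since = (Get-Date).AddDays(-30)   # assumption: adjust to your last patch date
Get-ChildItem -Path $LayoutsDir -Recurse -Include *.aspx,*.dll,*.txt -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash.ToLower()
        $hit  = $KnownBadSha1 -contains $sha1
        if ($hit -or $_.LastWriteTime -gt $since) {
            [pscustomobject]@{
                Path     = $_.FullName
                Written  = $_.LastWriteTime
                Sha1     = $sha1
                KnownBad = $hit
            }
        }
    } | Format-Table -AutoSize

# 2) IIS W3C logs: the bypass request (POST to ToolPane.aspx with a SignOut.aspx Referer)
#    and any request from the listed IPs. Column positions are taken from the #Fields: line
#    so the function works whatever logging fields the site has enabled.
function Find-ToolShellRequests {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        $isBypass = ($row['cs-method'] -eq 'POST') -and
                    ($row['cs-uri-stem'] -match '/_layouts/15/ToolPane\.aspx$') -and
                    ($row['cs(Referer)'] -match 'SignOut\.aspx')
        $isBadIp  = $KnownBadIps -contains $row['c-ip']
        if ($isBypass -or $isBadIp) {
            $reason = if ($isBypass) { 'ToolPane/SignOut bypass pattern' } else { 'Known attacker IP' }
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Request  = "$($row['cs-method']) $($row['cs-uri-stem'])"
                Referer  = $row['cs(Referer)']
                Status   = $row['sc-status']
                Reason   = $reason
            }
        }
    }
}

# Constructed sample lines (not real logs) so the function can be exercised offline;
# the second and third lines are what the bypass and the follow-up webshell fetch look like.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.0.20 Mozilla/5.0 - 200 0 0 120',
    '2025-07-19 03:14:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 96.9.125.147 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 315',
    '2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 200 0 0 40'
)
Find-ToolShellRequests -Lines $sample | Format-Table -AutoSize

# Against the real logs (one file at a time, so large log directories stay manageable).
Get-ChildItem -Path $IisLogDir -Recurse -Filter *.log -ErrorAction SilentlyContinue |
    ForEach-Object { Find-ToolShellRequests -Lines (Get-Content -Path $_.FullName) } |
    Format-Table -AutoSize
```

A clean server should return nothing from the hash check and nothing from the log check beyond your own administrators editing pages. A hit on the bypass pattern with a 200 status is the strongest signal: the unauthenticated POST succeeded, so treat the host as compromised and move on to key rotation and a full investigation rather than only deleting the dropped file.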

    If you suspect or can confirm your server has been compromised, you must also rotate your ASP.NET machine keys. These keys have been targeted and stolen in several confirmed incidents (the spinstall0.aspx payload exists to read them out). With the validation and decryption keys in hand, an attacker can forge authentication tokens and sign ViewState payloads that SharePoint will deserialize, and so re-compromise the host even after patching and account resets. Rotate the keys on every web application in the farm, then restart IIS on every server so the new keys take effect.
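    As an added example of the key-rotation step, not code from the original post, Blumira, or Microsoft: the script below rotates the machine keys for each web application in the farm through the SharePoint cmdlets, fingerprints the machineKey element in each web.config before and after so you can see the rotation actually took effect, and restarts IIS on every SharePoint server. It assumes the farm has the July 2025 security update installed and that the Update-SPMachineKey cmdlet is available on it; if the cmdlet is not present, run the Machine Key Rotation timer job from Central Administration instead, and keep the fingerprint check. The IisSettings property walk for the web.config path is also an assumption about the object model, not something the post states.

```powershell
# Added example (not Microsoft's or Blumira's code): rotate SharePoint's ASP.NET machine keys
# after a confirmed or suspected ToolShell compromise. Run from the SharePoint Management
# Shell as a farm administrator, after the security update has been installed.
# Assumptions: Update-SPMachineKey is available on this farm; each web application's
# web.config paths are reachable via $wa.IisSettings (object-model detail, not from the post).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    param([string]$WebConfigPath)
    # Short SHA-256 fingerprint of the validation and decryption keys, so before/after output
    # proves the rotation happened without ever printing the key material itself.
    [xml]$cfg = Get-Content -Path $WebConfigPath
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) { return $null }
    $bytes = [Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    $sha   = [Security.Cryptography.SHA256]::Create()
    return ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-').Substring(0, 16)
}

function Get-WebConfigPaths {
    param($WebApplication)
    # One web.config per IIS zone (Default, Intranet, Extranet, ...) of the web application.
    $WebApplication.IisSettings.Values | ForEach-Object { Join-Path $_.Path.FullName 'web.config' }
}

# Central Administration has its own keys too; do not leave it out.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

$before = @{}
foreach ($wa in $webApps) {
    foreach ($cfgPath in Get-WebConfigPaths $wa) { $before[$cfgPath] = Get-MachineKeyFingerprint $cfgPath }
}

foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Rotation is carried out by a timer job on each server; give it a moment, then compare.
Start-Sleep -Seconds 60
foreach ($cfgPath in $before.Keys) {
    $after = Get-MachineKeyFingerprint $cfgPath
    $state = if ($after -and $after -ne $before[$cfgPath]) { 'rotated' } else { 'UNCHANGED - check the timer job' }
    Write-Host ("{0}`n  before {1}  after {2}  => {3}" -f $cfgPath, $before[$cfgPath], $after, $state)
}

# New keys are only picked up by fresh worker processes: restart IIS on every SharePoint
# server in the farm (SQL servers report Role 'Invalid' and are skipped).
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}
```

Any web.config that reports UNCHANGED after the wait still carries the keys the attacker may hold; do not consider the host clean until every zone of every web application shows a new fingerprint and IIS has been restarted on each server.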

    What to Do

    If you have on-prem Microsoft SharePoint Server running 2016, 2019, or Subscription Edition versions, you should patch immediately. Considering the criticality of this vulnerability, it is advised to perform out-of-band patching and not wait for a regular patch cycle.

    No action is required if you are using Microsoft 365-based SharePoint Online versions, as these are not impacted.

    At this time, there are no official workarounds. Patching is the only guaranteed mitigation. If you are absolutely unable to patch, remove public access to your on-prem SharePoint servers (put them behind a VPN or an authenticating proxy) until you can. A WAF rule that blocks POST requests to /_layouts/15/ToolPane.aspx carrying a Referer of SignOut.aspx can blunt the public PoC, but it only covers the request shape described above and should be treated as a stopgap, not a fix. As an additional mitigation step, Microsoft has recommended enabling the Antimalware Scan Interface (AMSI) integration for SharePoint, backed by a capable antivirus engine on the server, so the deserialized payload is inspected before it runs.

    Who’s Impacted

    • On premises deployments of Microsoft SharePoint Server 2016, 2019, and Subscription Edition

    When Will Microsoft Fix It

    As of July 20th, 2025, Microsoft has released emergency patches to address CVE-2025-53770 and CVE-2025-53771.

    Release date   Product                                            Article              Download
    Jul 20, 2025   Microsoft SharePoint Server Subscription Edition   Details              Security Update
    Jul 20, 2025   Microsoft SharePoint Server 2019                   Details, 5002753     Security Update: https://www.microsoft.com/en-us/download/details.aspx?id=108287
    Jul 20, 2025   Microsoft SharePoint Enterprise Server 2016        5002760, 5002759     Security Update: https://www.microsoft.com/en-us/download/details.aspx?id=108289

    Some additional items of note from Microsoft’s documentation in regards to patching these vulnerabilities:

    Are the two new CVEs that were released related to the two SharePoint vulnerabilities that were documented by CVE-2025-49704 and CVE-2025-49706?

    Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.

    There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

    Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.

    How Blumira Can Help

    For Blumira customers, two default-enabled Blumira detections would catch the webshell activity specific to the exploits mentioned in this article:

    • Webshells by File Write
    • Potential IIS Webshell Activity

    Additionally, we are working to see what other detection opportunities exist based on the tactics, techniques, and procedures we’ve observed related to these CVEs and will be sure to update this post as new detections are created and released.

    Jake Ouellette

    Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.
