SharePoint 0Day Vulnerability Under Active Exploitation (CVE-2025-53770)
Executive Summary
Update July 21st, 2025 22:48 UTC: Microsoft has released a patch for SharePoint 2016. There are now patches available for all supported versions of SharePoint Server. We've updated our advisory accordingly.
Update July 21st, 2025 13:28 UTC: Beazley Security is aware that multiple working exploits for this exploit chain / vulnerability are now being shared publicly. While the exploitation observed over the weekend appeared to target specific sectors, we believe that ransomware groups and other threat actors are likely to begin weaponizing this vulnerability more broadly (likely within hours or days).
Organizations with internet-exposed on-premises SharePoint servers that are not patched should assume compromise. Beazley Security advises organizations to take the following immediate actions:
- Isolate affected systems
- Restore from a known good backup from before July 18th
- Apply the latest patches for SharePoint Subscription Edition or SharePoint 2019 (patch for SharePoint 2016 is pending)
- Rotate the cryptographic keys used for View State security using the following PowerShell cmdlet
Please note that organizations should review additional data to determine whether threat actors attempted to pivot away from the SharePoint server or to exfiltrate any documents hosted on the relevant SharePoint sites.
Update July 21st, 2025 03:05 UTC: Microsoft has provided patches for SharePoint 2019. We've updated our advisory to reflect that. At this time we're still waiting for SharePoint 2016 patches.
Update July 21st, 2025 00:56 UTC: Microsoft has provided updated guidance with details on exact versions which are vulnerable to ToolShell. Additionally, Microsoft has made updates available for SharePoint Subscription Edition and is working on updating SharePoint 2019 and SharePoint 2016.
On July 18th, the security community became aware of active exploitation of a zero-day Remote Code Execution (RCE) vulnerability dubbed “ToolShell” impacting on-premises Microsoft SharePoint Servers. On July 19th, Microsoft assigned the vulnerability CVE-2025-53770 and acknowledged active exploitation. This vulnerability and the currently deployed exploit chain enable attackers to upload malicious ASP.NET payloads to SharePoint servers. Current exploitation attempts leverage a well-crafted malicious payload designed to extract cryptographic keys from the SharePoint servers and then use those keys to execute unconstrained remote code on the affected systems.
This zero-day vulnerability is under active exploitation, and as of the date of this advisory, Microsoft has not yet released patches. Given the widespread use of SharePoint in enterprise environments along with the availability of exploit code, Beazley Security strongly advises implementing the mitigations detailed in this document immediately. If possible, Beazley Security also strongly recommends that organizations temporarily disconnect SharePoint servers from the internet until an official patch becomes available.
Beazley Security MDR is proactively monitoring for potential exploitation activity and conducting continuous threat hunting using both public and private Indicators of Compromise.
Affected Systems or Products
Update July 21st, 2025 22:48 UTC: Microsoft has made updates available for all versions of SharePoint Server. Please review the knowledge base links in the table below for your specific version of SharePoint Server.
Note: SharePoint Online in Microsoft 365 is NOT affected.
Mitigations / Workarounds
According to Microsoft’s official response, it is advised to configure the Windows Antimalware Scan Interface (AMSI) to ensure that files being uploaded to SharePoint are scanned by the antivirus engines installed on these SharePoint servers. Instructions for activating and configuring AMSI can be found in Microsoft’s documentation.
However, there is no guarantee that antimalware scanning will detect all future malicious payloads. As such, organizations with internet-exposed on-premises SharePoint servers that are not patched should assume compromise. Beazley Security advises organizations to take the following immediate actions:
- Isolate affected systems
- Restore from a known good backup from before July 18th
- Apply the latest patches for SharePoint Subscription Edition or SharePoint 2019 (patch for SharePoint 2016 is pending)
- Rotate the cryptographic keys used for __VIEWSTATE using the following PowerShell cmdlet
Patches
As of July 21st, 2025, Microsoft has made updates available for all impacted versions of SharePoint.
Indicators of Compromise
Beazley Security is aware of several hosts actively scanning and attempting to exploit vulnerable SharePoint Servers. According to eye.security, who initially wrote about this active exploitation activity and notified Microsoft, several IPs of actors leveraging this exploit have been seen in the wild since July 18th including:
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
- 103.186.30[.]186
Additionally, initial access through this exploit chain requires a POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx, accompanied by a Referer header of _layouts/SignOut.aspx. Remote code execution is triggered by a GET request to /_layouts/15/spinstall0.aspx.
Previously reported compromises of SharePoint include execution of a specifically crafted ASP.NET payload with the file name spinstall0.aspx and a SHA-256 hash of 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514, initially deployed to the following path on the compromised SharePoint servers: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx.
Additionally, Palo Alto’s Unit 42 shared the following SHA-256 hashes:
- 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030 <-- initial hash observed by Palo Alto Unit 42
- b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70
- fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7 <-- targeting the view state
Technical Details
CVE-2025-53770, referred to as “ToolShell,” is a zero-day remote code execution (RCE) exploit chain affecting on-premises Microsoft SharePoint servers. The vulnerability was first observed in active exploitation on July 18th, 2025, and combines two previously demonstrated vulnerabilities (CVE-2025-49706 and CVE-2025-49704) into a weaponized exploit chain that enables unauthenticated attackers to execute remote code on affected SharePoint servers.
The attack begins with a POST request to the SharePoint endpoint /_layouts/15/ToolPane.aspx using a crafted Referer header (/_layouts/SignOut.aspx) to bypass authentication. This allows the attacker to upload a malicious .aspx file (such as a webshell) to the SharePoint server without valid credentials.
In the currently observed exploit chain, threat actors are not uploading a traditional webshell. Beazley Security is aware of a malicious ASP.NET payload named spinstall0.aspx being actively deployed. The current payload (dubbed SharpyShell) is a stealthy ASP.NET payload designed to extract cryptographic secrets from the compromised SharePoint servers, including the ValidationKey and DecryptionKey from the deployed SharePoint’s MachineKey configuration. These secrets are critical for signing and validating __VIEWSTATE payloads in SharePoint.
Once the attacker obtains these cryptographic keys, they can craft arbitrarily signed __VIEWSTATE payloads using tools such as ysoserial. These payloads, now signed with valid cryptographic keys extracted from the server, are accepted by the server as trusted input, enabling full remote code execution without authentication.
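The request patterns listed under Indicators of Compromise and the chain described in this section can be hunted for in IIS W3C logs. The following is an added example written for this advisory, not Beazley Security's or Microsoft's tooling; the log entries, host names and client addresses in SAMPLE_LOG are constructed, and the field layout is assumed to follow a standard IIS #Fields: directive.

```python
import re
from typing import Dict, Iterator, List

# Request patterns quoted in the advisory, matched case-insensitively because
# IIS resolves URL paths without regard to case.
TOOLPANE_STEM = re.compile(r"/_layouts/15/toolpane\.aspx$", re.IGNORECASE)
TOOLPANE_QUERY = re.compile(r"displaymode=edit.*\ba=/toolpane\.aspx", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"_layouts/signout\.aspx", re.IGNORECASE)
WEBSHELL_STEM = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)

# Constructed sample IIS W3C log (hypothetical hosts and addresses, not real
# data); "-" marks an empty field. The first two entries mimic the chain, the
# third is ordinary user traffic that must not be flagged.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 02:11:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:12:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.44 Mozilla/5.0 https://sp.example.test/ 200
"""


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may re-emit this after a log rollover
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated entry: skip rather than misalign the fields
        yield dict(zip(fields, values))


def hunt_toolshell(text: str) -> List[Dict[str, str]]:
    """Return one finding per request matching a ToolShell request pattern."""
    findings: List[Dict[str, str]] = []
    for e in parse_iis_w3c(text):
        stem, query = e.get("cs-uri-stem", ""), e.get("cs-uri-query", "")
        rule = None
        if e.get("cs-method") == "POST" and TOOLPANE_STEM.search(stem) and TOOLPANE_QUERY.search(query):
            rule = "toolpane-post"  # auth-bypass request; the SignOut Referer raises confidence
            if SIGNOUT_REFERER.search(e.get("cs(Referer)", "")):
                rule = "toolpane-post-signout-referer"
        elif WEBSHELL_STEM.search(stem):
            rule = "spinstall0-request"  # any request for the dropped payload's file name
        if rule:
            findings.append({"rule": rule, "client": e.get("c-ip", ""),
                             "when": f"{e.get('date', '')} {e.get('time', '')}"})
    return findings
```

Run hunt_toolshell over the contents of the server's IIS log files; a toolpane-post hit followed shortly by a spinstall0-request from the same client is the sequence described above and warrants checking the LAYOUTS path for the payload.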
How Beazley Security is Responding
Beazley Security’s MXDR offering has several detections for potential exploitation of this exploit chain targeting SharePoint, including (but not limited to):
- Abuse of the Microsoft IIS worker process (W3WP.exe)
- Attempts to upload or execute webshells
- Execution of suspicious base64 encoded commands
- Files uploaded to SharePoint detected as malware
For Beazley Security Managed EDR Clients, Beazley Security will continue to monitor for suspicious activity and work with our vendor partners to confirm detection.
Beazley Security has also added reported IOCs to threat intelligence lists that will trigger specific alerts upon attempts to upload the previously seen ASP.NET payload dubbed SharpyShell.
Beazley Security MDR has actively threat hunted for potential exploitation activity using both the IOCs listed in this document and several private TLP Amber / TLP Red IOCs that cannot yet be broadly shared.
Beazley Security has notified all clients of its Exposure Management products where we have discovered internet-exposed on-premises SharePoint servers.
Sources
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://research.eye.security/sharepoint-under-siege/
- https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt
- https://x.com/codewhitesec/status/1944743478350557232