
Critical SharePoint Vulnerability (CVE-2025-53770)

by CyRisk

We are issuing an urgent alert regarding a critical and actively exploited vulnerability, identified as CVE-2025-53770, affecting on-premises Microsoft SharePoint Servers.


Why This Matters

This vulnerability allows unauthorized remote code execution on unpatched SharePoint servers—no authentication required. Attackers can:

  • Gain full control over SharePoint servers
  • Bypass Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
  • Access all SharePoint content and internal configurations
  • Exfiltrate cryptographic keys
  • Persist even after patching is applied

Note: SharePoint Online in Microsoft 365 is not impacted.




Technical Overview

Background

  • CVE-2025-53770 is a deserialization of untrusted data vulnerability in on-prem SharePoint.
  • It is a variant of CVE-2025-49704 and part of the ToolShell exploit chain (includes CVE-2025-53771).
  • Exploit uses the HTTP Referer header (/_layouts/SignOut.aspx) to bypass auth and interact with ToolPane.aspx.
  • The exploit drops spinstall0.aspx, which leaks cryptographic secrets like the ValidationKey.
  • Once the ValidationKey is exposed, attackers can sign VIEWSTATE payloads and remotely execute commands without credentials.

Detection Methods

Microsoft Defender Alerts

  • Detection Names:
    • Exploit:Script/SuspSignoutReq.A
    • Trojan:Win32/HijackSharePointServer.A
  • Alert Titles:
    • Possible web shell installation
    • Exploitation of SharePoint server vulnerabilities
    • Suspicious IIS worker process behavior
    • Malware blocked on SharePoint server

Vulnerability Management

  • Use Microsoft Defender Vulnerability Management (MDVM) to:
    • Filter for CVE-2025-53770 and CVE-2025-53771
    • View exposed devices, patch status, and evidence of exploitation

Advanced Hunting Queries (Microsoft 365 Defender)

Query for vulnerable software:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49706", "CVE-2025-53770")

Query for creation of spinstall0.aspx:

DeviceFileEvents
| where FolderPath has_any ("LAYOUTS")
| where FileName has "spinstall0"

Query for PowerShell execution via w3wp.exe:

DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
| where ProcessCommandLine has_any ("EncodedCommand", "-ec")
// Split the command line into arguments so each base64-looking token can be tested on its own
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments
| extend CommandArguments = tostring(CommandArguments)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"


Indicators of Compromise (IOCs)

Malicious Files

Look for any of the following:

  • spinstall0.aspx, spinstall1.aspx, etc.
  • Locations:
    • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\
    • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
  • SHA256 Hash: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

Suspicious Web Activity

  • HTTP POST to /ToolPane.aspx?DisplayMode=Edit
  • Referer: /_layouts/SignOut.aspx
  • User-Agent: Firefox/120.0 or encoded variants
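As an added example (not part of the CyRisk bulletin), the following Python script applies the web indicators above to an IIS W3C log and also flags requests for the spinstall*.aspx files named under Malicious Files. The log lines are constructed; the sp.example.test host and 203.0.113.10 address are documentation placeholders, not real indicators.

```python
"""Flag ToolShell-style requests in IIS W3C logs (added example, not from the bulletin)."""
import re
from typing import Iterator

# Constructed sample log: private/TEST-NET addresses and an example host, not real IOCs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.9 Mozilla/5.0+Firefox/128.0 - 200
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 python-requests/2.31 - 200
2025-07-19 03:20:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.0.22 Mozilla/5.0+Firefox/128.0 https://sp.example.test/_layouts/15/settings.aspx 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def toolshell_findings(text: str) -> list:
    """Return (client IP, reason) pairs for requests matching the bulletin's web indicators."""
    findings = []
    for r in parse_w3c(text):
        stem, query = r.get("cs-uri-stem", "").lower(), r.get("cs-uri-query", "").lower()
        referer, ua = r.get("cs(Referer)", "").lower(), r.get("cs(User-Agent)", "")
        # Primary indicator: POST to ToolPane.aspx in edit mode with a SignOut.aspx referer.
        # A legitimate admin edit (normal referer, see "bob" above) is not flagged.
        if (r.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
                and "displaymode=edit" in query and referer.endswith("/_layouts/signout.aspx")):
            reason = "ToolPane.aspx edit POST with SignOut.aspx referer"
            if "Firefox/120.0" in ua:  # secondary signal from the bulletin
                reason += " (Firefox/120.0 UA)"
            findings.append((r["c-ip"], reason))
        # Any request for a dropped spinstall*.aspx web shell is suspicious on its own.
        elif re.search(r"/spinstall\d*\.aspx$", stem):
            findings.append((r["c-ip"], "request for " + stem.rsplit("/", 1)[-1]))
    return findings


if __name__ == "__main__":
    for ip, why in toolshell_findings(SAMPLE_LOG):
        print(f"{ip}\t{why}")
```

Point it at a real log by replacing SAMPLE_LOG with the contents of the W3C files under the IIS log directory; the #Fields line in each file drives the column mapping.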

Known Malicious IPs

Scan logs for connections to/from these IPs between July 18–21, 2025:


Immediate Response Recommendations

  1. Isolate or shut down affected servers immediately
  2. Reset credentials and secrets that may have been exposed
  3. Engage incident response experts ASAP
  4. Disconnect unsupported SharePoint versions (e.g., SharePoint 2013) from the internet

Patching & Remediation

Apply Latest Security Updates

  • SharePoint Server Subscription Edition: KB5002768
  • SharePoint Server 2019: KB5002754 and KB5002753
  • SharePoint Server 2016: KB5002760 and KB5002759

Patches are cumulative; the latest includes previous fixes.

Rotate ASP.NET Machine Keys

Patching alone does not revoke leaked keys.

Run the following PowerShell commands:

Set-SPMachineKey -WebApplication <YourWebApp>
Update-SPMachineKey -WebApplication <YourWebApp>

Use caution when applying across load-balanced or clustered environments.


Additional Mitigations

  • Deploy Microsoft Defender for Endpoint or equivalent EDR
  • Enable AMSI (Antimalware Scan Interface)
    • Enable Full Mode HTTP scanning if available
    • Defender Antivirus is required to block unauthenticated exploitation
  • Ensure your SharePoint version has AMSI enabled (available from Sep 2023 updates onward)
  • If AMSI cannot be enabled:
    • Disconnect the server from the internet, or
    • Place it behind an authenticated proxy or VPN
  • Update WAF/IPS rules to detect exploit patterns
  • Review and reduce layout/admin privileges
  • Enable logging and auditing across SharePoint services

For further guidance or assistance addressing this vulnerability, schedule a call with our security team.
