Threat Briefing: CVE-2025-53770 “ToolShell” – Active SharePoint Zero Day
SharePoint Online (Microsoft 365) is unaffected; this applies only to on-premises SharePoint Server 2013 and later.
What’s Happening
Vulnerability: A critical (CVSS 9.8) deserialization flaw in on-premises Microsoft SharePoint Server allows unauthenticated remote code execution over the network.
Active Exploitation: Microsoft has confirmed that this vulnerability is being exploited in the wild.
Scope Impacted: Only on-premises SharePoint environments are vulnerable. SharePoint Online (Microsoft 365) is not affected.
Exploitation Breakdown
Attackers send crafted serialized data that the server deserializes without validation, leading to unauthenticated remote code execution. No prior access or user interaction is required.
Severity and CVSS
This vulnerability has a CVSS v3.1 score of 9.8. It is network-based, low complexity, requires no privileges or user interaction, and results in full confidentiality, integrity, and availability impact.
Mitigation Recommendations (Until Patch is Released)
According to Microsoft:
- Deploy Defender for Endpoint to detect post-exploitation activity.
- Ensure AMSI integration is enabled in on-premises SharePoint Server.
- Enable Microsoft Defender Antivirus on all SharePoint hosts.
- If AMSI cannot be enabled, disconnect vulnerable servers from the internet until they are patched.
In case of a successful compromise
Threat actors have been observed searching for machine keys, including in:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Rotate ASP.NET machine keys: if the machine keys may have been exposed, immediately rotate or regenerate them so that any keys captured during exploitation are invalidated. The keys in question are the validationKey and decryptionKey in the <machineKey> element of each SharePoint web application's web.config; an attacker who holds them can continue to forge payloads the server accepts even after it is patched, which is why rotation is required after a successful exploitation and not only the patch. Follow Microsoft's guidance on key rotation.
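A post-rotation check, added here as an example and not part of the briefing or of Microsoft's guidance: rotation only helps if the new <machineKey> actually landed in the web.config of every server that serves the web application, if none of them is left on AutoGenerate, and if all of them agree (front-ends with mismatched keys break view state and forms-authentication tickets between each other). The script assumes you kept a pre-incident copy of web.config (for example from backup) and have collected the current web.config from each server for one web application; it compares them and reports only key fingerprints, never key material. The web.config fragments and key values are constructed placeholders; real keys are long hex strings.

```python
# Added example (not the briefing's or Microsoft's code): verify that an ASP.NET
# machineKey rotation took effect on every SharePoint server for one web application.
import hashlib
import xml.etree.ElementTree as ET


def extract_machine_key(web_config_xml: str):
    """Return (validationKey, decryptionKey) from <system.web><machineKey>, or None."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return None
    return (mk.get("validationKey", ""), mk.get("decryptionKey", ""))


def key_fingerprint(key_pair) -> str:
    """Short hash so findings can be reported without echoing key material."""
    return hashlib.sha256("|".join(key_pair).encode()).hexdigest()[:12]


def check_rotation(pre_incident_config: str, current_configs: dict):
    """current_configs maps server name -> current web.config text.

    Returns (ok, findings). ok is True only when every server has an explicit,
    non-AutoGenerate machineKey that differs from the pre-incident one and all
    servers carry the same key pair.
    """
    findings = []
    old = extract_machine_key(pre_incident_config)
    by_fingerprint = {}
    for server, cfg in current_configs.items():
        mk = extract_machine_key(cfg)
        if mk is None:
            findings.append(f"{server}: no explicit <machineKey>; ASP.NET will auto-generate one per server")
            continue
        if any("AutoGenerate" in v for v in mk):
            findings.append(f"{server}: machineKey set to AutoGenerate, keys will not match across the farm")
            continue
        if mk == old:
            findings.append(f"{server}: machineKey unchanged since the pre-incident snapshot; rotation did not take effect")
        by_fingerprint.setdefault(key_fingerprint(mk), []).append(server)
    if len(by_fingerprint) > 1:
        groups = "; ".join(f"{fp}: {','.join(srvs)}" for fp, srvs in by_fingerprint.items())
        findings.append(f"servers disagree on machineKey ({groups})")
    return (not findings, findings)


def _web_config(validation: str, decryption: str) -> str:
    # Minimal constructed web.config shape; only <machineKey> matters for this check.
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
        'validation="HMACSHA256" decryption="AES" />'
        "</system.web></configuration>"
    )


# Constructed samples: the 'OLD-' pair is the compromised one, 'NEW-' the rotated one.
PRE_INCIDENT = _web_config("OLD-VALIDATION-KEY", "OLD-DECRYPTION-KEY")
PARTIAL_ROTATION = {
    "SP-WFE01": _web_config("NEW-VALIDATION-KEY", "NEW-DECRYPTION-KEY"),
    "SP-WFE02": _web_config("NEW-VALIDATION-KEY", "NEW-DECRYPTION-KEY"),
    "SP-APP01": _web_config("OLD-VALIDATION-KEY", "OLD-DECRYPTION-KEY"),  # server the rotation missed
}
FULL_ROTATION = {s: _web_config("NEW-VALIDATION-KEY", "NEW-DECRYPTION-KEY") for s in PARTIAL_ROTATION}

if __name__ == "__main__":
    for label, configs in (("partial", PARTIAL_ROTATION), ("full", FULL_ROTATION)):
        ok, findings = check_rotation(PRE_INCIDENT, configs)
        print(label, "OK" if ok else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Run it after the rotation and the IIS restart that loads the new keys; a stale server shows up as both "unchanged since the pre-incident snapshot" and as a member of a second fingerprint group, which is exactly the server an attacker holding the old keys would still be able to target.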
Detection and Hunting Guidance
Defender AV Detections:
Exploit:Script/SuspSignoutReq.A
Trojan:Win32/HijackSharePointServer.A
Defender for Endpoint Alerts to Monitor:
Possible web shell installation
Suspicious IIS worker process behavior
‘SuspSignoutReq’ malware was blocked
Advanced Hunting KQL query (we have already hunted using this):
DeviceFileEvents
| where FolderPath matches regex @"Web Server Extensions\\\d+\\TEMPLATE\\LAYOUTS"
| where (FileName =~ "spinstall0.aspx" or FileName has "spinstall0")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
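The same hunting logic re-expressed in Python, added here as an example and not code from the briefing, so it can be run offline over DeviceFileEvents rows exported from Advanced Hunting (or any file-creation telemetry with the same columns). The folder regex and the spinstall0 file-name test come from the query above; the severity ranking is an added triage hint that treats a write by the IIS worker process (w3wp.exe) as the web-shell-write pattern the alert names above describe. The sample events are constructed, not real telemetry.

```python
# Added example (not from the briefing): the Advanced Hunting query above, in Python,
# run over constructed DeviceFileEvents-style records.
import re
from dataclasses import dataclass

# Same pattern as the KQL: "Web Server Extensions\<n>\TEMPLATE\LAYOUTS" with one
# backslash between path elements. KQL 'matches regex' is case-sensitive; IGNORECASE
# is a deliberate broadening here because NTFS paths are case-insensitive.
LAYOUTS_RE = re.compile(r"Web Server Extensions\\\d+\\TEMPLATE\\LAYOUTS", re.IGNORECASE)

# KQL: FileName =~ "spinstall0.aspx" or FileName has "spinstall0".
# A case-insensitive substring test covers both clauses.
SUSPECT_TOKEN = "spinstall0"


@dataclass
class FileEvent:
    """Subset of the DeviceFileEvents columns the query projects."""
    timestamp: str            # ISO-8601, sortable as a string
    device_name: str
    initiating_process: str   # InitiatingProcessFileName
    file_name: str
    folder_path: str
    action_type: str


def matches_query(ev: FileEvent) -> bool:
    """True when the event would be returned by the KQL on the page."""
    return bool(LAYOUTS_RE.search(ev.folder_path)) and SUSPECT_TOKEN in ev.file_name.lower()


def hunt(events):
    """Return [(event, severity)] newest first, mirroring 'order by Timestamp desc'.

    Severity is an added triage hint: a file dropped into LAYOUTS by the IIS worker
    process (w3wp.exe) is the web-shell-write pattern; any other writer still needs
    review but is ranked lower.
    """
    hits = []
    for ev in events:
        if not matches_query(ev):
            continue
        severity = "high" if ev.initiating_process.lower() == "w3wp.exe" else "medium"
        hits.append((ev, severity))
    hits.sort(key=lambda h: h[0].timestamp, reverse=True)
    return hits


LAYOUTS = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"

# Constructed sample telemetry, not real alerts.
SAMPLE_EVENTS = [
    FileEvent("2025-07-19T10:15:02Z", "SP-WFE01", "w3wp.exe", "spinstall0.aspx", LAYOUTS, "FileCreated"),
    FileEvent("2025-07-19T10:15:03Z", "SP-WFE01", "w3wp.exe", "default.aspx", LAYOUTS, "FileModified"),
    FileEvent("2025-07-19T11:40:00Z", "SP-WFE02", "powershell.exe", "SPINSTALL0.aspx", LAYOUTS, "FileCreated"),
    FileEvent("2025-07-19T12:00:00Z", "WS-ANALYST", "chrome.exe", "spinstall0.aspx", r"C:\Users\analyst\Downloads", "FileCreated"),
    FileEvent("2025-07-19T12:30:00Z", "SP-WFE01", "w3wp.exe", "spinstall.aspx", LAYOUTS, "FileCreated"),
]

if __name__ == "__main__":
    for ev, sev in hunt(SAMPLE_EVENTS):
        print(f"{sev.upper():6} {ev.timestamp} {ev.device_name} {ev.initiating_process} -> {ev.folder_path}\\{ev.file_name}")
```

Of the five constructed events only two are returned: the w3wp.exe write on SP-WFE01 (high) and the PowerShell write on SP-WFE02 (medium, different writer but same file in the same folder). The download outside LAYOUTS and the differently named file are excluded, just as the KQL would exclude them; if you widen the name test to catch renamed copies, keep the folder condition, since it is what separates a web shell drop from a file merely named like one.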
Timeline and Outlook
Update: July 20, 2025:
- Microsoft clarified the affected SharePoint products in the advisory summary.
- Fix-availability guidance was made available.
- Additional protection guidance was added; Microsoft also released security updates for supported SharePoint versions.
- Recommendations now include installing the July 2025 security updates and rotating machine keys.
- The SharePoint 2019 security update was published, with links to the CVEs and the updates. (A patch for SharePoint 2016 is still pending.)
Microsoft's Security Update Guide entry for the related CVE-2025-53771:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
July 20, 2025: A public proof-of-concept exploit became available:
https://github.com/soltanali0/CVE-2025-53770-Exploit/tree/main
July 19, 2025: Microsoft published the advisory and confirmed active exploitation.
At that point no patch had been released; one was being tested and an out-of-band update was expected shortly.
Threat intelligence suggests groups such as Silk Typhoon or Storm-0506 may be involved.
Immediate Action Plan (if you run SharePoint on-premises)
Task | Details
1. Mitigation | Enable AMSI and Defender AV, or isolate affected servers
2. Detection | Ontinue will monitor Defender AV and Defender for Endpoint alerts and run hunting queries
3. Network Defense | Segment internet-facing servers and restrict access
4. Investigation | Assess for signs of compromise and collect forensic evidence
5. Patch Readiness | Deploy the July 2025 SharePoint security update as soon as it is available for your version, then rotate machine keys
Indicators of Compromise
Summary
CVE-2025-53770 is a critical zero-day vulnerability currently being exploited in the wild. Organizations running on-premises SharePoint must implement the mitigations immediately, monitor for signs of compromise, apply the security update as soon as it is available for their version, and rotate machine keys if exploitation is suspected.