The Shadow Over SharePoint – CVE-2025-53770

Introduction: The Silent Siege

In July 2025, a storm engulfed on-premises Microsoft SharePoint environments worldwide. CVE-2025-53770—a critical unauthenticated remote code execution (RCE) vulnerability—has been actively exploited by advanced threat actors, compromising government agencies, energy firms, and universities. This flaw isn’t just another entry in the CVE catalog; it’s a potent weapon enabling total server takeover. Here’s what you need to know.

1. Vulnerability Overview: Anatomy of CVE-2025-53770

CVE-2025-53770 is a deserialization-of-untrusted-data flaw in on-premises SharePoint Server (2016, 2019 and Subscription Edition). It is a variant of CVE-2025-49704 (RCE) and is used together with the authentication bypass CVE-2025-49706 (spoofing) in the exploit chain known as “ToolShell”, which lets an unauthenticated attacker execute arbitrary code on the server; its companion CVE-2025-53771 likewise bypasses the original fix for CVE-2025-49706. Only on-premises deployments are affected; SharePoint Online in Microsoft 365 is not.

Key Technical Mechanics:

  • Attack Vector: A POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit that carries a forged Referer: /_layouts/SignOut.aspx header is served without authentication.

  • Exploitation Chain:
    1. Authentication Bypass: Because of the forged Referer, SharePoint skips authentication and form digest validation for the ToolPane.aspx request.

    2. Web Shell Upload: The deserialization bug is used to write a malicious page (e.g., spinstall0.aspx) into the LAYOUTS directory.

    3. Key Theft: spinstall0.aspx is not an interactive shell; when requested it reads the web application's ASP.NET machineKey settings (ValidationKey and DecryptionKey, held in web.config) and returns them to the attacker.

    4. RCE via ViewState: With the stolen keys the attacker signs arbitrary __VIEWSTATE payloads (built with tools such as ysoserial.net) that SharePoint deserializes, giving command execution that survives patching until the keys are rotated.

2. Attacker Intent: Beyond Initial Access

Threat actors attributed by Microsoft to China, including the nation-state groups Linen Typhoon and Violet Typhoon and the China-based actor Storm-2603, aim for persistent control and data exfiltration. Their objectives:

  • Cryptographic Key Theft: Stolen MachineKeys let an attacker forge valid ViewState and other signed tokens later, even after the server is patched, unless the keys are rotated.

  • Lateral Movement: A compromised SharePoint server sits on the same identity and data fabric as Outlook, Teams and OneDrive, and is used as a gateway to them.

  • Espionage & Data Theft: Defense, energy and government organizations are targeted for intellectual property and sensitive data.

3. Known Indicators of Compromise (IOCs)

Table 1: Known Indicators of Compromise

| Indicator Type | Value | Description |
|---|---|---|
| File path | \15\TEMPLATE\LAYOUTS\spinstall0.aspx | Primary web shell; variants include spinstall1.aspx and spinstall2.aspx |
| File path | \16\TEMPLATE\LAYOUTS\debug_dev.js | Contains stolen MachineKey data |
| SHA-256 | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | spinstall0.aspx |
| SHA-256 | 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030 | qlj22mpc.dll |
| SHA-256 | b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70 | File name not yet known |
| SHA-256 | fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7 | File name not yet known |
| SHA-256 | 27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014 | spinstall0.aspx (a second sample) |
| SHA-256 | 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2 | App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll (ASP.NET-compiled form of the web shell) |
| SHA-256 | b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93 | test.txt |
| SHA-256 | f917e0fd57784e40d9a41069f30b2b5cf83db29b52072c308ff030eaf1fcd764 | File name not yet known |
| IP address | 104.238.159[.]149 | Observed in post-exploitation C2 traffic |
| IP address | 188.130.206[.]168 | Observed in post-exploitation C2 traffic |
| IP address | 131.226.2[.]6 | Observed in post-exploitation C2 traffic |
| URL | c34718cbb4c6.ngrok-free[.]app/file.ps1 | Ngrok tunnel delivering PowerShell payloads |
| Log anomaly | POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, especially with Referer /_layouts/SignOut.aspx | Sign of exploitation attempts |

Detection Queries:

  • Microsoft 365 Defender:
DeviceFileEvents  
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS", "15\\TEMPLATE\\LAYOUTS")  
| where FileName has "spinstall0"

  • Trend Vision One:
eventSubId: 901 AND objectRawDataStr: "TEMPLATE\LAYOUTS\spinstall0.aspx"
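Both queries above key on the file name spinstall0, so renamed variants (the IOC table already lists spinstall1.aspx and spinstall2.aspx) need request-level hunting as well. The script below is an added example, not code from this page or from Microsoft: it reads IIS W3C logs, flags the request pattern from section 1 (a POST to ToolPane.aspx?DisplayMode=Edit carrying a /_layouts/SignOut.aspx Referer), requests for the known web shell names, and client IPs from the IOC table, then returns the source addresses behind the high-severity hits so you can pivot into other logs. The sample log lines, their field layout and the 203.0.113.x addresses (a documentation range) are constructed; the field names assume the default IIS W3C logging fields plus cs(Referer).

```python
"""Hunt IIS W3C logs for the ToolShell request pattern and the IOCs listed above.

Added example: the log layout and every sample line below are constructed.
Point hunt() at real files under %SystemDrive%\\inetpub\\logs\\LogFiles\\ to use it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# IPs from the IOC table, with the defanging brackets removed so they compare
# equal to the raw c-ip field.
IOC_IPS: Set[str] = {"104.238.159.149", "188.130.206.168", "131.226.2.6"}
WEB_SHELL_NAMES = ("spinstall0.aspx", "spinstall1.aspx", "spinstall2.aspx")


@dataclass
class Hit:
    line_no: int
    client_ip: str
    severity: str  # "high": exploitation signature, "medium": needs review
    reason: str
    request: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) per data line, keyed by the #Fields directive."""
    fields: Optional[List[str]] = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # IIS writes a fresh #Fields line on rotation, so rebuild the column map.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip it rather than misalign the columns
        yield line_no, dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every (severity, reason) pair that applies to one request."""
    findings: List[Tuple[str, str]] = []
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-").lower()
    referer = rec.get("cs(Referer)", "-").lower()

    if method == "POST" and stem.endswith("/toolpane.aspx") and "displaymode=edit" in query:
        if "/_layouts/signout.aspx" in referer:
            # Forged sign-out Referer on an edit-mode ToolPane POST: the bypass itself.
            findings.append(("high", "ToolPane.aspx edit POST with SignOut.aspx Referer"))
        else:
            # Genuine page editing also POSTs here, so this is review-worthy, not proof.
            findings.append(("medium", "POST to ToolPane.aspx?DisplayMode=Edit"))
    if any(stem.endswith("/" + name) for name in WEB_SHELL_NAMES):
        findings.append(("high", "request for a known web shell file name"))
    if rec.get("c-ip") in IOC_IPS:
        findings.append(("medium", "client IP listed in the IOC table"))
    return findings


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Run classify() over a log and return one Hit per finding, in log order."""
    hits: List[Hit] = []
    for line_no, rec in parse_w3c(lines):
        request = f"{rec.get('cs-method')} {rec.get('cs-uri-stem')}?{rec.get('cs-uri-query')}"
        for severity, reason in classify(rec):
            hits.append(Hit(line_no, rec.get("c-ip", "-"), severity, reason, request))
    return hits


def pivot_ips(hits: List[Hit]) -> Set[str]:
    """Client IPs behind high-severity hits: what to search for in other logs."""
    return {h.client_ip for h in hits if h.severity == "high"}


# Constructed sample log; 203.0.113.0/24 is a documentation range, not an IOC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 03:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 Mozilla/5.0 https://sp.example.local/ 200
2025-07-18 03:14:22 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 03:14:25 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 03:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.77 Mozilla/5.0 https://sp.example.local/sites/hr/default.aspx 200
2025-07-18 03:22:30 10.0.0.5 GET /sites/hr/default.aspx - 131.226.2.6 curl/8.0 - 401
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no} [{h.severity}] {h.client_ip} {h.request}: {h.reason}")
    print("pivot on:", sorted(pivot_ips(found)))
```

On a real server, open each W3SVC log in text mode and pass its lines to hunt(); the Hit list is flat enough to write straight to CSV for the incident ticket. Treat the medium findings as triage input: edit-mode ToolPane POSTs from authenticated editors are routine, while the same POST carrying a sign-out Referer is the bypass itself, and the IPs that pivot_ips() returns are the ones to chase through firewall, proxy and endpoint logs.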

4. Microsoft’s Mitigation Strategies

Immediate Actions:

  1. Apply Security Updates:

    • SharePoint Subscription Edition: KB5002768

    • SharePoint 2019: KB5002753

    • SharePoint 2016: KB5002759
      (Updates are cumulative; install the latest only)

  2. Enable AMSI + Defender AV:

    • Configure Antimalware Scan Interface (AMSI) in Full Mode to block malicious .NET code

    • Ensure Defender Antivirus is deployed on all SharePoint servers

  3. Rotate Machine Keys:

    • Do this only after the security update is installed; keys rotated on an unpatched server can simply be stolen again

    • Run the following in the SharePoint Management Shell for each web application, then restart IIS on every server in the farm with iisreset.exe:

Set-SPMachineKey -WebApplication <WebApplicationPipeBind>
Update-SPMachineKey -WebApplication <WebApplicationPipeBind>



  4. Isolate Vulnerable Servers:

    • Disconnect public-facing SharePoint instances from the internet if patching is delayed

Advanced Protections:

  • Microsoft Defender for Endpoint: Detects post-exploit activities like “Possible web shell installation” or “Suspicious IIS worker process behavior”

  • Vulnerability Management: Use Microsoft Defender Vulnerability Management to track exposure via CVEs (e.g., CVE-2025-53770)

5. Broader Implications & Proactive Defense

  • CISA KEV Listing: Added to CISA's Known Exploited Vulnerabilities catalog on July 20, 2025, which requires US federal civilian agencies to remediate immediately

  • Patching Isn't Enough: Key rotation is non-negotiable; MachineKeys stolen before the patch still let the attacker sign ViewState payloads afterwards

  • Sector Impact: More than 50 breached organizations reported across energy, education and European governments

Table 2: MITRE ATT&CK Techniques Observed

| Tactic | Technique | Example |
|---|---|---|
| Initial Access | Exploit Public-Facing Application (T1190) | ToolPane.aspx endpoint exploitation |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Encoded commands spawned from w3wp.exe |
| Persistence | Server Software Component: Web Shell (T1505.003) | spinstall0.aspx deployment |
| Credential Access | Unsecured Credentials: Credentials In Files (T1552.001) | MachineKey extraction from web.config (application secrets in a config file, not OS credential dumping) |
| Defense Evasion | Reflective Code Loading (T1620) | In-memory .NET assembly loading in the IIS worker process |


Conclusion: The Road to Resilience

CVE-2025-53770 shows how a patched vulnerability can return as a variant that defeats the original fix. For SharePoint administrators, the mandate is clear:

  1. Patch relentlessly.

  2. Rotate keys aggressively.

  3. Hunt continuously for IOCs.

As Microsoft notes, AMSI + Defender AV is a critical shield even before updates. In cybersecurity, complacency is the adversary. Fortify your SharePoint gates—before the next siege begins.
