Blog

Summary

Microsoft has confirmed active exploitation of a critical on-premises SharePoint vulnerability, CVE‑2025‑53770—a variant of the previously identified CVE‑2025‑49706. This vulnerability allows unauthenticated remote code execution (RCE) on SharePoint servers. While SharePoint Online (Microsoft 365) is not affected, organizations using SharePoint Server 2016, 2019, and Subscription Edition are at immediate risk.

At the time of this post, no official patch is available. Microsoft has issued interim mitigation guidance.

What You Need to Know

• The vulnerability has been assigned a CVSS score of 9.8 (Critical).

• Exploits are being observed in the wild.

• Victims include public sector, education, and private industry servers globally.

• The exploit method, named “ToolShell” by researchers, involves a chain of vulnerabilities that allow attackers to gain full control of servers without authentication.

Attackers exploit public-facing SharePoint servers using crafted requests that trigger deserialization flaws, ultimately installing web shells such as spinstall0.aspx to maintain persistent access.

Microsoft’s Guidance

Microsoft recommends the following mitigations for on-prem SharePoint environments:

1. Enable AMSI (Antimalware Scan Interface) in SharePoint servers. If this is not possible, servers should be disconnected from the Internet.

2. Ensure Microsoft Defender Antivirus is running on all SharePoint servers.

3. Use Microsoft Defender for Endpoint to monitor for post-compromise behaviors.

4. Hunt for compromise indicators, including:

   • Files such as spinstall0.aspx in SharePoint’s Layouts directory.

   • Suspicious POST requests targeting /_layouts/15/ToolPane.aspx.

   • Unusual web requests using /_layouts/SignOut.aspx as the referer header.

Microsoft has also provided Kusto queries for detection, which can be integrated into Sentinel or Defender for Endpoint.

Indicators of Compromise

• Presence of web shell files (spinstall0.aspx).

• File writes or process activity linked to SharePoint’s Layouts directories.

• Unexpected HTTP POSTs to ToolPane.aspx pages.

• HTTP requests with /_layouts/SignOut.aspx as the referer.

If any of these indicators are found, organizations should assume compromise, isolate affected servers, and initiate incident response procedures immediately.

Recommendations for Critical Path Security Clients

1. Mitigate Immediately

   • Apply AMSI and Defender protections as outlined by Microsoft.

   • Restrict external access to vulnerable servers whenever possible.

2. Conduct Compromise Assessments

   • Search for web shells and unauthorized .aspx files.

   • Review IIS logs for unusual POST requests or referer strings.

3. Monitor Continuously

   • Deploy Defender for Endpoint for detection.

   • Hunt for known IOCs using SIEM or EDR platforms.

4. Plan for Patching

   • Microsoft is working on a full patch. Prepare for rapid deployment once released.

5. Consider Cloud Migration

   • Organizations using on-premises SharePoint should evaluate migrating to SharePoint Online, which is not affected by this vulnerability.

Critical Path Security Support

For clients with on-premises SharePoint servers, Critical Path Security recommends immediate action. We are available to assist with:

• Incident response and containment.

• Threat hunting and compromise assessments.

• Deployment of defensive mitigations and monitoring.

• Strategic planning for patch management and long-term remediation.

Final Thoughts

CVE‑2025‑53770 represents a critical risk to any Internet-exposed SharePoint Server instance. Until a patch is released, organizations must rely on a combination of Microsoft’s interim mitigations and proactive monitoring to reduce their attack surface and detect potential compromise.

If your organization hosts on-premises SharePoint servers, contact Critical Path Security immediately for assistance.

References:
Microsoft Security Response Center
Canadian Centre for Cyber Security