CVE-2025-53770: Critical SharePoint RCE – Detection, IOCs & Patching Guide
Understanding CVE-2025-53770
CVE-2025-53770, exploited in the wild as part of the ToolShell exploit chain, is a critical Remote Code Execution (RCE) vulnerability in on-premises Microsoft SharePoint Server (2016, 2019 and Subscription Edition). Rated CVSS 9.8, it is being actively exploited by advanced threat actors, including state-sponsored groups, to gain unauthenticated access, steal the server's ASP.NET machine keys and establish persistent control over victim servers.
What is CVE-2025-53770?
The vulnerability is a deserialization of untrusted data flaw reached through SharePoint's ToolPane.aspx endpoint. Combined with the authentication bypass CVE-2025-53771, an unauthenticated attacker can deliver a specially crafted payload that triggers RCE, allowing them to:
- Deploy malicious .aspx web shells (e.g., spinstall0.aspx).
- Extract the ASP.NET machine keys (ValidationKey, DecryptionKey), which let them forge signed __VIEWSTATE payloads and execute code without touching the original bug again.
- Gain long-term, stealthy persistence even after patching if the keys are not rotated.
This vulnerability does not affect SharePoint Online (Microsoft 365), but it poses a severe risk to on-premises deployments exposed to the internet.

Detection and Indicators of Compromise (IOCs)
To effectively detect and respond to this threat, organizations should closely monitor SharePoint logs, file systems, and network traffic. Key detection points include:
1. Suspicious Web Requests
POST requests to:
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
Especially those containing:
- A Referer: /_layouts/SignOut.aspx header (used to bypass authentication).
- Unusual __VIEWSTATE values or large, obfuscated payloads.
Legitimate web part page edits also POST to ToolPane.aspx, so the high-confidence signal is the combination: this URL, the SignOut.aspx Referer, no authenticated user in the log entry, and an external client address, rather than the URL on its own.
2. Unexpected Web Shell Files
Look for unauthorized .aspx files, particularly in:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\
and, on SharePoint Server 2019 and Subscription Edition, the equivalent 16 hive folder:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
Examples:
- spinstall0.aspx
- Randomly named .aspx scripts.
3. Event Logs and Telemetry
Monitor for:
- Windows Event Logs: Unexpected w3wp.exe (IIS worker) child processes, visible as process creation events (Security 4688 or Sysmon Event ID 1) whose parent is w3wp.exe.
- MDE or EDR Alerts: Unusual PowerShell or command executions spawned from IIS processes.
4. Hashes and Filenames
Known file hashes for the malicious web shells are being updated by threat intelligence feeds. Organizations should ingest these feeds into their SIEM for real-time detection.
For a detailed list of known IOCs, file hashes and signatures, refer to Microsoft's CVE-2025-53770 threat intelligence.
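The detection points above, turned into a hunt a responder could run on a SharePoint server. This is an added example, not code from the original post or from Microsoft: the first function parses IIS W3C logs for the ToolPane.aspx request pattern and rates each hit by whether the SignOut.aspx Referer trick and an unauthenticated session were used; the second lists .aspx files in both LAYOUTS hives that carry the known spinstall0.aspx name or were written after a cutoff. The IIS field order taken from the #Fields header, the 30-day cutoff and the sample log lines are assumptions; the log lines are constructed, not real traffic.

```powershell
# Added example (not from the original post). Assumptions: default IIS W3C logging with a
# #Fields header; a 30-day write window for the file hunt; constructed sample log lines.

function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line.StartsWith('#Fields:')) {
            # IIS writes a #Fields header per log file; use it rather than hard-coded positions.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Exploit pattern: POST to ToolPane.aspx?DisplayMode=Edit. Legitimate web part edits
        # also do this, so the Referer and the (missing) username decide the severity.
        $isToolPane = $row['cs-method'] -eq 'POST' -and
                      $row['cs-uri-stem'] -match '/_layouts/(1[56]/)?ToolPane\.aspx$' -and
                      $row['cs-uri-query'] -match '(^|&)DisplayMode=Edit'
        if (-not $isToolPane) { continue }

        $signOutReferer = $row['cs(Referer)'] -match '/_layouts/(1[56]/)?SignOut\.aspx'
        $anonymous      = $row['cs-username'] -eq '-'
        $severity       = if ($signOutReferer -or $anonymous) { 'High' } else { 'Review' }

        [pscustomobject]@{
            Time           = "$($row['date']) $($row['time'])"
            ClientIP       = $row['c-ip']
            User           = $row['cs-username']
            Status         = $row['sc-status']
            SignOutReferer = $signOutReferer
            Severity       = $severity
        }
    }
}

function Find-UnexpectedLayoutsAspx {
    param([datetime]$WrittenAfter = (Get-Date).AddDays(-30))   # assumption: 30-day window

    # The 15 hive is the path named in the post; 2019 and Subscription Edition also use 16.
    $layoutsDirs = @(
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    )
    foreach ($dir in $layoutsDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.aspx' -File -Recurse |
            Where-Object { $_.Name -ieq 'spinstall0.aspx' -or $_.LastWriteTime -gt $WrittenAfter } |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    KnownShell    = ($_.Name -ieq 'spinstall0.aspx')
                }
            }
    }
}

# Constructed sample log (not real traffic): a ToolShell-style request from an external
# address with the SignOut.aspx Referer and no authenticated user, the shell being fetched,
# then a legitimate authenticated page edit that must NOT be rated High.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 812
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 35
2025-07-19 08:30:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.1.40 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 120
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize
# Against real logs: Find-ToolShellRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log')
Find-UnexpectedLayoutsAspx | Format-Table -AutoSize
```

On the sample, the first ToolPane POST is rated High (SignOut.aspx Referer, no user) and the third is rated Review (authenticated user, normal Referer); the GET of spinstall0.aspx is not a ToolPane request and is left to the file hunt. The LastWriteTime heuristic gets noisy right after the July update is installed, because the update itself rewrites files under LAYOUTS; the known filename and the hash feeds are the definitive check, and the Sha256 column is there so hits can be compared against them.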

Mitigation and Patching
Microsoft strongly recommends immediate patching and post-patch remediation steps:
1. Apply the July 2025 Security Updates
Install the latest patches for:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Subscription Edition
(The Microsoft Security Advisory for CVE-2025-53770 provides direct patch links.)
2. Rotate Machine Keys
After patching, run Update-SPMachineKey in PowerShell or trigger the machine key rotation from Central Admin, then restart IIS (iisreset.exe) on every SharePoint server so the new keys are loaded. This invalidates any previously stolen keys; patching alone does not, because an attacker who already holds the old ValidationKey can still forge signed __VIEWSTATE payloads.
3. Network Protection
- Block public access to /_layouts/15/ToolPane.aspx if possible (via WAF rules).
- Restrict SharePoint admin endpoints behind VPN or internal networks.
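The key rotation step, scripted for a whole farm. This is an added example, not code from the original post or from Microsoft: it rotates the ASP.NET machine keys on every web application, Central Administration included, restarts IIS on each SharePoint server, and leaves a record for the incident file. It assumes an elevated SharePoint Management Shell run as a farm administrator, the -WebApplication parameter of Update-SPMachineKey (confirm with Get-Help Update-SPMachineKey on your build), and WinRM access to the other SharePoint servers for the remote iisreset; the output file location is also an assumption.

```powershell
# Added example (not from the original post). Assumptions: elevated SharePoint Management
# Shell as a farm administrator; Update-SPMachineKey -WebApplication as documented for your
# build; WinRM reachable on the other SharePoint servers; output path under %TEMP%.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Gate on patching. Rotating keys on an unpatched server is undone by the next
#    exploitation, so show the farm build and make the operator confirm the July 2025
#    update is installed on every server before continuing.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ((Read-Host 'Type YES if the July 2025 SharePoint update is installed on every server') -ne 'YES') {
    throw 'Patch first, then rotate keys.'
}

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) on every web application,
#    Central Administration included, so keys stolen before the patch stop signing ViewState.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.DisplayName) ($($wa.Url))"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS on every SharePoint server so worker processes pick up the new keys.
#    Get-SPServer also lists non-SharePoint servers (e.g. SQL) with Role 'Invalid'; skip them.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe /noforce }
}

# 4. Leave an audit trail for the incident record: when keys were rotated and where IIS
#    was restarted, so any ViewState signed with the old keys after this time is suspect.
[pscustomobject]@{
    RotatedAt = Get-Date
    WebApps   = $webApps.Count
    Servers   = ($spServers -join ', ')
} | Export-Csv -LiteralPath "$env:TEMP\machinekey-rotation-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

If WinRM is not available, run iisreset.exe locally on each SharePoint server instead of the Invoke-Command loop; a server that cannot restart IIS should be rebooted so the old keys are not kept in memory by running worker processes.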
How KingSec Helps
At KingSec, we provide 24/7 threat detection, managed patching, and incident response services to ensure your business remains secure against zero-day exploits like CVE-2025-53770.
- IOC-based Threat Hunting: We proactively monitor and hunt for malicious patterns on your servers.
- Emergency Patching: We deploy critical Microsoft updates with minimal downtime.
- Forensic Analysis: Our experts perform deep scans for web shells, compromised keys, and abnormal SharePoint activity.
- Long-term Protection: With our Managed Security Services, we continuously defend against evolving threats.
Take Action Now
If your organization is running on-premises SharePoint, assume breach until proven otherwise. Patch immediately, rotate keys, and audit your environment.
Need help securing your SharePoint environment?
Contact KingSec today for emergency remediation and ongoing managed protection.