Advantages of Cloud:
Automatic patching
Integrated threat detection
Reduced attack surface
Challenges with On-Prem:
Manual patch management
Limited visibility
Higher exposure to zero-days
In July 2025, Microsoft disclosed two critical vulnerabilities in its SharePoint Server platform: CVE-2025-53770, a remote code execution (RCE) flaw, and CVE-2025-53771, a spoofing vulnerability. These zero-day exploits have already been weaponized in the wild, compromising over 85 on-premises SharePoint servers globally. The vulnerabilities are particularly alarming because they bypass previously issued patches and target legacy deployments of SharePoint 2016, 2019, and Subscription Edition.
This article provides a detailed analysis of both CVEs, their technical underpinnings, exploitation methods, mitigation strategies, and the broader implications for enterprise cybersecurity.
Type: Remote Code Execution (RCE)
CVSS Score: 9.8 (Critical)
Affected Products: Microsoft SharePoint Server 2016, 2019, Subscription Edition
Attack Vector: Network
Authentication Required: No
Impact: Full system compromise
Technical Summary: CVE-2025-53770 arises from the deserialization of untrusted data in SharePoint Server. Attackers exploit this flaw by sending crafted ASPX payloads via PowerShell, targeting the server’s MachineKey configuration. Once exploited, attackers can execute arbitrary code remotely without authentication.
This vulnerability is a variant of CVE-2025-49706, previously patched in July 2025. However, attackers quickly developed new methods to bypass those fixes, leading to widespread exploitation.
Type: Spoofing via Path Traversal
CVSS Score: 6.3 (Medium)
Affected Products: Microsoft SharePoint Server 2016, 2019, Subscription Edition
Attack Vector: Network
Authentication Required: Yes
Impact: Information spoofing, unauthorized access
Technical Summary: CVE-2025-53771 allows an authenticated attacker to exploit a path traversal flaw in SharePoint Server. By manipulating directory paths, attackers can spoof legitimate content or access restricted files and directories. This vulnerability is closely related to CVE-2025-49704 and CVE-2025-49706, which were previously chained in the “ToolShell” exploit.
May 2025: Viettel Cyber Security demonstrates chained RCE exploit (ToolShell) at Pwn2Own Berlin.
July 8, 2025: Microsoft releases patches for CVE-2025-49704 and CVE-2025-49706.
July 18–19, 2025: Active exploitation of CVE-2025-53770 and CVE-2025-53771 begins.
July 20, 2025: Microsoft and CISA issue emergency alerts.
July 21, 2025: Over 85 servers confirmed compromised
Initial Access: Attackers probe exposed SharePoint endpoints.
Payload Delivery: Malicious ASPX files (e.g., spinstall0.aspx) are uploaded.
Key Extraction: MachineKey configuration is stolen.
Code Execution: Valid ViewState tokens are generated using ysoserial, enabling RCE.
Persistence: Web shells and backdoors are deployed.
Presence of spinstall0.aspx in SharePoint layouts directory
POST requests to /ToolPane.aspx?DisplayMode=Edit
Suspicious IIS worker process behavior
IP addresses: 107.191.58.76, 104.238.159.149, 96.9.125.147
Microsoft has issued emergency patches for SharePoint Subscription Edition and SharePoint 2019. Patches for SharePoint 2016 are still pending.
Immediate Actions:
Apply Security Updates: KB5002768 (Subscription Edition), KB5002754 (2019)
Enable AMSI Integration: Antimalware Scan Interface blocks unauthenticated attacks
Deploy Defender AV & Endpoint: Detects post-exploit activity
Rotate Machine Keys: Prevent reuse of stolen cryptographic material
Disconnect Unpatched Servers: From internet until patched
How to Rotate Machine Keys
Via PowerShell:
Update-SPMachineKey
Via Central Admin:
Navigate to Central Administration → Monitoring → Job Definitions
Run “Machine Key Rotation Job”
Restart IIS using iisreset.exe
Government agencies
Financial institutions
Universities
Healthcare providers
Large enterprises
Unauthorized access to sensitive data
Lateral movement across networks
Bypassing MFA and SSO controls
Persistent backdoors and data exfiltration
Organizations are urged to:
Audit SharePoint logs
Monitor for anomalous admin activity
Use Microsoft 365 Defender queries to detect exploitation
Conduct full compromise assessments
Given that CVE-2025-53770 is a variant of CVE-2025-49706, attackers may continue to develop new exploit chains. Organizations must stay vigilant and adopt defense-in-depth strategies.
Regular patching and updates
Least privilege access controls
Network segmentation
SIEM and SOAR integration
Threat intelligence feeds
The emergence of CVE-2025-53770 and CVE-2025-53771 underscores the persistent threat posed by zero-day vulnerabilities in enterprise software. While Microsoft has responded swiftly with patches and guidance, the widespread exploitation of these flaws reveals critical gaps in on-premise security posture.
Organizations must act decisively—patch systems, rotate keys, and audit environments—to prevent further compromise. More broadly, this incident serves as a wake-up call to accelerate cloud migration and modernize cybersecurity defenses.