Remediation Guide for a Compromised SharePoint Environment related to CVE-2025-53770 and CVE-2025-53771
24 July 2025
Executive Summary
This document serves as a comprehensive guide for responding to CVE-2025-53770 and CVE-2025-53771, which affect on-premises SharePoint Server. Any organisation that had an internet-exposed SharePoint server during the exploitation window should assume it is at risk and investigate it for compromise.
Based on incidents reported worldwide, threat actors continue to exploit SharePoint servers that have already been patched where the additional mitigation measures were not applied: an attacker who stole the ASP.NET MachineKey before the patch was installed can keep forging validly signed __VIEWSTATE payloads and regain code execution through a fully patched server. Patching alone is therefore not sufficient if the server has already been compromised. The mitigation steps, which include rotating the machine keys, restarting IIS and removing artefacts (e.g. web shells), are critical to minimising the risk to your organisation.
This is a developing situation and this advisory will be updated when new information is available. As of now, the detailed response steps outlined in the following four incident response phases should be adopted by affected organisations.
Phase 1: Identification of Compromise: Detect signs of compromise in the SharePoint environment.
Phase 2: Containment of Compromise: Prevent further damage and compromise to your organisation’s environment.
Phase 3: Remediation of Compromise: Remove the attacker's presence and persistence mechanisms from the compromised systems.
Phase 4: Recovery from Compromise: Restore systems to normal operations and implement measures to improve long-term resilience.
Please refer to the Indicators of Compromise and the Threat Hunting queries published alongside this advisory.
Structured Incident Response Plan for a Compromised SharePoint Environment
The following phased incident response (IR) framework offers a prescriptive, sequential playbook designed to address a compromised SharePoint environment. The exploitation method targeting SharePoint vulnerabilities has been dubbed ToolShell, referring to the specific attack chain used by threat actors to gain unauthorized access and persistence.
Phase 1: Identification of Compromise
The initial goal is to detect evidence of compromise and determine the scope of the breach without prematurely altering the system state, which could destroy valuable forensic evidence. This phase must be executed immediately.
Log Analysis: The first step is to collect and centralize relevant logs for analysis. This includes Internet Information Services (IIS) logs, SharePoint Unified Logging Service (ULS) logs, and Windows Event Logs (specifically Security, Application, System, PowerShell Script Block Logging, and Sysmon, if available). Analysts must search for key indicators of compromise (IOCs), such as:
HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit whose Referer header is /_layouts/SignOut.aspx. Legitimate page editing also POSTs to ToolPane.aspx, so the SignOut.aspx Referer, not the ToolPane.aspx path alone, is the distinguishing feature of the exploit request.
Subsequent HTTP GET requests to web shells such as spinstall0.aspx or its variants.
Anomalous requests originating from known malicious IP addresses.
File System Analysis: Conduct a thorough scan of the file systems of all SharePoint servers in the farm. The primary objective is to identify the presence of web shells.
Search for files named spinstall0.aspx, spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc., within the SharePoint TEMPLATE\LAYOUTS directories (under %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15 for SharePoint 2013 and \16 for SharePoint 2016, 2019 and Subscription Edition).
Look for other suspicious files dropped by attackers, such as debug_dev.js, which has been observed being used to store the exfiltrated web.config data containing the MachineKey.
Forensic Imaging: For high-value systems or where a deep investigation is required, capturing a full disk image is crucial. This preserves a bit-for-bit copy of the storage media, allowing for offline analysis of deleted files, file system timelines, and other artifacts that are essential for a comprehensive forensic investigation.
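To make the log analysis and file-system checks above concrete, the following Python script is an added example; it is not code from the original advisory or from Microsoft. It parses IIS W3C log records, flags POSTs to ToolPane.aspx whose Referer is SignOut.aspx, ties any later spinstall*.aspx request back to the same client address, and scans the LAYOUTS directories for the dropped file names listed above. The sample log lines are constructed, and the LAYOUTS paths are assumptions about a default installation.

```python
"""Hunt for the ToolShell request chain in IIS W3C logs and for dropped files
in the SharePoint LAYOUTS directories.

Added example for this advisory, not code from the original page or from
Microsoft. The log lines are constructed to resemble IIS's default W3C extended
format; the IOCs (ToolPane.aspx POST with a SignOut.aspx Referer, spinstall*.aspx
GETs, debug_dev.js) are the ones the advisory lists; the LAYOUTS paths are
assumptions about a default install.
"""
import re
from pathlib import Path

# Constructed sample log: the ToolShell chain from 203.0.113.10, followed by a
# legitimate page edit by an authenticated user from 198.51.100.7.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200 0 0 812
2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 41
2025-07-19 03:20:11 10.0.0.5 GET /sites/finance/SitePages/Home.aspx - 443 EXAMPLE\\jdoe 198.51.100.7 Mozilla/5.0 https://sp.example.com/ 200 0 0 120
2025-07-19 03:21:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 EXAMPLE\\jdoe 198.51.100.7 Mozilla/5.0 https://sp.example.com/sites/finance/SitePages/Home.aspx 200 0 0 300
"""

TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.I)
WEBSHELL_URI = re.compile(r"^/_layouts/1[56]/spinstall\d*\.aspx$", re.I)
SUSPECT_FILE = re.compile(r"^(spinstall\d*\.aspx|debug_dev\.js)$", re.I)

# Default LAYOUTS locations for the 15 (2013) and 16 (2016/2019/SE) hives (assumed).
LAYOUTS_DIRS = [
    Path(r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"),
    Path(r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"),
]


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields: directive as the schema."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def hunt_toolshell(text):
    """Flag ToolPane.aspx POSTs with a SignOut.aspx Referer and spinstall*.aspx GETs.

    A web shell GET from an address that already sent the exploit request is
    reported as 'webshell_after_exploit' so the two stages can be tied together.
    """
    findings, exploit_ips = [], set()
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")
        referer, ip = rec.get("cs(Referer)", ""), rec.get("c-ip", "")
        when = f"{rec.get('date', '')} {rec.get('time', '')}"
        if (method == "POST" and TOOLPANE.match(stem)
                and "displaymode=edit" in query.lower()
                and SIGNOUT_REFERER.search(referer)):
            exploit_ips.add(ip)
            findings.append({"time": when, "ip": ip, "kind": "exploit_request",
                             "detail": f"{stem}?{query} Referer={referer} status={rec.get('sc-status')}"})
        elif method == "GET" and WEBSHELL_URI.match(stem):
            kind = "webshell_after_exploit" if ip in exploit_ips else "webshell_access"
            findings.append({"time": when, "ip": ip, "kind": kind,
                             "detail": f"{stem} status={rec.get('sc-status')}"})
    return findings


def scan_layouts(dirs=LAYOUTS_DIRS):
    """Return files under the LAYOUTS directories whose names match known drops."""
    return [p for d in dirs if d.is_dir()
            for p in d.rglob("*") if p.is_file() and SUSPECT_FILE.match(p.name)]


if __name__ == "__main__":
    for f in hunt_toolshell(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:15} {f['kind']:22} {f['detail']}")
    for path in scan_layouts():
        print(f"suspect file: {path}")
```

On a real server, feed the contents of the IIS log files (by default under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteid>) to hunt_toolshell(). The fourth sample record shows why the Referer is the marker: an authenticated user editing a page also POSTs to ToolPane.aspx, and that record is correctly not flagged. An empty result does not prove the server is clean, since web shells can be renamed and logs can be cleared; treat it as one input to the investigation.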
Phase 2: Containment of Compromise
Once a system is identified as compromised or is reasonably suspected of being so, the immediate priority shifts to containment to prevent further damage.
Block Malicious Indicators: In parallel with the steps below, implement blocks at the network perimeter (e.g., firewall, WAF, DNS sinkhole) for all known malicious IP addresses, domains, and file hashes associated with the campaign. This helps prevent reinfection and cuts off communication from other hosts that may also have been compromised.
Credential Reset: If there is any evidence or suspicion of credential dumping (e.g., Mimikatz execution), initiate an immediate and targeted reset of all potentially compromised credentials. This should prioritize SharePoint service accounts, server local administrator accounts, and any domain administrative accounts that may have logged onto the compromised server.
Network Isolation: If patching is not possible, or your version of SharePoint Server is end of support (SharePoint Server 2013 and earlier), immediately disconnect the compromised SharePoint server(s) from all networks, both the public internet and the internal corporate network, until they have been patched or rebuilt. This can be achieved by disabling the virtual network interface, applying a restrictive firewall rule, or physically unplugging the network cable. This action severs the attacker's command and control and prevents lateral movement.
Phase 3: Remediation of Compromise
The goal of remediation is to completely remove the attacker's presence and all persistence mechanisms from compromised systems. A full system rebuild is strongly recommended, as it ensures complete elimination of hidden backdoors, rootkits, and undetectable modifications that may survive standard cleanup. If a rebuild is not feasible, restoring from a known good, uncompromised backup is the next best option, provided the backup predates the intrusion and has been verified as clean. After completing either a rebuild or a backup restore, the following steps must be executed in a strict, non-negotiable sequence because of the high risk posed by MachineKey theft.
Apply Security Updates: Install the appropriate Microsoft security update (KB) for your SharePoint version. This closes the initial vulnerability vector (CVE-2025-53770 and CVE-2025-53771) and prevents re-exploitation through that channel.
Rotate ASP.NET MachineKey: This is the most critical step for eradicating the primary persistence mechanism. After patching, rotate the MachineKey for every web application on every server in the SharePoint farm. This can be done with the Update-SPMachineKey PowerShell cmdlet or through the Central Administration UI. Rotating before the patch is installed achieves nothing, because the still-vulnerable server lets the attacker steal the new keys immediately. Once rotated, the keys the attacker holds no longer validate, so __VIEWSTATE payloads signed with them are rejected.
Restart IIS: After the final key rotation, the Internet Information Services (IIS) must be restarted on all SharePoint servers in the farm. This is typically done by running iisreset.exe from an administrative command prompt. This step is mandatory to force the w3wp.exe processes to unload the old, compromised configuration and load the new, rotated MachineKey.
Remove Malicious Artifacts: Manually or through automated scripts, delete all identified malicious artifacts. This includes the spinstall0.aspx web shell and its variants, any other suspicious files dropped by the attacker, malicious scheduled tasks, and any unauthorized IIS modules that may have been installed for persistence.
[Advanced Step] Remediate Post-Exploitation Changes: If post-exploitation activity is confirmed, carefully review and revert any unauthorized changes made to the environment. This includes auditing and correcting any malicious GPO modifications, removing newly created user accounts, and restoring any system configurations that were altered.
Phase 4: Recovery from Compromise
The final phase involves safely returning the remediated systems to service and implementing measures to improve long-term resilience.
Reconnect and Monitor: Once the system has been fully eradicated and validated, it can be cautiously reconnected to the network. The server must be placed under a state of heightened monitoring, with security teams closely watching logs and EDR alerts for any signs of anomalous activity.
Integrity Validation: Before returning to full production, use a file integrity monitoring (FIM) or configuration monitoring solution to validate the state of critical system files, application binaries, and configuration files (web.config) against a known-good baseline or a "golden image". This helps ensure that no hidden backdoors or modifications remain.
Harden the System: Implement the comprehensive set of hardening recommendations detailed in the following section to reduce the attack surface and prevent similar attacks in the future.
Post-Incident Review: Conduct a thorough post-mortem and lessons-learned review. The goal is to understand the root cause of the incident, evaluate the effectiveness of the response, and identify gaps in security posture, policies, and procedures that need to be addressed.
Comprehensive Mitigation and Hardening Protocol
Moving beyond the immediate incident, organisations must adopt a strategic approach to harden their on-premises SharePoint environments. This protocol combines mandatory remediation steps with long-term security best practices.
System-Level Hardening
These measures provide a robust, defence-in-depth posture at the operating system and network level.
Enable AMSI Integration: The Antimalware Scan Interface (AMSI) is a critical defence layer. Microsoft strongly recommends enabling AMSI integration for SharePoint and configuring it to "Full Mode". With AMSI integration enabled, SharePoint hands incoming HTTP requests (and, in Full Mode, response bodies as well) to the registered antimalware engine, such as Microsoft Defender Antivirus, so that exploit payloads can be inspected and blocked before SharePoint processes them. This provides a behaviour-based defence capable of detecting and blocking malicious payloads even when the specific exploit is unknown. If AMSI cannot be enabled, the server must be disconnected from the internet until it can be patched.
Deploy and Tune EDR: An Endpoint Detection and Response (EDR) solution, such as Microsoft Defender for Endpoint, is essential. It should be deployed on all SharePoint servers and, where possible, configured in "block mode". This allows the EDR agent to not only detect suspicious activity (like w3wp.exe spawning PowerShell) but to automatically terminate the malicious process, preventing the attack from proceeding.
Implement a Web Application Firewall (WAF): A properly configured WAF provides a crucial layer of protection at the network edge. WAF rules can be deployed to inspect incoming SharePoint traffic for exploit patterns, such as anomalous Referer headers or malicious __VIEWSTATE payloads, and block these requests before they reach the server. Cloudflare and other vendors released emergency rules to mitigate this specific attack.
SharePoint-Specific Hardening Best Practices
These practices focus on configuring SharePoint itself to minimise its attack surface.
Enforce the Principle of Least Privilege (PoLP):
Conduct a rigorous and regular audit of all permissions within the SharePoint environment. Minimise administrative privileges wherever possible.
Strictly avoid using broad, unmanageable default groups like "Everyone," "DOMAIN\Domain Users," or "NT AUTHORITY\Authenticated Users" for granting permissions.
Standardize on a group-based permission model. Assign permissions to SharePoint or Active Directory groups, not directly to individual user accounts. This simplifies provisioning, de-provisioning, and auditing.
Limit the use of item-level permissions and broken permission inheritance, as these create a complex and difficult-to-audit permission structure that can easily hide security risks.
Network and Service Hardening:
Isolate the SharePoint farm servers in a dedicated network segment. Use host-based or network firewalls to restrict communication between farm servers to only the ports and protocols that are necessary for SharePoint to function.
Specifically harden access to the SQL Server backend. Block the default SQL ports (TCP 1433, UDP 1434) from general network access. Configure firewall rules to allow SQL connections only from the IP addresses of the SharePoint servers in the farm.
Harden the web.config file of each web application. Ensure that debugging (compilation debug="false") and page-level tracing (AllowPageLevelTrace="false" on the SafeMode element) are disabled in production, that CallStack="false" is set on the SafeMode element, and that the SafeControls list contains only the controls that are actually required. Apply the same settings on every server in the farm, since each front end holds its own copy of the web application's web.config.
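The following Python script is an added example, not code from the original advisory or from Microsoft. It audits a web.config for the four settings above, lists SafeControl entries that use a wildcard TypeName so they can be reviewed against the minimum required set, and writes out the hardened file. The web.config fragment is constructed and trimmed to the elements checked; the Contoso assembly in it is made up.

```python
"""Audit a SharePoint web application's web.config for the production settings
the advisory requires, and produce the hardened file.

Added example for this advisory, not code from the original page or from
Microsoft. The web.config fragment is constructed and trimmed to the elements
checked (system.web/compilation, system.web/trace, SharePoint/SafeMode,
SharePoint/SafeControls); element and attribute names match those SharePoint
writes, the Contoso assembly is made up.
"""
import xml.etree.ElementTree as ET

# Constructed: a web.config left in a troubleshooting state.
WEAK_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10"
              TotalFileDependencies="250" AllowPageLevelTrace="true">
      <PageParserPaths />
    </SafeMode>
    <SafeControls>
      <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef"
                   Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef"
                   Namespace="Contoso.WebParts.Internal" TypeName="AdminConsole" Safe="True" />
    </SafeControls>
  </SharePoint>
  <system.web>
    <compilation debug="true" batch="false" optimizeCompilations="true" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
"""

# (element path, attribute, required value) for a production web application.
REQUIRED = [
    ("./system.web/compilation", "debug", "false"),
    ("./system.web/trace", "enabled", "false"),
    ("./SharePoint/SafeMode", "AllowPageLevelTrace", "false"),
    ("./SharePoint/SafeMode", "CallStack", "false"),
]


def audit_settings(xml_text):
    """Return one finding per attribute that is not at its required value.

    An absent element or attribute is not reported: ASP.NET defaults
    compilation debug and trace enabled to false, so only an explicit
    override counts as a finding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, want in REQUIRED:
        el = root.find(path)
        if el is None:
            continue
        got = el.get(attr, want)
        if got.lower() != want.lower():
            findings.append({"element": path, "attribute": attr,
                             "actual": got, "required": want})
    return findings


def wildcard_safe_controls(xml_text):
    """Return (assembly, namespace) for SafeControl entries that mark every
    type in a namespace as safe. These are the first entries to review when
    trimming SafeControls: a wildcard lets any control the assembly ships be
    placed on a page, not just the ones the business needs."""
    root = ET.fromstring(xml_text)
    return [(sc.get("Assembly", "").split(",")[0], sc.get("Namespace", ""))
            for sc in root.iterfind("./SharePoint/SafeControls/SafeControl")
            if sc.get("TypeName") == "*" and sc.get("Safe", "").lower() == "true"]


def harden(xml_text):
    """Return the web.config with every REQUIRED attribute set to its value."""
    root = ET.fromstring(xml_text)
    for path, attr, want in REQUIRED:
        el = root.find(path)
        if el is not None:
            el.set(attr, want)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_settings(WEAK_WEB_CONFIG):
        print(f"{f['element']} {f['attribute']}={f['actual']!r} (required {f['required']!r})")
    for asm, ns in wildcard_safe_controls(WEAK_WEB_CONFIG):
        print(f"review wildcard SafeControl: {asm} / {ns}")
    print(harden(WEAK_WEB_CONFIG))
```

Run it against the web.config of each web application on each server, and keep a copy of the original before writing the hardened output back, since IIS recycles the application pool as soon as the file changes. The script corrects the four boolean settings automatically but only reports wildcard SafeControl entries, because deciding which controls are required is a review task, not something to script.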
Auditing and Monitoring:
Enable comprehensive logging for SharePoint (ULS), IIS, and Windows (especially PowerShell Script Block Logging and Sysmon). Ensure these logs are forwarded to a centralized SIEM for correlation, analysis, and long-term retention. This data is indispensable for both proactive threat hunting and post-incident forensic analysis.
Implement a process for regular access reviews. This involves periodically auditing who has access to what resources, validating external sharing links, and confirming that permissions align with current business needs.