Alerts

Critical Vulnerabilities in Microsoft Sharepoint

22 July 2025

Microsoft has released security updates addressing zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771). Administrators are advised to update to the latest versions immediately.

Update

Microsoft has confirmed that these vulnerabilities are being actively exploited on unpatched, on-premises SharePoint servers to gain persistent access, steal credentials, and in some cases, deploy ransomware. Please refer here for the latest information from Microsoft.

Background

Microsoft has released security updates addressing zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) impacting on-premise Sharepoint Servers. SharePoint Online in Microsoft 365 is not affected by the vulnerabilities.

Impact

CVE-2025-53770: Deserialisation of untrusted data in on-premise Microsoft SharePoint Servers could allow a remote attacker to perform remote code execution. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-53771: Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint could allow a remote attacker to spoof a legitimate SharePoint workflow using a forged Referer header and bypass authentication.

When the aforementioned vulnerabilities are successfully exploited in sequence, they could allow an attacker to execute remote code in Microsoft SharePoint.

Known Exploitation

Microsoft is aware of active exploitation of these vulnerabilities.

Affected Products

These vulnerabilities affect on-premises installations of:

Microsoft SharePoint Server Subscription Edition

Microsoft SharePoint Server 2019

Microsoft SharePoint Server 2016

SharePoint 2010 and 2013 may also be affected by these vulnerabilities.

Exploit Chain Breakdown

The attack has been observed to unfold in five key stages:

Initial Access:
- Attackers send a specially crafted HTTP request to the endpoint /layouts/15/ToolPane.aspx, with a forged Referer header set to /_layouts/SignOut.aspx. This allows them to bypass authentication controls.
- Command execution is conducted using the w3wp.exe process that supports SharePoint for enumeration and environment discovery.

Execution:
- The attackers send a crafted POST request to upload a malicious ASPX file named spinstall0.aspx to the SharePoint server. This file is designed to extract cryptographic secrets from the environment.
- Lateral movement using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI).

Persistence:
- The attackers create scheduled tasks and manipulates Internet Information Services (IIS) components to load suspicious .NET assemblies. These actions ensure continued access even if initial vectors are remediated.
- services.exe is abused to disable Microsoft Defender protections through direct registry modifications.

Credential Access:
- The spinstall0.aspx script retrieves the server’s MachineKey configuration, including the ValidationKey. This key is critical for crafting valid __VIEWSTATE payloads used in ASP.NET.
- The threat actor uses Mimikatz, specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials

Command and Control:
- With the stolen cryptographic keys, the attackers use tools such as ysoserial to generate valid serialised __VIEWSTATE objects. These payloads are then deserialized by SharePoint, enabling unauthenticated remote code execution. The file spinstall0.aspx has been observed in the following path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0[.]aspx.
- Modifies Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.

Mitigation

Administrators are strongly advised to upgrade their on-premise Sharepoint Server with the latest emergency update provided by Microsoft. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server: SharePoint Server 2016, 2019, and SharePoint Subscription Edition.

In addition to applying the security updates, the following steps are recommended to detect/prevent persistence and block post-exploitation activity:

Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly.
- Configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers which will stop unauthenticated attackers from exploiting this vulnerability.
- If you cannot enable AMSI, we recommend you consider disconnecting your server from the Internet until you have applied the most current security update linked above. If the server cannot be disconnected from the internet, consider using a VPN or proxy requiring authentication or an authentication gateway to limit unauthenticated traffic
Deploy Microsoft Defender for Endpoint, Microsoft Defender Antivirus or equivalent anti-virus solutions to scan for malware (e.g., web shells) on all Sharepoint servers.
Rotate SharePoint Server ASP.NET machine keys and restart Internet Information ServiceS (IIS) on all SharePoint servers.
- Follow the PowerShell guidance here.
- If you cannot enable AMSI, you will need to rotate your keys and restart IIS after you install the new security update.
Use Hunting Queries, Microsoft Defender Vulnerability Management or Microsoft Sentinel to inspect events in your network and locate potential related indicators. Follow the guidance here.
For guidance on measures to protect against post-exploitation activity, please refer here.

Known Indicators Of Compromise (IOC)

Indicators

Indicator	Type	Description
Spinstall0.aspx	File name	Web shell used by threat actors Actors have also modified the file name in a variety of ways – such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx
IIS_Server_dll.dll	File name	Storm-2603 IIS Backdoor
SharpHostInfo.x64.exe	File Name	Pentest tool observed during attack that is used to collect host information using NetBIOS, SMB, and WMI
xd.exe	File Name	Fast reverse proxy tool used to connect to C2 IP 65.38.121[.]198
debug_dev.js	File name	File containing web config data, including MachineKey data
\1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js	File path	File path for stolen web configs
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514	SHA-256	Hash of spinstall0.aspx
24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf	SHA-256	Web shell that leverages http & curl to receive and execute commands from Storm-2603 C2 “update[.]updatemicfosoft[.]com”
b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0	SHA-256	Web shell that leverages sockets & DNS to receive and execute commands from Storm-2603 C2 “update[.]updatemicfosoft[.]com”
c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94	SHA-256	Web shell that leverages sockets & DNS to receive and execute commands from Storm-2603 C2 “update[.]updatemicfosoft[.]com”
1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192	SHA-256	Web shell that leverages sockets & DNS to receive and execute commands from Storm-2603 C2 “update[.]updatemicfosoft[.]com”
4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619	SHA-256	Observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d	SHA-256	Hash for SharpHostInfo.x64.exe
62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea	SHA-256	Hash for xd.exe
4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030	SHA-256	.NET module - initial hash observed
b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70	SHA-256	.NET module
fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7	SHA-256	.NET module - targeting ViewState
390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e	SHA-256	.NET module
66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082	SHA-256	.NET module
7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95	SHA-256	.NET module
c34718cbb4c6.ngrok-free[.]app/file.ps1	URL	Ngrok tunnel delivering PowerShell to C2
msupdate[.]updatemicfosoft[.]com	URL	C2 domain for Storm-2603
131.226.2[.]6	IP	Post exploitation C2
134.199.202[.]205	IP	IP address exploiting SharePoint vulnerabilities
104.238.159[.]149	IP	IP address exploiting SharePoint vulnerabilities
188.130.206[.]168	IP	IP address exploiting SharePoint vulnerabilities
65.38.121[.]198	IP	Post-exploitation C2 for Storm-2603
107.191.58[.]76	IP	Exploitation Source
96.9.125[.]147	IP	Exploitation Source
139.144.199[.]41	IP	Exploitation Source
89.46.223[.]88	IP	Exploitation Source
45.77.155[.]170	IP	Exploitation Source
95.179.158[.]42	IP	Exploitation Source
154.223.19[.]106	IP	Exploitation Source
185.197.248[.]131	IP	Exploitation Source
149.40.50[.]15	IP	Exploitation Source

Reporting Compromise

If you assess that your Sharepoint server has been compromised, please report the incident to SingCERT at https://www.csa.gov.sg/resources/singcert/cyber-aid.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770

https://nvd.nist.gov/vuln/detail/CVE-2025-53770

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771

https://nvd.nist.gov/vuln/detail/CVE-2025-53771

https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/

https://blog.qualys.com/vulnerabilities-threat-research/2025/07/21/toolshell-zero-day-microsoft-rushes-emergency-patch-for-actively-exploited-sharepoint-vulnerabilities

https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/

https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770

https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/

https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/

https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Critical Vulnerabilities in Microsoft Sharepoint

Reach us