CVE-2025-53770 and CVE-2025-53771 Abused in Active Attacks on On-Prem SharePoint

Threat Group: Linen Typhoon, Violet Typhoon, Storm-2603
Threat Type: Remote Code Execution & Spoofing
Exploited Vulnerabilities: CVE-2025-53770 (RCE), CVE-2025-53771 (Spoofing)
Malware Used: ToolShell (spinstall0.aspx)
Threat Score: 🔴 High (8.0/10) – Active exploitation by nation-state actors, persistent access via cryptographic theft, and potential lateral movement across enterprise networks.
Last Threat Observation: 23 July 2025 – Confirmed exploitation in the wild
Overview
On-premises Microsoft SharePoint Servers are under immediate threat from a coordinated campaign exploiting two zero-day vulnerabilities – CVE-2025-53770 (RCE) and CVE-2025-53771 (Spoofing). This campaign, known as “ToolShell,” enables unauthenticated attackers to gain persistent remote access to SharePoint environments via web shell deployment and cryptographic key theft.
Since 17 July 2025, nation-state actors linked to China, including Linen Typhoon, Violet Typhoon, and Storm-2603, have targeted government, finance, education, and enterprise sectors. Exploitation enables attackers to steal ASP.NET MachineKeys, allowing them to forge trusted requests and maintain access post-patch.
SharePoint Online (Microsoft 365) is not affected.
Key Details
Delivery Method: Unauthenticated HTTP POST to ToolPane.aspx with crafted Referer header
Target: Microsoft SharePoint Server 2016, 2019, and Subscription Edition (On-Premise)
Functions:
- Uploads spinstall0.aspx web shell
- Extracts ASP.NET MachineKeys (ValidationKey, DecryptionKey)
- Enables ViewState forgery with ysoserial
- Executes arbitrary PowerShell code
- Establishes long-term persistence
Obfuscation: Utilises quiet .aspx shell, header spoofing, encoded PowerShell, minimal beaconing
Attack Vectors
- Authentication Bypass via Spoofed Referer Header (CVE-2025-53771): Attackers exploit a flaw in SharePoint’s digest validation logic. By submitting an unauthenticated POST request to /ToolPane.aspx with a Referer header pointing to /layouts/SignOut.aspx, SharePoint treats the session as authenticated. This critical bypass enables remote attackers to send administrative-level payloads without prior authentication.
- Stealth Web Shell Deployment: Leveraging the bypass, attackers upload a malicious web shell (typically named spinstall0.aspx) directly into the SharePoint LAYOUTS directory. This ASP.NET shell is intentionally quiet, designed solely to extract sensitive configuration values from the server without alerting standard AV heuristics or triggering outbound communication.
- .NET Reflection for Key Theft: Once in place, the shell executes .NET reflection commands targeting the System.Web.Configuration namespace. This enables direct extraction of the machineKey values (ValidationKey and DecryptionKey) from SharePoint’s web.config. These keys are foundational to the security of authentication cookies and ViewState integrity.
- Signed ViewState RCE (CVE-2025-53770): With stolen keys, attackers craft malicious payloads using ysoserial.net and sign them to appear legitimate. These payloads are embedded in ViewState parameters and submitted to endpoints like /success.aspx, enabling remote code execution under the SharePoint application pool identity. This grants system-level privileges within the IIS context.
- Lateral Movement & Escalation: Post-compromise, threat actors use tools like PowerShell, PsExec, and Windows Management Instrumentation (WMI) to move laterally. Credential dumping and access to Active Directory allow for widespread domain infiltration.
- Persistence Techniques: Even after patching, persistence remains if machine keys are not rotated. Attackers can reuse keys to forge authentication cookies and ViewState signatures. Some variants also drop scheduled tasks and secondary web shells.
- Obfuscation & Evasion: The tooling avoids typical malware behavior. Web shells are minimal and reside in trusted directories. PowerShell commands are encoded. Traffic is indistinguishable from regular SharePoint activity. Detection relies heavily on behavioural EDR and detailed IIS log analysis.
Known Indicators of Compromise (IoCs)
File Hashes (SHA256):
File Artifacts:
- spinstall0.aspx, spinstall1.aspx, debug_dev.js in \LAYOUTS
Suspicious IPs:
Defender Alerts:
- Possible web shell installation
- Suspicious IIS worker process behavior
- SuspSignoutReq malware blocked
Mitigation and Prevention
User Awareness: Focus attention only on on-prem SharePoint. Online versions are not impacted.
Antivirus Protection: Deploy Microsoft Defender Antivirus with AMSI Full Mode enabled.
Two-Factor Authentication (2FA): Mandatory for all SharePoint and admin accounts.
Monitor Logs:
- IIS POSTs to /ToolPane.aspx
- GETs to spinstall0.aspx
- Encoded PowerShell spawned by w3wp.exe
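The IIS log checks above, as an added example that is not part of the advisory or of Microsoft's own guidance: a Python script that parses a constructed IIS W3C log excerpt and flags POSTs to ToolPane.aspx carrying a SignOut.aspx Referer (the CVE-2025-53771 bypass pattern) plus any request for the file names listed under File Artifacts. Log lines, hostnames, usernames and client addresses are constructed samples; the field layout assumes the default IIS W3C fields with cs(Referer) logging enabled.

```python
WEB_SHELL_ARTIFACTS = ("spinstall0.aspx", "spinstall1.aspx", "debug_dev.js")

# Constructed sample log (not real traffic): hostnames, users and client
# addresses are invented. Layout matches an IIS W3C log with cs(Referer) on.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 https://sp.example/sites/hr 200
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://sp.example/_layouts/SignOut.aspx 200
2025-07-19 10:01:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 10:02:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.22 Mozilla/5.0 https://sp.example/_layouts/15/settings.aspx 200
"""

def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat after log rollover
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # IIS writes '-' for empty fields
                yield dict(zip(fields, values))

def classify(entry):
    """Return a finding label for one request, or None when nothing matches."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "").lower()
    referer = entry.get("cs(Referer)", "-").lower().split("?")[0].rstrip("/")
    # CVE-2025-53771 pattern: POST to ToolPane.aspx whose Referer claims SignOut.aspx
    if method == "POST" and stem.endswith("/toolpane.aspx") and referer.endswith("/signout.aspx"):
        return "toolpane-post-with-signout-referer"
    # Any request for the web shell / helper file names listed under File Artifacts
    if stem.rsplit("/", 1)[-1] in WEB_SHELL_ARTIFACTS:
        return "web-shell-artifact-request"
    return None

def hunt(text):
    """Return (label, client ip, uri stem, username) for every suspicious request."""
    findings = []
    for e in parse_iis_w3c(text):
        label = classify(e)
        if label:
            findings.append((label, e["c-ip"], e["cs-uri-stem"], e.get("cs-username", "-")))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

A username of "-" on a flagged ToolPane.aspx POST is the unauthenticated case the advisory describes; a named user on the same pattern still deserves review.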
Regular Updates: Apply emergency patches:
- KB5002768 – SharePoint Subscription Edition
- KB5002754/2753 – SharePoint 2019
- KB5002760/2759 – SharePoint 2016
MachineKey Rotation:
- Use Set-SPMachineKey and Update-SPMachineKey
- Restart IIS post-rotation
- Enable auto-rotation in Subscription Edition 25H1
Risk Assessment
Severity: High to Critical – Exploitation enables full control over SharePoint and lateral domain movement.
Persistence: High – Theft of cryptographic material bypasses patching.
Scope: At least 100 servers compromised globally.
Conclusion
Organisations using on-prem SharePoint must act immediately:
- Apply patches and rotate keys.
- Enable AMSI Full Mode.
- Deploy EDR (e.g., Defender for Endpoint).
- Hunt for spinstall0.aspx and IIS anomalies.
- Segment networks and restrict internet exposure.
- Assume compromise if SharePoint was internet-facing pre-patch.
Failure to follow a full IR process and machine key invalidation risks persistent unauthorised access by state-linked actors.
Sources:
CISA - UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities
Microsoft - Customer guidance for SharePoint vulnerability CVE-2025-53770
ASD - Vulnerability in Microsoft Office SharePoint Server products
Trend Micro - SECURITY ALERT: Microsoft SharePoint On-prem Vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771)
OTX AlienVault - Indicators Of Compromise