CVE-2025-53770: Critical Unauthenticated RCE in Microsoft SharePoint
On July 19-20, 2025, Microsoft and CISA confirmed the active exploitation of CVE-2025-53770, a critical remote code execution (RCE) vulnerability in on-premises SharePoint Server environments [1]. Referred to by researchers as “ToolShell,” this exploit enables unauthenticated attackers to execute arbitrary commands and access sensitive configuration files by targeting the /ToolPane.aspx endpoint and bypassing authentication using crafted HTTP requests.
CVE-2025-53770 builds on two prior vulnerabilities (CVE-2025-49706 + CVE-2025-49704) and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects multiple SharePoint versions and is particularly dangerous due to its ease of exploitation, unauthenticated nature, and the privilege level it grants, often running commands under NT AUTHORITY\IUSR.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform
Microsoft SharePoint CVE-2025-53770 RCE Vulnerability Explained
CVE-2025-53770 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server 2016, 2019, and Subscription Edition. The vulnerability was discovered during active exploitation in July 2025 and later classified by Microsoft as a variant of the previously demonstrated ToolShell chain (CVE-2025-49706 + CVE-2025-49704) revealed at Pwn2Own Berlin.
The vulnerability allows attackers to send a specially crafted HTTP POST request to the following endpoint:
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
The request includes a Referer header pointing to:
/layouts/15/signout.aspx
This bypasses authentication and SharePoint's form digest validation.
As a result, the server treats the request as legitimate and processes it under an unauthenticated context.
Once exploited, attackers can:
- Write malicious .aspx files to disk (e.g., spinstall0.aspx)
- Extract cryptographic secrets such as the SharePoint ValidationKey
- Craft valid, signed __VIEWSTATE payloads
- Achieve full remote code execution using tools like ysoserial
Microsoft confirmed exploitation in the wild and assigned CVE-2025-53770 on July 20, 2025.
How Does the CVE-2025-53770 RCE Exploit Work?
CVE-2025-53770 is part of an unauthenticated exploit chain targeting on-premises Microsoft SharePoint Servers. It leverages flaws in how SharePoint handles authentication and deserialization, resulting in full remote code execution without requiring valid credentials.
The exploitation consists of three distinct stages:
1. Authentication Bypass via ToolPane.aspx
The attack begins with an HTTP POST request to SharePoint’s legacy WebPart editor endpoint:
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
What makes this request dangerous is its forged Referer header:
Referer: /_layouts/SignOut.aspx
This header tricks SharePoint into skipping authentication and form digest checks, likely due to how the platform validates trusted internal workflows. As a result, the attacker is treated as an authenticated user, even though no credentials were supplied.
2. Deployment of a Malicious ASPX File
Once inside, the attacker uploads a malicious .aspx file, typically named spinstall0.aspx, to the SharePoint layouts directory:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx
This file does not function as a traditional web shell. Instead, it is designed to extract cryptographic secrets from the server’s configuration, including:
- ValidationKey
- DecryptionKey
- Signing algorithm
These values are used by ASP.NET to validate and decrypt __VIEWSTATE payloads.
By leaking these secrets, the attacker gains the ability to generate their own signed payloads that SharePoint will accept and deserialize.
3. Remote Code Execution via Malicious __VIEWSTATE
With the stolen keys, the attacker crafts a signed, malicious __VIEWSTATE token using tools such as ysoserial.net. This payload embeds system commands (e.g., PowerShell), and is sent to another SharePoint page via a GET request:
GET /_layouts/15/success.aspx?__VIEWSTATE=<malicious_payload>
Because the token is signed with the server’s actual keys, SharePoint accepts it and deserializes it during page processing. This leads to execution of the embedded command on the server.
Typical command chain observed:
w3wp.exe → cmd.exe → powershell.exe -EncodedCommand ...
This achieves full remote code execution under the application pool identity (NT AUTHORITY\IUSR), enabling file access, lateral movement, credential dumping, or persistence.
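Each of the three stages above leaves a distinct request in the IIS web log, so a defender can triage a log export for the whole chain rather than for a single indicator. The following script is an added example written for this post (it is not Picus or Microsoft code); the IIS W3C log lines it parses are constructed samples, and the indicators it matches (the ToolPane.aspx POST with a SignOut.aspx Referer, any request for spinstall0.aspx, and a GET to success.aspx carrying __VIEWSTATE in the query string) are taken from the stages described above. It also generalises slightly: it groups hits per client IP so that one source hitting all three stages stands out from an administrator legitimately editing a web part.

```python
"""Triage IIS W3C logs for the CVE-2025-53770 / ToolShell request chain.

Added example. The SAMPLE_LOG below is constructed; field names follow the
IIS W3C extended log format and are read from the "#Fields:" header line.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Indicators from the write-up. Paths are compared case-insensitively because
# IIS serves /_layouts/15/ToolPane.aspx and /_layouts/15/toolpane.aspx alike.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/signout.aspx"        # matches both Referer spellings seen
DROPPED_FILE = "spinstall0.aspx"
VIEWSTATE_TARGET = "/_layouts/15/success.aspx"

# Constructed sample: one attacker (203.0.113.7) runs all three stages; a
# second client (198.51.100.4) legitimately edits a web part with a normal
# Referer and must not be flagged. IIS writes "-" for empty fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:01:05 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 10:02:30 GET /_layouts/15/success.aspx __VIEWSTATE=CONSTRUCTED_SAMPLE_TOKEN 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 10:03:00 GET /_layouts/15/start.aspx - 198.51.100.4 Mozilla/5.0 - 200
2025-07-19 10:04:00 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.4 Mozilla/5.0 https://intranet.example/sites/hr/default.aspx 200
"""


@dataclass
class Finding:
    stage: int        # 1 = auth bypass, 2 = dropped file, 3 = __VIEWSTATE delivery
    client_ip: str
    line: str


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Turn IIS W3C log lines into dicts keyed by the #Fields header names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in lines:
        raw = raw.rstrip("\r\n")
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def classify(rec: dict[str, str]) -> int | None:
    """Return the ToolShell stage a single request matches, or None."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()

    # Stage 1: POST to ToolPane.aspx in edit mode whose Referer is the
    # sign-out page. A real web-part edit arrives with a site page as Referer.
    if (method == "POST" and stem == TOOLPANE_PATH
            and "displaymode=edit" in query and SIGNOUT_REFERER in referer):
        return 1
    # Stage 2: any request for the dropped key-dumping page.
    if stem.endswith("/" + DROPPED_FILE):
        return 2
    # Stage 3: __VIEWSTATE handed to success.aspx in the query string of a GET.
    if method == "GET" and stem == VIEWSTATE_TARGET and "__viewstate=" in query:
        return 3
    return None


def scan(lines: Iterable[str]) -> list[Finding]:
    """Run classify() over a log and collect every matching request."""
    findings: list[Finding] = []
    for rec in parse_w3c(lines):
        stage = classify(rec)
        if stage is not None:
            findings.append(Finding(stage, rec.get("c-ip", "-"), " ".join(rec.values())))
    return findings


def stages_by_ip(findings: list[Finding]) -> dict[str, set[int]]:
    """Group matched stages per client so a full chain from one source is obvious."""
    out: dict[str, set[int]] = {}
    for f in findings:
        out.setdefault(f.client_ip, set()).add(f.stage)
    return out


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"stage {f.stage} from {f.client_ip}: {f.line}")
    for ip, stages in stages_by_ip(hits).items():
        verdict = "FULL CHAIN" if stages == {1, 2, 3} else "partial"
        print(f"{ip}: stages {sorted(stages)} -> {verdict}")
```

Point the script at a real export by replacing SAMPLE_LOG with the contents of an IIS log file; a single stage-1 hit is already worth investigating, since the Referer condition is what separates the bypass from normal web-part editing, and a stage-2 or stage-3 hit means the server should be treated as compromised and its machine keys rotated.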
Mitigation Guidance
Microsoft and CISA recommend the following steps:
- Patch Immediately: Apply the July 2025 security updates for SharePoint 2019 and Subscription Edition [1].
- Enable AMSI in SharePoint: AMSI blocks payload execution when Defender AV is installed. Full Mode is recommended.
- Rotate Machine Keys: Run Update-SPMachineKey via PowerShell or trigger the Machine Key Rotation timer job in Central Admin.
- Deploy Microsoft Defender: For alerting and post-exploit detection.
- Isolate Public-Facing Servers: If AMSI cannot be enabled, disconnect vulnerable servers until patched.
How Does Picus Help Simulate CVE-2025-53770 SharePoint RCE Attacks?
We also strongly suggest simulating the CVE-2025-53770 SharePoint RCE vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform.
You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for SharePoint CVE-2025-53770 RCE vulnerability exploitation attacks:
Threat ID | Threat Name                              | Attack Module
95895     | Microsoft Sharepoint Web Attack Campaign | Web Application
24572     | Webshell Web Attack Campaign - 3         | Web Application
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] “Customer guidance for SharePoint vulnerability CVE-2025-53770.” Available: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/. [Accessed: Jul. 21, 2025]