{"id":8831,"date":"2025-07-24T02:50:36","date_gmt":"2025-07-24T02:50:36","guid":{"rendered":"http:\/\/localhost\/?p=8831"},"modified":"2025-07-24T02:50:36","modified_gmt":"2025-07-24T02:50:36","slug":"imperva-customers-protected-against-critical-toolshell-zeroday-in-microsoft-sharepoint","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=8831","title":{"rendered":"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">IMPERVABLOG:E64DDD0F9B535D727AC13B7433A1E97A<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">impervablog<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-23T21:17:04<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-23T21:17:04<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">9.8<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 
1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #cc0000; font-weight: bold;\">CRITICAL<\/td>\n<\/tr>\n<\/table>\n<h3>Affected CVEs<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>CVE-2025-49704<\/li>\n<li>CVE-2025-49706<\/li>\n<li>CVE-2025-53770<\/li>\n<\/ul>\n<\/div>\n<h3>Update Details<\/h3>\n<div style=\"padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\n<p>A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, is under active exploitation in the wild. The vulnerability, rated CVSS 9.8, affects on-premises SharePoint Server 2016, 2019, and Subscription Edition (SharePoint Online in Microsoft 365 is not affected) and allows unauthenticated remote code execution (RCE). Microsoft\u2019s July 2025 Patch Tuesday update fixed the original ToolShell pair, CVE-2025-49704 and CVE-2025-49706; CVE-2025-53770 bypasses that fix, and attackers were exploiting it before Microsoft\u2019s out-of-band update was available.<\/p>\n<p>CVE-2025-53770 has been observed in the wild as part of a broader exploit chain, combined with an authentication bypass (spoofing) flaw to deploy web shells, harvest cryptographic keys and credentials, and maintain persistent access to compromised environments. Attackers, including the China-linked groups Linen Typhoon and Violet Typhoon, are actively targeting vulnerable organizations, among them a US nuclear weapons agency.<\/p>\n<h3>Understanding the Vulnerability<\/h3>\n<p>CVE-2025-53770 is a deserialization-of-untrusted-data vulnerability in SharePoint. An attacker sends a crafted HTTP POST request, typically to the web part editing page \/_layouts\/15\/ToolPane.aspx, and the server deserializes attacker-controlled data from that request, which yields arbitrary code execution inside the SharePoint worker process (w3wp.exe). 
In the ToolShell chain, this flaw is paired with CVE-2025-49706, an authentication bypass (spoofing) vulnerability that lets an unauthenticated request reach ToolPane.aspx; CVE-2025-53770 is itself a variant of CVE-2025-49704, the deserialization bug the chain originally used, and it works against servers that only have the July Patch Tuesday fix.<\/p>\n<p>Once code execution is gained, attackers typically drop a web shell or steal the ASP.NET machine key (ValidationKey and DecryptionKey) from the server configuration. With that key they can sign their own ViewState payloads and other MachineKey-protected data, so they keep code execution and access even after the initial entry point is patched; this is why patching alone does not evict them.<\/p>\n<p>Because SharePoint environments are high-value and frequently internet-exposed, this vulnerability poses a significant risk to enterprises that have not yet applied the necessary updates and rotated their keys.<\/p>\n<h3>What We\u2019ve Seen in Our Data<\/h3>\n<p>Imperva Threat Research is actively tracking exploitation attempts related to CVE-2025-53770 across our global network. While we continue to monitor the situation, early data shows that attackers are scanning for and targeting SharePoint instances at increasing rates.<\/p>\n<p>In just one day, we observed over 60,000 attacks targeting thousands of sites, primarily in the gaming, business, and financial industries.<\/p>\n<p>In total, sites in 34 countries were targeted, although over 50% of attacks targeted US sites.<\/p>\n<p>These numbers are likely to grow. As proof-of-concept exploits become more widely available, threat actors will seek to compromise unpatched systems.<\/p>\n<p>In one example, the payload abuses System[.]DelegateSerializationHolder to hijack execution via a forged delegate. This delegate invokes System[.]Diagnostics[.]Process[.]Start() with a PowerShell command passed via -EncodedCommand. The PowerShell command runs ipconfig, base64-encodes the output, and sends it to a remote attacker-controlled server (hxxp:\/\/146.70.41.178:8000). 
The entire operation yields remote code execution and data exfiltration simply by deserializing the object, with no user interaction needed.<\/p>\n<h3>Imperva Customers Are Protected<\/h3>\n<p>Imperva customers are protected against exploitation attempts targeting CVE-2025-53770 and related attack chains.<\/p>\n<p>Our Web Application Firewall (WAF) includes dedicated rules that detect and block malicious deserialization payloads and web shell behavior commonly associated with this vulnerability. Organizations using Imperva\u2019s application security solutions can remain confident that Imperva protects them against known exploit attempts targeting Microsoft SharePoint. A WAF stops known exploit traffic at the edge; it does not undo a compromise that has already happened, so the patching and key-rotation steps below still apply.<\/p>\n<h3>Recommendations<\/h3>\n<p>Organizations running on-premises SharePoint servers should take immediate action:<\/p>\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>Apply Microsoft\u2019s July 2025 security updates for SharePoint Server 2016, 2019, and Subscription Edition, including the out-of-band update for CVE-2025-53770; the Patch Tuesday update alone is not sufficient.<\/li>\n<li>Review IIS logs for POST requests to \/_layouts\/15\/ToolPane.aspx, especially ones whose Referer is \/_layouts\/SignOut.aspx, and check the LAYOUTS directory on each server for unexpected .aspx files such as spinstall0.aspx.<\/li>\n<li>Rotate the ASP.NET machine keys and restart IIS after patching, even without evidence of compromise, and invalidate sessions; a key stolen before the patch keeps working after it. If you suspect a compromise, collect forensic evidence first and rotate as part of the incident response.<\/li>\n<li>Enable AMSI integration in SharePoint and run Microsoft Defender Antivirus (or an equivalent) on all SharePoint servers, as Microsoft recommends.<\/li>\n<li>Ensure WAF protections are up to date and actively monitoring SharePoint endpoints.<\/li>\n<\/ul>\n<p>As exploitation continues, it is critical for defenders to act quickly and proactively harden systems. 
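<\/p>
<p>As an added example that is not part of the Imperva post, the request pattern from the Understanding the Vulnerability section and the log review step in the recommendations above, turned into a small Python triage script for IIS W3C logs. It flags POST requests to ToolPane.aspx that carry a Referer of \/_layouts\/SignOut.aspx (the publicly reported ToolShell bypass), anonymous edit-mode POSTs to the same page for manual review, and any request for the reported web shell name spinstall0.aspx. The log excerpt, host name and IP addresses inside it are constructed samples, not observed traffic, and the indicator list is an assumption to extend with your own threat intelligence.<\/p>

```python
# Added example, not from the Imperva post: triage IIS W3C logs for the
# ToolShell request pattern. Indicator values are the publicly reported ones;
# SAMPLE_LOG is a constructed sample (documentation hosts/IPs), not real traffic.
from dataclasses import dataclass
from urllib.parse import unquote

TOOLPANE_SUFFIX = '/toolpane.aspx'          # /_layouts/15/ToolPane.aspx, compared lower-cased
SIGNOUT_REFERER = '/_layouts/signout.aspx'  # Referer used in the authentication bypass
WEBSHELL_NAMES = {'spinstall0.aspx'}        # web shell name reported in the ToolShell campaign

# Constructed IIS W3C excerpt: one normal page load, one legitimate admin edit of a
# web part, one exploitation attempt, one web shell fetch, one truncated line.
SAMPLE_LOG = '''#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 jdoe 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/ 200 0 0 31
2025-07-19 10:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 jdoe 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/SitePages/Home.aspx 200 0 0 118
2025-07-19 11:02:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 1894
2025-07-19 11:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 42
2025-07-19 11:02:16 10.0.0.5 GET /_layouts/15/start.aspx
'''


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str
    request: str


def parse_w3c(text):
    '''Yield (line_no, field->value) per entry, taking column names from the #Fields header.'''
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#') or fields is None:
            continue
        parts = line.split(' ')
        if len(parts) != len(fields):
            continue  # truncated or foreign line: skip rather than mis-assign columns
        yield n, dict(zip(fields, parts))


def _val(entry, key):
    '''IIS writes "-" for empty fields; decode percent-encoding so /%5f cannot hide a path.'''
    v = entry.get(key, '-')
    return '' if v == '-' else unquote(v)


def triage(text):
    '''Return ToolShell-related findings, in log order, from IIS W3C log text.'''
    findings = []
    for n, e in parse_w3c(text):
        method = _val(e, 'cs-method').upper()
        stem = _val(e, 'cs-uri-stem').lower()
        query = _val(e, 'cs-uri-query').lower()
        referer = _val(e, 'cs(Referer)').lower()
        user = _val(e, 'cs-username')
        ip = _val(e, 'c-ip')
        req = f'{method} {stem}' + (f'?{query}' if query else '')
        if method == 'POST' and stem.endswith(TOOLPANE_SUFFIX):
            if SIGNOUT_REFERER in referer:
                findings.append(Finding(n, ip, 'HIGH: POST to ToolPane.aspx with SignOut.aspx Referer (ToolShell auth bypass feeding the deserialization sink)', req))
            elif 'displaymode=edit' in query and not user:
                findings.append(Finding(n, ip, 'REVIEW: anonymous edit-mode POST to ToolPane.aspx', req))
        name = stem.rsplit('/', 1)[-1]
        if name in WEBSHELL_NAMES:
            findings.append(Finding(n, ip, f'HIGH: request for known web shell name {name}', req))
    return findings


def attacker_ips(findings):
    '''Distinct client IPs behind the findings, for blocking and pivoting in other logs.'''
    return sorted({f.client_ip for f in findings if f.client_ip})


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f'line {f.line_no} {f.client_ip} {f.reason}: {f.request}')
    print('suspect IPs:', attacker_ips(hits))
```

<p>Run it against the W3C logs of every SharePoint web front end (the cs-uri-query and cs(Referer) fields must be enabled in IIS logging, which they are by default). The #Fields header is parsed rather than assuming column order, because IIS lets administrators reorder or drop fields, and lines with the wrong column count are skipped instead of being guessed at. A hit on the HIGH rule is strong evidence of an exploitation attempt; a 200 status on that request, or on spinstall0.aspx, should be treated as a likely compromise, at which point the key rotation step above is mandatory rather than optional.<\/p>
<p>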
Imperva will continue to monitor this vulnerability and update protections as new attack methods emerge.<\/p>\n<p>The post Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint appeared first on Blog.\n<\/p><\/div>\n<p><a href=\"https:\/\/www.imperva.com\/blog\/imperva-customers-protected-against-critical-toolshell-zero%e2%80%91day-in-microsoft-sharepoint\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint Update ID IMPERVABLOG:E64DDD0F9B535D727AC13B7433A1E97A Type impervablog Published 2025-07-23T21:17:04 Last Updated&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,59,13,7,11,5],"class_list":["post-8831","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-impervablog","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8831\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Imperva Customers 
Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint Update ID IMPERVABLOG:E64DDD0F9B535D727AC13B7433A1E97A Type impervablog Published 2025-07-23T21:17:04 Last Updated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8831\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-24T02:50:36+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft 
SharePoint\",\"datePublished\":\"2025-07-24T02:50:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831\"},\"wordCount\":650,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"impervablog\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8831#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831\",\"name\":\"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-24T02:50:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8831\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8831#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8831","og_locale":"en_US","og_type":"article","og_title":"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint - zero redgem","og_description":"Security Update News Update Information Title Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint Update ID IMPERVABLOG:E64DDD0F9B535D727AC13B7433A1E97A Type impervablog Published 2025-07-23T21:17:04 Last Updated...","og_url":"https:\/\/zero.redgem.net\/?p=8831","og_site_name":"zero redgem","article_published_time":"2025-07-24T02:50:36+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8831#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8831"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint","datePublished":"2025-07-24T02:50:36+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8831"},"wordCount":650,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","impervablog","news","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8831#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8831","url":"https:\/\/zero.redgem.net\/?p=8831","name":"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-24T02:50:36+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8831#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8831"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8831#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Imperva Customers Protected Against Critical \u201cToolShell\u201d Zero\u2011Day in Microsoft SharePoint"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8831"}],"version-history":[{"count":0,"href":"https
:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8831\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}