\nOn July 19, 2025, a critical remote code execution (RCE) vulnerability (CVE-2025-53770, also referred to as ToolShell) was publicly disclosed, impacting on-premises Microsoft SharePoint Server installations. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely by leveraging insecure deserialization techniques. Given the platform\u2019s widespread use and exposure to the internet, the potential for compromise is substantial and growing, especially with confirmed active exploitation in the wild.<\/p>\n
## **Vulnerability Overview**<\/p>\n
CVE-2025-53770 targets Microsoft SharePoint via a flaw in **ViewState deserialization** , specifically triggered at the endpoint:<\/p>\n
`\/_layouts\/15\/ToolPane.aspx`<\/p>\n
By abusing the **Referer header** (pointing to `\/_layouts\/SignOut.aspx`) and uploading a crafted .aspx file (e.g., spinstall0.aspx), attackers can bypass authentication and execute remote payloads. Once executed, these payloads can extract **ASP.NET machine keys** (`ValidationKey` and `DecryptionKey`) from the server, enabling the creation of malicious `ViewState` data that the server will accept as legitimate.<\/p>\n
This vulnerability falls under \u201cOWASP A08:2021 \u2013 Software and Data Integrity Failures,\u201d specifically due to its insecure deserialization. The attack chain may also involve two auxiliary vulnerabilities: CVE-2025-49706 and CVE-2025-49704, which exacerbate the impact.<\/p>\n
CVE-2025-53770 is classified as a critical pre-authentication remote code execution vulnerability, with an estimated CVSS score of 9.8, reflecting its ease of exploitation, lack of required privileges, and severe potential impact.<\/p>\n
## **Exploitation in the Wild**<\/p>\n
### **Exploit Mechanics**<\/p>\n
The root cause lies in **insecure deserialization** via ViewState, specifically the injection of a malicious control such as:<\/p>\n
``<\/p>\n
This payload, when deserialized by SharePoint, leads to arbitrary code execution if the attacker already possesses machine keys. Below is a truncated exploit example via curl:<\/p>\n
`curl -sk -X POST ‘https:\/\/victim.com\/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit&a=\/ToolPane.aspx’ -H ‘Referer: \/_layouts\/SignOut.aspx’ -H ‘Content-Type: application\/x-www-form-urlencoded’ –data-urlencode ‘MSOTlPn_Uri=https:\/\/malicious.com’ –data-urlencode ‘MSOTlPn_DWP=‘ `<\/p>\n
## **Wallarm Response and Observed Exploitation**<\/p>\n
Wallarm deployed detection rules shortly after disclosure to identify and block exploitation attempts of CVE-2025-53770. Within hours, Wallarm customers were protected. The rules detect crafted ViewState payloads and abnormal access to the vulnerable endpoint.<\/p>\n
<\/p>\n
Wallarm detected immediate spikes in exploit attempts following the public disclosure:<\/p>\n
<\/p>\n
These figures show rapid adoption of the exploit code by threat actors. Public repositories on GitHub have already published working proof-of-concept payloads, lowering the bar for exploitation even further.<\/p>\n
## Mitigation <\/p>\n
Wallarm recommends clients:<\/p>\n
* Patch affected SharePoint servers immediately
* Rotate ASP.NET cryptographic keys
* Inspect systems for indicators of compromise
* Isolate public-facing SharePoint instances if unpatched<\/p>\n
This layered defense ensures both proactive mitigation and forensic readiness.<\/p>\n
## **Conclusion**<\/p>\n
CVE-2025-53770 is an example of the critical risks posed by pre-authentication RCE vulnerabilities in widely exposed platforms like Microsoft SharePoint. While patching and key rotation are essential, they alone are not sufficient to defend against rapidly evolving threats.<\/p>\n
A Web Application and API Protection (WAAP) solution is vital to a multilayered security strategy, providing virtual patching, real-time threat detection, and attack surface protection, especially during the high-risk period between disclosure and remediation. Wallarm\u2019s rapid response to this vulnerability illustrates how WAAP can effectively close the gap, blocking exploit attempts before they impact critical systems.<\/p>\n
### **Risk Summary**<\/p>\n
* Pre-auth RCE with high reliability
* Targets a widely-used enterprise collaboration platform
* Potential for data theft, lateral movement, and persistence<\/p>\n
### **Public Exposure: Shodan Insights**<\/p>\n
As of publication, **Shodan search results** show **16,405 internet-facing SharePoint instances** , many of which are likely vulnerable. This highlights the scale of exposure and the urgency of remediating public deployments.<\/p>\n
<\/p>\n
## **References**<\/p>\n
* NVD NIST: CVE-2025-53770
* Vendor Advisory: Microsoft Guidance
* https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770
* Security Research: GitHub Exploit Repository
* Exploit Payload: Example Payload<\/p>\n
The post ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) appeared first on Wallarm.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) Update ID WALLARMLAB:404FAFD231E5C37C2580D301BEEEFE3B Type wallarmlab Published 2025-07-25T14:17:00 Last Updated 2025-07-25T14:17:00 Security…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,13,7,11,5,105],"class_list":["post-8970","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"\n
ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8970\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) Update ID WALLARMLAB:404FAFD231E5C37C2580D301BEEEFE3B Type wallarmlab Published 2025-07-25T14:17:00 Last Updated 2025-07-25T14:17:00 Security...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8970\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-25T12:57:08+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)\",\"datePublished\":\"2025-07-25T12:57:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970\"},\"wordCount\":748,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8970#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970\",\"name\":\"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-25T12:57:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8970\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8970#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8970","og_locale":"en_US","og_type":"article","og_title":"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) - zero redgem","og_description":"Security Update News Update Information Title ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) Update ID WALLARMLAB:404FAFD231E5C37C2580D301BEEEFE3B Type wallarmlab Published 2025-07-25T14:17:00 Last Updated 2025-07-25T14:17:00 Security...","og_url":"https:\/\/zero.redgem.net\/?p=8970","og_site_name":"zero redgem","article_published_time":"2025-07-25T12:57:08+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8970#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8970"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)","datePublished":"2025-07-25T12:57:08+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8970"},"wordCount":748,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8970#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8970","url":"https:\/\/zero.redgem.net\/?p=8970","name":"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-25T12:57:08+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8970#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8970"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8970#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8970"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8970\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}