Full Report
Microsoft has disclosed two actively exploited zero-day vulnerabilities in on-premises SharePoint Server—CVE-2025-53770 (RCE via unsafe deserialization) and CVE-2025-53771 (authentication bypass via Referer header spoofing). These flaws form a chained exploit known as ToolShel...
Analysis Summary
# Vulnerability: Chained Exploitation of SharePoint Server (ToolShell)
## CVE Details
- CVE ID: CVE-2025-53770, CVE-2025-53771 (Chained)
- CVSS Score: Not explicitly provided in the text, but RCE/Auth Bypass implies Critical/High.
- CWE: Unsafe Deserialization (for RCE), Authentication Bypass (for Auth Bypass)
## Affected Systems
- Products: Microsoft on-premises SharePoint Server
- Versions: Specific vulnerable versions not detailed, but affects self-managed, on-prem instances.
- Configurations: Self-managed, on-premises installations.
## Vulnerability Description
Two zero-day vulnerabilities are chained to achieve unauthenticated Remote Code Execution (RCE):
1. **CVE-2025-53771 (Authentication Bypass):** Achieved via Referer header spoofing in a POST request directed at the SharePoint ToolPane endpoint, allowing an unauthenticated attacker to bypass initial checks.
2. **CVE-2025-53770 (RCE):** Once authenticated (via the bypass), the attacker submits a serialized payload which SharePoint deserializes without validation, leading to the deployment of an ASPX web shell (`spinstall0.aspx`). This shell is subsequently used to steal machineKeys to sign malicious ViewState payloads for arbitrary code execution.
## Exploitation
- Status: Exploited in the wild (as early as July 18, 2025).
- Complexity: Implies Medium/High, as it requires chaining two specific flaws and payload generation (e.g., using tools like `ysoserial`).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Web shell deployment allows subsequent data extraction, including machineKeys).
- Integrity: Critical (Arbitrary code execution).
- Availability: High (Potential for system takeover/disruption via RCE).
## Remediation
### Patches
- Microsoft issued emergency patches following the discovery of these bypasses in mid-July 2025.
- *Note: Specific patch KB numbers or versions are not provided in the source text, only that emergency patches were issued.*
### Workarounds
- No specific workarounds are explicitly detailed in the provided text, indicating immediate patching is the primary defense.
## Detection
- Indicators of Compromise: Deployment of the `spinstall0.aspx` web shell.
- Detection methods and tools: Monitor network traffic for POST requests targeting the SharePoint ToolPane endpoint with spoofed headers. Look for anomalous activity indicative of payload deserialization or subsequent web shell activity.
## References
- Vendor advisories: Microsoft Emergency Patch Disclosure (Mid-July 2025).
- Relevant links - defanged: hxxps://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-know