Full Report
Cybereason is actively investigating exploitation attempts of these vulnerabilities. Check the Cybereason blog for additional updates.

Key Takeaways
- Two zero-day vulnerabilities were discovered in on-premise Microsoft SharePoint servers, tracked as CVE-2025-53770 and CVE-2025-53771.
- Affected versions and their corresponding patches: Subscription Edition (KB5002768), SharePoint 2019 (KB5002754), SharePoint 2016 (KB5002760).
- If exploited, these vulnerabilities could allow remote code execution (RCE).
- Cybereason has observed ongoing active exploitation attempts of these vulnerabilities through its Global SOC monitoring.
- Given this exploit, we recommend taking an "assume compromised" posture, immediately patching impacted versions, and conducting an incident response historical look back.
Analysis Summary
# Vulnerability: Active Zero-Day Exploitation in Microsoft SharePoint RCE Chain
## CVE Details
- CVE ID: CVE-2025-53770 (Primary RCE vector)
- CVSS Score: 9.8 (Critical)
- CWE: Not specified in the source material, but strongly implied to be insecure deserialization or an authentication bypass leading to RCE.
## Affected Systems
- Products: Microsoft SharePoint Server
- Versions:
  * Subscription Edition (Patch KB5002768)
  * SharePoint 2019 (Patch KB5002754)
  * SharePoint 2016 (Patch KB5002760)
- Configurations: On-premise installations.
## Vulnerability Description
Two related zero-day vulnerabilities, CVE-2025-53770 (Critical) and CVE-2025-53771 (High), exist in on-premise Microsoft SharePoint servers. When chained together or leveraged individually (CVE-2025-53770 being the more critical component), they allow an unauthorized remote user to achieve Remote Code Execution (RCE) over the network. These flaws appear to bypass mitigations implemented for earlier vulnerabilities (CVE-2025-49706 and CVE-2025-49704, known as "ToolShell").
## Exploitation
- Status: **Exploited in the wild** (Observed by Cybereason Global SOC monitoring). CVE-2025-53770 is listed on CISA's Known Exploited Vulnerabilities catalog.
- Complexity: Implied to be low enough for multiple threat actors (including China-linked groups like Linen Typhoon, Violet Typhoon, and Storm-2603) to leverage rapidly after discovery.
- Attack Vector: Network (Remote Code Execution).
## Impact
- Confidentiality: High (Likely, based on RCE capability)
- Integrity: High (Likely, based on RCE capability and subsequent webshell installation)
- Availability: High (Likely, based on RCE capability and potential disruption)
## Remediation
### Patches
Immediate patching is strongly recommended.
* **SharePoint Server Subscription Edition:** KB5002768
* **SharePoint 2019:** KB5002754
* **SharePoint 2016:** KB5002760 (Note: Patches for Subscription Edition and 2019 were released on July 20, 2025; the 2016 patch was still being developed at that time.)
### Workarounds
Given the active exploitation, an "assume compromised" posture is advised:
1. **If patches cannot be applied immediately, disconnect public-facing SharePoint servers from the internet** until remediation is complete.
2. **Enable the Antimalware Scan Interface (AMSI)** on all SharePoint servers (if using a Microsoft client).
3. **Install Microsoft Defender for Endpoint/Antivirus** (or equivalent) on all SharePoint servers.
4. **Add IPS/WAF signatures to block the exploit**: Specifically target POST requests to `ToolPane.aspx` with matching Referers as an interim stop-gap.
## Detection
If exploitation is suspected or confirmed:
* **Incident Response Posture:** Assume compromised and conduct a historical look back immediately.
* **File System Indicators:** Scan for newly created or suspicious **.aspx webshells** (e.g., `spinstall0.aspx`) in the `\layouts` folder.
* **Process Monitoring:** Investigate process chains where **w3wp.exe** spawns **cmd.exe** followed by **encoded PowerShell** scripts.
* **Logging Enhancement:** Enhance IIS, Sysmon, and Windows Event logging to detect abnormal POST requests and new file writes under the `layouts` directory.
* **Incident Response Engagement:** Engage an incident response team for a thorough investigation and to confirm the threat actor has been ejected.
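The detection points above (ToolPane.aspx POSTs, the `spinstall0.aspx` webshell name, and the w3wp.exe to cmd.exe to encoded PowerShell chain) can be hunted for in IIS and Sysmon-style data. The following is an added example, not Cybereason's tooling; the IIS `#Fields` order, the process-event tuple shape and all sample values are constructed assumptions.

```python
"""Hunting helpers for the indicators listed above: POSTs to ToolPane.aspx, hits on
spinstall0.aspx, and w3wp.exe -> cmd.exe -> encoded PowerShell (added example)."""
import re
# Constructed IIS W3C log excerpt (the #Fields order is assumed; not real traffic).
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 10:01:02 GET /_layouts/15/start.aspx - 10.0.0.5 - 200
2025-07-19 10:01:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 http://203.0.113.7/ref 200
2025-07-19 10:01:10 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
"""
# Constructed Sysmon-style process events as (pid, ppid, image, command line).
PROC_EVENTS = [
    (4120, 812, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap SharePoint"),
    (5200, 4120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc SQBFAFgA"),
    (5288, 5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc SQBFAFgA"),
]
# -e, -ec, -enc and -EncodedCommand all launch encoded PowerShell (case-insensitive).
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.I)

def parse_iis(text):
    """Turn a W3C log excerpt into dicts keyed by the names in its #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def suspicious_requests(rows):
    """Flag ToolPane.aspx POSTs (with Referer, for WAF tuning) and webshell hits."""
    hits = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and stem.endswith("/toolpane.aspx"):
            hits.append(("toolpane-post", r["c-ip"], r["cs(Referer)"]))
        elif "/_layouts/" in stem and stem.endswith("/spinstall0.aspx"):
            hits.append(("webshell-request", r["c-ip"], stem))
    return hits

def encoded_powershell_from_w3wp(events):
    """Return PIDs of encoded PowerShell whose lineage is w3wp.exe -> cmd.exe -> powershell.exe."""
    by_pid = {pid: (ppid, img.lower(), cmd) for pid, ppid, img, cmd in events}
    flagged = []
    for pid, (ppid, img, cmd) in by_pid.items():
        parent = by_pid.get(ppid)
        grandparent = by_pid.get(parent[0]) if parent else None
        if (img.endswith("powershell.exe") and ENC_FLAG.search(cmd) and parent
                and parent[1].endswith("cmd.exe") and grandparent and grandparent[1].endswith("w3wp.exe")):
            flagged.append(pid)
    return flagged
```

Every ToolPane.aspx POST is reported together with its Referer so the Referer pattern used in the IPS/WAF signature can be tuned against real traffic rather than guessed.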
## References
- Cybereason Blog (For active updates)
- Microsoft Update Guide, CVE-2025-53770: `https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770`
- Microsoft Update Guide, CVE-2025-53771: `https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771`
- NVD, CVE-2025-53770: `https://nvd.nist.gov/vuln/detail/CVE-2025-53770`
- NVD, CVE-2025-53771: `https://nvd.nist.gov/vuln/detail/CVE-2025-53771`