Full Report
Two critical zero-day vulnerabilities in the Microsoft SharePoint Server environment, CVE-2025-53770 (9.8 CVSS score) and CVE-2025-53771 (6.5 CVSS score), are being actively exploited by threat actors to compromise vulnerable on-premises SharePoint servers.
Analysis Summary
# Vulnerability: Zero-Day Exploitation in Microsoft SharePoint Server
## CVE Details
- CVE ID: CVE-2025-53770
- CVSS Score: 9.8 (Critical)
- CWE: N/A
- CVE ID: CVE-2025-53771
- CVSS Score: 6.5 (Medium)
- CWE: N/A
## Affected Systems
- Products: Microsoft SharePoint Server
- Versions: Not detailed in the provided context; implicitly, any on-premises version lacking the patch is vulnerable.
- Configurations: On-premises SharePoint servers.
## Vulnerability Description
Two critical zero-day vulnerabilities are present in Microsoft SharePoint Server. CVE-2025-53770 (Critical, RCE) and CVE-2025-53771 (Medium) are being actively exploited. Attackers use these flaws to compromise vulnerable on-premises environments. The exploitation path appears to involve requests to specific layout pages to trigger payload execution and RCE.
## Exploitation
- Status: **Exploited in the wild** (Both CVEs are being actively exploited)
- Complexity: Implied Low/Medium (Due to active exploitation and high CVSS score for CVE-2025-53770)
- Attack Vector: Network
## Impact
- Confidentiality: High (Implied by RCE capabilities used to "extract cryptographic keys")
- Integrity: High (Implied by RCE capabilities)
- Availability: High (Implied by control over the server)
## Remediation
### Patches
- **No specific patch details or version numbers were provided in the context.** Users must refer to the official Microsoft security bulletin corresponding to CVE-2025-53770 and CVE-2025-53771 for patching information.
### Workarounds
- No formal workarounds were detailed in the provided context.
## Detection
Attackers leverage specific HTTP request paths and user agents during exploitation phases.
- **Indicators of Compromise (IOCs):**
  - **Malicious File Creation:**
    - `C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx` (file created after an encoded command is run)
    - `C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js` (file created after a PowerShell command is run)
  - **HTTP Request Paths Used in Exploitation:**
    - `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`
    - `/_layouts/15/ToolPane.aspx?a=/ToolPane.aspx`
    - GET `/_layouts/15/spinstall0.aspx` (accessing the malicious ASPX file after upload)
  - **HTTP Header Referenced:**
    - Referer: `/_layouts/SignOut.aspx`
  - **User-Agent String Observed (July 18 & 19, 2025):**
    - `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0`
    - URL-encoded form as it appears in IIS logs: `Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0`
- **Detection Methods and Tools:**
  - Monitor IIS/application logs for the HTTP request paths listed above, in combination with the Referer and User-Agent values.
  - Search filesystem logs or endpoint detection systems for the creation of the malicious `.aspx` and `.js` files in the SharePoint `LAYOUTS` directory.
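The following script is an added example of the detection method described above; it is not part of the original advisory and does not come from Microsoft. It parses IIS W3C extended log lines (the `#Fields:` directive names the columns, and IIS writes `+` for spaces in the User-Agent and Referer columns), flags every request that matches the advisory's request paths, Referer or User-Agent, and checks the `LAYOUTS` directory for the two dropped file names. The log lines embedded in `SAMPLE_LOG`, including the host name and client IP, are constructed for the example; the `LAYOUTS` path is the one quoted in the advisory.

```python
"""Scan IIS W3C extended logs and the SharePoint LAYOUTS directory for the
indicators listed in the advisory above (added example, not vendor code)."""
import os
import urllib.parse
from dataclasses import dataclass, field

# Indicators copied from the advisory (lower-cased for case-insensitive matching).
SUSPICIOUS_REQUESTS = [
    ("/_layouts/15/toolpane.aspx", "displaymode=edit"),
    ("/_layouts/15/toolpane.aspx", "a=/toolpane.aspx"),
    ("/_layouts/15/spinstall0.aspx", None),      # any access to the dropped page
]
SUSPICIOUS_REFERER = "/_layouts/signout.aspx"
SUSPICIOUS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
                 "Gecko/20100101 Firefox/120.0")
DROPPED_FILES = ("spinstall0.aspx", "debug_dev.js")
DEFAULT_LAYOUTS_DIR = (r"C:\Program Files\Common Files\microsoft shared"
                       r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reasons: list = field(default_factory=list)


def parse_iis_log(lines):
    """Yield (line_no, record) for each data line of a W3C extended log.
    Column names are taken from the '#Fields:' directive, so field order is not assumed."""
    fields = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue    # truncated or malformed line: skip rather than misalign columns
        yield line_no, dict(zip(fields, parts))


def decode_field(value):
    """IIS writes '-' for empty values and '+' for spaces in cs(User-Agent) / cs(Referer)."""
    return "" if value == "-" else urllib.parse.unquote_plus(value)


def scan_log(lines):
    """Return one Hit per request that matches at least one advisory indicator."""
    hits = []
    for line_no, rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        query = decode_field(rec.get("cs-uri-query", "-")).lower()
        referer = decode_field(rec.get("cs(Referer)", "-")).lower()
        ua = decode_field(rec.get("cs(User-Agent)", "-"))
        reasons = []
        for ioc_stem, ioc_query in SUSPICIOUS_REQUESTS:
            if stem == ioc_stem and (ioc_query is None or ioc_query in query):
                reasons.append(f"request {ioc_stem}" + (f"?{ioc_query}" if ioc_query else ""))
        if SUSPICIOUS_REFERER in referer:
            reasons.append(f"referer {SUSPICIOUS_REFERER}")
        if ua == SUSPICIOUS_UA:
            reasons.append("user-agent matches observed string")
        if reasons:
            hits.append(Hit(line_no, rec.get("c-ip", "?"), reasons))
    return hits


def check_layouts_dir(layouts_dir=DEFAULT_LAYOUTS_DIR):
    """Return the advisory-listed dropped file names that exist in the LAYOUTS directory."""
    if not os.path.isdir(layouts_dir):
        return []
    present = {name.lower() for name in os.listdir(layouts_dir)}
    return [name for name in DROPPED_FILES if name in present]


# Constructed sample log: one benign request, then the two exploitation-stage requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200 0 0 45
2025-07-18 10:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sharepoint.example.test/_layouts/SignOut.aspx 200 0 0 120
2025-07-18 10:02:40 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 31
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no} from {hit.client_ip}: {'; '.join(hit.reasons)}")
    print("dropped files present:", check_layouts_dir())
```

Against a real server, point `scan_log` at the files under the IIS log directory and run `check_layouts_dir()` with its default path; the User-Agent match is exact because the advisory gives one observed string, while the Referer and query checks are substring matches so that the full URL IIS records and any extra query parameters do not hide a hit.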
## References
- Vendor advisories are not linked in the provided text. Users must search for Microsoft Security Updates referencing CVE-2025-53770 and CVE-2025-53771.