Full Report
Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attacks. [...]
Analysis Summary
This is a summary of the vulnerabilities discussed in the provided article regarding Microsoft SharePoint RCE flaws.
# Vulnerability: SharePoint Remote Code Execution (RCE) Flaws Exploited in Attacks
## CVE Details
* **CVE ID:** CVE-2025-53770 and CVE-2025-53771 (named in the full report above; the analyzed text snippet does not detail the individual RCE flaws further).
* **CVSS Score:** Not specified in the provided text. The severity is implied as being critical due to emergency patching and active exploitation.
* **CWE:** Not specified.
## Affected Systems
* **Products:** Microsoft SharePoint (On-Premises environments seem to be the focus, as patching steps involve IIS and on-premises servers).
* **Versions:** Specific vulnerable versions are not listed in the provided text, but the urgency implies that supported on-premises versions are at risk.
* **Configurations:** SharePoint servers running Microsoft IIS.
## Vulnerability Description
The vulnerability pertains to multiple Remote Code Execution (RCE) flaws in Microsoft SharePoint that were actively being exploited in the wild, necessitating emergency patching. Exploitation leads to the compromise of the affected server.
## Exploitation
* **Status:** **Exploited in the wild**. Immediate emergency patches were released due to active exploitation.
* **Complexity:** Not explicitly rated, but the need for emergency patching and the breadth of compromise suggest attack complexity is low or medium enough for widespread abuse.
* **Attack Vector:** Likely Network/Remote, given RCE context in a web application environment.
## Impact
* **Confidentiality:** High (Implied due to RCE establishing persistence/data access).
* **Integrity:** High (Implied due to RCE allowing arbitrary code execution).
* **Availability:** High (Implied, as code execution can lead to service disruption or web shell installation).
## Remediation
### Patches
* **Action Required:** Apply the emergency patches released by Microsoft immediately. (The specific patch version is not detailed in the snippet but must be acquired via Microsoft updates).
### Workarounds
If patching is not immediately possible, the following steps constitute a complex workaround/cleanup process:
1. **Run Machine Key Rotation Job:** In the affected SharePoint farm, navigate to **Central Administration**.
2. Search for **"Machine Key Rotation Job"** and select **"Run Now."**
3. **Restart IIS:** After rotation completes, restart IIS on all SharePoint servers using `iisreset.exe`.
## Detection
Detection focuses on post-exploitation artifacts left behind by threat actors:
* **File Creation Indicators:** Look for the presence of the file: `C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx`.
* **Log Indicators:** Look for IIS logs showing:
  * A **POST** request to `_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx`.
  * An **HTTP Referer** of `_layouts/SignOut.aspx`.
* **Tools:** Microsoft 365 Defender advanced hunting query provided to check specifically for the suspicious `.aspx` file creation (the table name is `DeviceFileEvents`; KQL table names are case-sensitive):

```kql
// Hunt for spinstall0.aspx being written into the SharePoint LAYOUTS folder
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```
* **Action upon Detection:** If the file or indicators are found, a full investigation of the breached server and network is required to check for lateral movement.
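As an added example (not code from the source article or from Microsoft), the IIS log indicators above turned into a small check over a W3C-format IIS log: a POST to `ToolPane.aspx` with `DisplayMode=Edit&a=/ToolPane.aspx` and a Referer ending in `_layouts/SignOut.aspx`. The column names follow the default IIS W3C logging fields, and the log lines are constructed for illustration.

```python
"""Flag IIS W3C log entries matching the ToolShell request pattern described above."""
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from a real server). IIS writes a
# "#Fields:" header naming the columns that follow; the Referer column in
# real logs usually carries the full URL, so the check below uses endswith().
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 06:45:12 GET /_layouts/15/start.aspx - 10.0.0.5 - 200
2025-07-19 06:47:03 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-19 06:47:09 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
2025-07-19 06:50:00 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.9 /sites/hr/default.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_toolshell_request(entry):
    """True only when method, path, both query parameters and Referer all match."""
    # parse_qs also decodes percent-encoding, so a=%2FToolPane.aspx still matches.
    query = parse_qs(entry.get("cs-uri-query", ""), keep_blank_values=True)
    return (
        entry.get("cs-method", "").upper() == "POST"
        and entry.get("cs-uri-stem", "").lower().endswith("/_layouts/15/toolpane.aspx")
        and query.get("DisplayMode") == ["Edit"]
        and query.get("a") == ["/ToolPane.aspx"]
        and entry.get("cs(Referer)", "").lower().endswith("_layouts/signout.aspx")
    )


def find_hits(text):
    """Return (timestamp, client IP) for every entry matching the indicator."""
    return [(f"{e['date']} {e['time']}", e["c-ip"])
            for e in parse_w3c(text) if is_toolshell_request(e)]


if __name__ == "__main__":
    for ts, ip in find_hits(SAMPLE_LOG):
        print(f"{ts} suspicious ToolPane.aspx POST from {ip}; check for spinstall0.aspx")
```

A hit alone is a trigger for the file-creation check and the full investigation described above, not proof of compromise; the same client then requesting `spinstall0.aspx` (as in the sample) is the stronger signal.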
## References
* Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks (Source Article)
* Microsoft SharePoint zero-day exploited in RCE attacks, no patch available (Pre-patch status link)