Full Report
A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide. [...]
Analysis Summary
# Vulnerability: Microsoft SharePoint Zero-Day RCE Variant Exploited in the Wild
## CVE Details
- CVE ID: CVE-2025-53770
- CVSS Score: Not explicitly stated, but described as **critical** and actively exploited in Remote Code Execution (RCE) attacks.
- CWE: Relates to a variant of CVE-2025-49706 (part of the "ToolShell" chain).
## Affected Systems
- Products: Microsoft SharePoint Server (on-premises only). *Note: Does not impact Microsoft 365.*
- Versions: SharePoint Server 2016, 2019, and Subscription Edition (unspecified vulnerable versions, consistent with prior patched vulnerabilities).
- Configurations: On-premises deployments.
## Vulnerability Description
CVE-2025-53770 is a critical zero-day vulnerability in Microsoft SharePoint, described as a variant of CVE-2025-49706. Attackers, leveraging a chain involving this flaw (similar to the Pwn2Own "ToolShell" combination of CVE-2025-49706 and CVE-2025-49704), can achieve unauthenticated Remote Code Execution (RCE). Exploitation involves uploading a malicious file (`spinstall0.aspx`) to steal configuration material, specifically the SharePoint server's `ValidationKey` and `DecryptionKey` used for cryptographically signing `__VIEWSTATE` payloads. With this key, attackers can craft valid, signed payloads to achieve RCE on the server when deserialized.
## Exploitation
- Status: **Exploited in the wild** (Active attacks observed since at least July 18th, with over 85 servers compromised as of report time).
- Complexity: Implied **Low** (Unauthenticated RCE, weaponized shortly after public demonstrations).
- Attack Vector: **Network** (Unauthenticated attack).
## Impact
- Confidentiality: **High** (Ability to steal critical cryptographic keys).
- Integrity: **High** (Potential for arbitrary code execution).
- Availability: **High** (Server compromise leads to service disruption).
## Remediation
### Patches
- **None available at the time of the advisory.** Microsoft is working on a security update to be released ASAP.
### Workarounds
1. **Enable AMSI Integration:** Ensure the Antimalware Scan Interface (AMSI) integration is enabled in SharePoint. This is enabled by default for SharePoint Server 2016/2019 since September 2023 updates and for Subscription Edition with the Version 23H2 update.
2. **Deploy Defender AV:** Deploy Microsoft Defender Antivirus on all SharePoint servers.
3. **Server Isolation (If AMSI cannot be enabled):** Disconnect SharePoint servers from the internet until a security update is released.
## Detection
- **File System IOC:** Check for the existence of the malicious file: `C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx`.
- **Behavioral IOC (IIS Logs):** Look for suspicious POST requests to `_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with an HTTP referer of `_layouts/SignOut.aspx`.
- **Network IOCs (Source IPs):** Monitor traffic from observed attacker IPs:
- `107.191.58[.]76`
- `104.238.159[.]149`
- `96.9.125[.]147`
- **M365 Defender Query:** Use the provided KQL query to search for the artifact in device file events:
kql
eviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
- **Action:** If any IOCs are confirmed, assume compromise and immediately take the server offline for forensic investigation.
## References
- Vendor Advisory (Microsoft Security Response Center): `http://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770`
- Initial Disclosure/Analysis: `https://research.eye.security/sharepoint-under-siege/`
- Context on Prior Flaws: `https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706`
- Context on Prior Flaws: `https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704`
- Pwn2Own Details: `https://x.com/codewhitesec/status/1944743478350557232`