Symantec products already block CVE-2025-53770 exploit attempts.

Analysis Summary
# Vulnerability: Microsoft SharePoint Remote Code Execution (ToolShell Variant)
## CVE Details
- CVE ID: CVE-2025-53770
- CVSS Score: Not provided in the source (unauthenticated RCE vulnerabilities are generally rated High or Critical)
- CWE: Not provided in the source
## Affected Systems
- Products: Microsoft SharePoint Server (On-premises)
- Versions: Not specified in the source; vulnerable on-premises versions are identified in the MSRC guidance
- Configurations: On-premises installations
## Vulnerability Description
CVE-2025-53770, dubbed "ToolShell," is an unauthenticated remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint servers. Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the server remotely, giving full access to the server's content and file system. This vulnerability is reported to be a variant of a previously patched vulnerability, CVE-2025-49704.
## Exploitation
- Status: Exploited in the wild (reported as an active zero-day attack)
- Complexity: Low (no authentication is required)
- Attack Vector: Network
## Impact
- Confidentiality: High (access to all content and the file system)
- Integrity: High (arbitrary code execution on the server)
- Availability: High (potential for denial of service or full system compromise)
## Remediation
### Patches
- Microsoft has released guidance and patches. Specific patch versions are not listed in this summary; they are available through the standard Microsoft update channels referenced in the MSRC guidance.
### Workarounds
- No vendor workarounds beyond applying the patch guidance are detailed in this summary.
## Detection
- **Indicators of Compromise (IoCs):** The source does not list specific IoCs. Based on the vulnerability description, indicators would include unusual process execution originating from SharePoint services, unexpected file system modifications, or network activity matching known exploitation patterns for this vulnerability class.
- **Detection Methods and Tools:** Symantec products (and potentially other security platforms) provide network protection signatures that block exploitation attempts, such as `Web Attack: Microsoft SharePoint CVE-2025-49704` (note: this signature is listed for the predecessor vulnerability but may also cover the variant). Security teams should actively monitor Windows Event Logs and IIS logs for suspicious requests targeting SharePoint services.
## References
- Vendor Advisories:
  - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704