Full Report
Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019.
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in SharePoint Server via Path Traversal
## CVE Details
- CVE ID: CVE-2025-53770, CVE-2025-53771
- CVSS Score: N/A (Severity inferred as High due to RCE & active exploitation)
- CWE: Path Traversal (Implied)
## Affected Systems
- Products: SharePoint Server Subscription Edition, SharePoint Server 2016, SharePoint Server 2019
- Versions: All unpatched on-premises versions. (Note: SharePoint Online in Microsoft 365 is NOT affected.)
- Configurations: On-premises deployments.
## Vulnerability Description
CVE-2025-53770 and CVE-2025-53771 are path traversal vulnerabilities that chain into unauthenticated Remote Code Execution (RCE). They are related to the earlier vulnerabilities CVE-2025-49704 / CVE-2025-49706, whose exploitation required authentication: an attacker first had to extract the `ValidationKey` in order to produce a valid signature. Attackers have since modified the exploitation method so that a valid signature can be obtained without authenticating, which leads directly to RCE without any user credentials.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (Due to the removal of the authentication requirement)
- Attack Vector: Network
## Impact
- Confidentiality: High (Implied due to RCE)
- Integrity: High (Implied due to RCE)
- Availability: High (Implied due to RCE)
## Remediation
### Patches
- Microsoft has released security updates for affected on-premises SharePoint products.
- Specific update mentioned for SharePoint Server 2016: KB5002760 (${link_to_KB5002760})
### Workarounds
1. **Rotate ASP.NET Machine Keys:** After applying patches, administrators must rotate their SharePoint Server ASP.NET machine keys so that any existing signing keys that may have been compromised during an attack are invalidated. This can be done manually via PowerShell or Central Admin (${link_to_key_rotation_guide}).
2. **Enable AMSI:** Ensure the Antimalware Scan Interface (AMSI) is turned on and correctly configured with the associated antivirus solution, as a secondary defense layer.
## Detection
- **Network/Signature Detection:**
  - **Snort SID 65092:** Detects exploitation attempts related to the underlying vulnerability chain (CVE-2025-49704 context).
  - **Snort SID 65183:** Detects the deployment of the webshell being used in active campaigns (ClamAV signature: Asp.Webshell.SharpyShell-10056352-3).
- **Endpoint/Behavioral Detection (Splunk examples):**
  - Suspicious SharePoint requests targeting the vulnerable `ToolPane` endpoint.
  - Patterns indicative of the authentication bypass seen in "ToolShell" campaigns.
  - Post-exploitation behaviors: malicious PowerShell execution originating from `w3wp.exe`, suspicious child processes spawned by `w3wp.exe`, and creation of `spinstall0.aspx` web shells.
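The behavioral indicators above, turned into a small offline detection script as an added example (this is not Talos or Microsoft code): it flags anonymous POSTs to the `ToolPane` endpoint and any access to `spinstall0.aspx` in IIS W3C logs, and flags `w3wp.exe` spawning a shell or PowerShell in process-creation events. The log lines, the event records and the set of child processes treated as suspicious are constructed assumptions for the example.

```python
import re

# Constructed IIS W3C sample (not real traffic). Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2025-07-20 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-20 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-20 10:01:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Constructed process-creation events (Sysmon event ID 1 style, simplified).
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Get-ChildItem"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost -k netsvcs"},
]

# Assumption for the example: these children of the SharePoint worker process warrant review.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def parse_iis(line):
    """Split one W3C log line into the fields the detections need; None if malformed."""
    f = line.split()
    if len(f) < 11:
        return None
    return {"method": f[3], "uri": f[4], "user": f[7], "client": f[8], "status": f[10]}

def detect_web(log_text):
    """Return (rule, client_ip, uri) tuples for requests matching the ToolShell indicators."""
    alerts = []
    for line in log_text.splitlines():
        e = parse_iis(line)
        if e is None:
            continue
        uri = e["uri"].lower()
        # Editors legitimately POST to ToolPane.aspx, so only an anonymous ('-') POST is flagged.
        if uri.endswith("/toolpane.aspx") and e["method"] == "POST" and e["user"] == "-":
            alerts.append(("toolpane_unauth_post", e["client"], e["uri"]))
        if uri.endswith("/spinstall0.aspx"):  # web shell file name from the campaign
            alerts.append(("spinstall0_webshell_access", e["client"], e["uri"]))
    return alerts

def detect_process(events):
    """Return (rule, cmdline) tuples where w3wp.exe spawned a suspicious child."""
    alerts = []
    for ev in events:
        parent = re.split(r"[\\/]", ev["parent"])[-1].lower()
        child = re.split(r"[\\/]", ev["image"])[-1].lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append(("w3wp_spawned_" + child, ev["cmdline"]))
    return alerts
```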
## References
- Vendor Advisory: Microsoft Security Response Center (MSRC) guidance for CVE-2025-53770 (${link_to_MSRC_guidance_cve-2025-53770})
- CISA Alert: (${link_to_cisa_alert})
- KB Article: KB5002760 (${link_to_KB5002760})
- Key Rotation Guide: (${link_to_key_rotation_guide})