Microsoft SharePoint On-Premise Vulnerability (CVE-2025-53770) Under Active Exploitation (CVSS 9.8)
**Key Takeaways:**
- CVE-2025-53770 is a critical zero-day vulnerability in Microsoft SharePoint Server, allowing unauthenticated remote code execution.
- Affected systems include SharePoint Server 2016, 2019, and Subscription Edition (SE) on-premises versions.
- Exploitation involves a deserialization flaw within the ToolPane interface, bypassing previous security measures.
- Mitigation steps include applying emergency security updates, enhancing security monitoring, and rotating ASP.NET MachineKeys.
- Observed post-exploitation activities include deploying web shells and extracting ASP.NET MachineKey secrets.
Table of Contents:
- CVE-2025-53770: Microsoft SharePoint Server Vulnerability Details
- Affected Systems
- Technical Analysis
- Post-Exploitation Activities
- Indicators of Compromise (IOCs)
- Vulnerability Detection
- Mitigation and Recommendations
- Adversary Infrastructure and Indicators Behind the SAP NetWeaver 0-Day Exploitation – CVE-2025-31324
- Ivanti EPMM Bugs Combine for Unauthenticated RCE in the Wild – CVE-2025-4427, CVE-2025-4428
- WinRAR Zero-Day Exploited in Espionage Attacks Against High-Value Targets – CVE-2025-8088
- Practical Takeaways
- FAQ
A critical zero-day vulnerability, identified as CVE-2025-53770, has been discovered in Microsoft SharePoint Server, impacting multiple on-premises versions. This vulnerability allows unauthenticated remote code execution and is currently being actively exploited in the wild.
CVE-2025-53770: Microsoft SharePoint Server Vulnerability Details
The vulnerability, CVE-2025-53770, poses a significant risk as it enables unauthenticated remote code execution via a deserialization flaw within the ToolPane interface. This allows attackers to execute arbitrary code on affected systems without requiring any user credentials. This issue is a variant of the ToolShell exploit chain (CVE-2025-49706 and CVE-2025-49704), effectively bypassing previous security measures implemented in July 2025.
Affected Systems
The following Microsoft SharePoint on-premises versions are affected:
- SharePoint Server 2016 builds earlier than 16.0.5508.1000 (KB5002760)
- SharePoint Server 2019 builds earlier than 16.0.10417.20027 (KB5002754)
- SharePoint Server Subscription Edition (SE) builds earlier than 16.0.18526.20424 (KB5002768)
Technical Analysis
The technical basis of CVE-2025-53770 lies in a .NET deserialization flaw within Microsoft SharePoint Server. This vulnerability permits unauthenticated remote code execution through the improper handling of serialized data directed to the `/_layouts/15/ToolPane.aspx` endpoint. This endpoint, when accessed with a specially crafted HTTP request, triggers the vulnerability.
An attacker can exploit this by sending a malicious HTTP POST request to the `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` endpoint with the Referer header set to `/_layouts/SignOut.aspx`. This action initiates server-side logic that deserializes untrusted input. The attacker injects a malformed .NET serialized object, typically crafted using tools like ysoserial.net, into the request body. Upon deserialization by SharePoint’s backend components, this results in arbitrary code execution within the context of the SharePoint service account.
This vulnerability bypasses existing security patches by exploiting a different logical path involving `SignOut.aspx` as a misleading referrer, making it a particularly dangerous variant of the ToolShell exploit chain.
Post-Exploitation Activities
Following a successful exploit, attackers have been observed engaging in the following activities:
- Deploying web shells, such as spinstall0.aspx, to maintain persistent access.
- Extracting ASP.NET MachineKey secrets, which allows for long-term persistence and potential access resale.
Indicators of Compromise (IOCs)
Identifying potential compromises involves examining file-based and log-based IOCs, as well as monitoring network traffic for malicious IP addresses.
File-Based IOCs:
- Presence of spinstall0.aspx in `\TEMPLATE\LAYOUTS\`.
- Unexpected .aspx or .ashx files in SharePoint virtual directories.
Log-Based IOCs:
- POST requests to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` with `Referer: /_layouts/SignOut.aspx`.
Known Malicious IP Addresses:
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
Defender AV/EDR Alerts:
- Exploit:Script/SuspSignoutReq.A
- Trojan:Win32/HijackSharePointServer.A
- Possible web shell installation
- Possible exploitation of SharePoint server vulnerabilities
- Suspicious IIS worker process behavior
- ‘SuspSignoutReq’ malware was blocked on a SharePoint server
- ‘HijackSharePointServer’ malware was blocked on a SharePoint server
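To make the log- and file-based IOCs above actionable, here is an added example (not code from the advisory or from Microsoft) that parses IIS W3C logs and flags the ToolPane/SignOut request pattern, any request for spinstall0.aspx, and traffic from the three listed IP addresses, then checks a LAYOUTS directory for the web shell or any .aspx/.ashx file missing from a known-good baseline. The IP addresses, the web shell name and the request pattern come from the advisory; the log lines, hostnames and the baseline file set are constructed sample data, and the baseline itself is an assumption (in practice it would come from a reference server or a file manifest). The fourth sample request is a legitimate page edit by an administrator and shows why the Referer check matters: a POST to ToolPane.aspx with DisplayMode=Edit is normal on its own.

```python
"""Hunt for the file- and log-based indicators of CVE-2025-53770 listed above.

Added example, not code from the advisory. The IPs, spinstall0.aspx and the
request pattern are the advisory's; log lines, hosts and the baseline are
constructed. Log format: IIS W3C extended (columns named by #Fields).
"""
import os
import tempfile
from typing import Dict, Iterable, Iterator, List, Set

KNOWN_BAD_IPS: Set[str] = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
WEB_SHELL_NAME = "spinstall0.aspx"


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the column names in #Fields."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date carry no request data
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than shift columns
        yield dict(zip(fields, values))


def classify(req: Dict[str, str]) -> List[str]:
    """Return the IOC labels one request matches (empty list = nothing seen)."""
    hits: List[str] = []
    stem = req.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
    query = req.get("cs-uri-query", "").lower()
    referer = req.get("cs(Referer)", "").lower()
    # Log IOC: POST ToolPane.aspx?DisplayMode=Edit with a SignOut.aspx Referer.
    # The Referer is what separates this from a legitimate page edit.
    if (req.get("cs-method") == "POST"
            and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in query
            and "/_layouts/signout.aspx" in referer):
        hits.append("toolshell-request")
    if stem.endswith("/" + WEB_SHELL_NAME):  # web shell dropped post-exploitation
        hits.append("webshell-access")
    if req.get("c-ip") in KNOWN_BAD_IPS:
        hits.append("known-bad-ip")
    return hits


def hunt_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the matching requests."""
    findings = []
    for req in parse_w3c(lines):
        labels = classify(req)
        if labels:
            findings.append({**req, "iocs": ",".join(labels)})
    return findings


def hunt_layouts(layouts_dir: str, baseline: Set[str]) -> List[str]:
    """File IOC: spinstall0.aspx anywhere, or an .aspx/.ashx not in the baseline.

    baseline = lower-case, '/'-separated relative paths of the .aspx/.ashx files a
    clean install ships (an assumption of this example, not from the advisory).
    """
    flagged: List[str] = []
    for root, _dirs, files in os.walk(layouts_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, layouts_dir).replace(os.sep, "/").lower()
            if name.lower() == WEB_SHELL_NAME:
                flagged.append(path)
            elif rel.endswith((".aspx", ".ashx")) and rel not in baseline:
                flagged.append(path)
    return flagged


# Constructed sample log: a benign request, the exploit request and web-shell
# fetch from a listed IP, then a legitimate admin edit that must NOT match.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.41 Mozilla/5.0 https://sp.contoso.local/SitePages/Home.aspx 200 0 0 31
2025-07-19 03:15:52 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 187
2025-07-19 03:16:01 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 12
2025-07-19 03:20:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.41 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200 0 0 40
"""


def demo_layouts() -> List[str]:
    """Build a throwaway LAYOUTS-like tree (constructed) and return flagged basenames."""
    baseline = {"settings.aspx", "upload.aspx"}
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("settings.aspx", "spinstall0.aspx", "Debug.ashx", "readme.txt"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("sample")
        return sorted(os.path.basename(p) for p in hunt_layouts(tmp, baseline))
```

Running `hunt_logs(SAMPLE_LOG.splitlines())` returns the two requests from 107.191.58.76 (the exploit POST and the web shell fetch) and nothing for the administrator's edit; `demo_layouts()` flags spinstall0.aspx and the unknown Debug.ashx while leaving the baseline file alone. On a real server, point `hunt_layouts` at the LAYOUTS directory named above and feed `hunt_logs` the W3C log files from the IIS log directory.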
Vulnerability Detection
The vulnerability can be identified using vulnerability scanners with the following modules:
- Qualys QID: 110501
- Nessus Plugin ID: 242415
Mitigation and Recommendations
To mitigate the risk posed by CVE-2025-53770, organizations should take immediate action by applying security updates, enhancing security monitoring, and implementing preventative measures.
1. Apply Emergency Security Updates
Microsoft has released out-of-band patches for the affected SharePoint Server versions:
- SharePoint Server Subscription Edition: KB5002768
- SharePoint Server 2019: KB5002754
- SharePoint Server 2016: KB5002760
2. Enable/Verify AMSI & Defender Antivirus
- Ensure that Antimalware Scan Interface (AMSI) is enabled.
- Verify that an appropriate AV/EDR solution is deployed and functioning correctly.
3. Rotate ASP.NET MachineKeys
Follow Microsoft’s guide on rotating ASP.NET MachineKeys:
Improved ASP.NET view state security and key management – SharePoint Server | Microsoft Learn
4. Incident Detection and Response
- Review IIS and ULS logs for activity matching the IOCs provided.
- Hunt for newly created files or suspicious modules loaded by the w3wp.exe process.
Adversary Infrastructure and Indicators Behind the SAP NetWeaver 0-Day Exploitation – CVE-2025-31324
A previously unknown vulnerability in SAP NetWeaver Visual Composer, identified as CVE-2025-31324, was found being exploited in the wild against exposed enterprise systems. The vulnerability allowed unauthenticated attackers to upload malicious JSP files and gain remote code execution. While the technical details of the vulnerability have already been thoroughly documented elsewhere, this article focuses on a different aspect of the event: the observable indicators and adversary infrastructure used during the exploitation window.
The exploitation infrastructure included the following IP addresses:
- 184.174.96[.]67
- 184.174.96[.]74
- 88.119.174[.]107
- 177.54.223[.]24
- 180.131.145[.]73
Domains included:
- officetoolservices[.]com
- networkmaintenanceservice[.]com
- misctoolsupdate[.]com
- leapsummergetis[.]com
- onlinenetworkupdate[.]com
Ivanti EPMM Bugs Combine for Unauthenticated RCE in the Wild – CVE-2025-4427, CVE-2025-4428
On March 13, Ivanti disclosed two vulnerabilities which affect their on-premises Endpoint Manager Mobile product: CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (an authenticated RCE vulnerability). While neither bug is critically severe on its own, with CVSS scores of 5.3 and 7.2, when chained together they provide a route for an unauthenticated remote attacker to execute malicious code on affected EPMM instances. Ivanti has confirmed limited in-the-wild exploitation of these bugs prior to initial disclosure, and multiple external sources including GreyNoise and Wiz have since confirmed ongoing in-the-wild exploitation starting on May 16, roughly coinciding with the public release of proof-of-concept code.
Affected systems include the following versions of Ivanti Endpoint Manager Mobile:
- 11.12.0.4 and prior
- 12.3.0.1 and prior
- 12.4.0.1 and prior
- 12.5.0.0 and prior
Mitigation can be achieved by patching your EPMM instance to one of the following versions:
- 11.12.0.5
- 12.3.0.2
- 12.4.0.2
- 12.5.0.1
Until patches are applied, restrict network access to the endpoints affected by the authentication bypass, `/rs/api/v2/*` and `/mifs/rs/api/v2/*`.
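Deciding which hosts in an inventory are still exposed comes down to comparing installed builds against the fixed builds listed in the SharePoint "Affected Systems" section above and in the EPMM version lists just given. The following added example (not code from this article, Microsoft or Ivanti) does that comparison numerically, component by component; the fixed builds are the ones this article lists, and the inventory rows are constructed sample data. The reason to bother: compared as strings, "16.0.5508.1000" sorts above "16.0.10417.20027", which is exactly the mistake that reports a vulnerable SharePoint 2016 server as patched. The EPMM check also handles the branch structure of the list (each line is "X and prior" for one support branch) and reports a branch the article does not cover as unknown rather than as safe.

```python
"""Version triage for the SharePoint (CVE-2025-53770) and Ivanti EPMM
(CVE-2025-4427/4428) fixed releases listed in this article.

Added example, not code from the article or either vendor. Fixed builds are
the article's; the inventory rows are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'16.0.5508.1000' -> (16, 0, 5508, 1000), so tuple comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))


# Minimum non-vulnerable builds from the article (KB numbers as given there).
SHAREPOINT_FIXED: Dict[str, str] = {
    "SharePoint Server 2016": "16.0.5508.1000",                    # KB5002760
    "SharePoint Server 2019": "16.0.10417.20027",                  # KB5002754
    "SharePoint Server Subscription Edition": "16.0.18526.20424",  # KB5002768
}

# EPMM fixed release for each supported branch, from the article.
EPMM_FIXED: List[str] = ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"]


def sharepoint_vulnerable(product: str, build: str) -> bool:
    """True when the installed build is older than the fixed build for that product."""
    return parse_version(build) < parse_version(SHAREPOINT_FIXED[product])


def epmm_vulnerable(version: str) -> Optional[bool]:
    """Each EPMM line in the article is 'X and prior' for one branch.

    Resolve the lowest fixed release whose branch (first three components) is
    at or above ours and compare against it. A branch newer than any listed
    is outside the article's scope and is returned as None, not as 'safe'.
    """
    installed = parse_version(version)
    for fixed in sorted(parse_version(f) for f in EPMM_FIXED):
        if fixed[:3] >= installed[:3]:
            return installed < fixed
    return None


# Constructed inventory: hostname, product, reported build.
SAMPLE_INVENTORY = [
    ("sp-2016-01", "SharePoint Server 2016", "16.0.5500.1001"),
    ("sp-2019-01", "SharePoint Server 2019", "16.0.10417.20027"),
    ("sp-se-01", "SharePoint Server Subscription Edition", "16.0.18526.20000"),
]


def triage_sharepoint(inventory) -> List[Tuple[str, bool]]:
    """(hostname, vulnerable?) for every row of an inventory export."""
    return [(host, sharepoint_vulnerable(product, build)) for host, product, build in inventory]


if __name__ == "__main__":
    for host, vulnerable in triage_sharepoint(SAMPLE_INVENTORY):
        print(host, "PATCH NOW" if vulnerable else "ok")
    for v in ("11.12.0.4", "12.0.0.0", "12.4.0.2", "12.6.0.0"):
        print("EPMM", v, epmm_vulnerable(v))
```

Feed `triage_sharepoint` the rows of a configuration-management or scanner export; the product name selects the fixed build, so a 2019 server is never measured against the 2016 number.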
WinRAR Zero-Day Exploited in Espionage Attacks Against High-Value Targets – CVE-2025-8088
ESET researchers have uncovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. Tracked as CVE-2025-8088, the path traversal flaw affects WinRAR’s Windows version and lets threat actors execute arbitrary code by crafting malicious archive files.
If you use WinRAR, you should update to the tool’s latest version (version 7.13) as soon as possible, if you haven’t already.
This campaign targeted financial, manufacturing, defense, and logistics companies in Europe and Canada.
Files (SHA-1 hash and filename) used in attacks exploiting CVE-2025-8088 include:
- 371A5B8BA86FBCAB80D4E0087D2AA0D8FFDDC70B – Adverse_Effect_Medical_Records_2025.rar
- D43F49E6A586658B5422EDC647075FFD405D6741 – cv_submission.rar
- F77DBA76010A9988C9CEB8E420C96AEBC071B889 – Eli_Rosenfeld_CV2 – Copy (10).rar
- 676086860055F6591FED303B4799C725F8466CF4 – Datos adjuntos sin título 00170.dat
- 1F25E062E8E9A4F1792C3EAC6462694410F0F1CA – JobDocs_July2025.rar
- C340625C779911165E3983C77FD60855A2575275 – cv_submission.rar
- C94A6BD6EC88385E4E831B208FED2FA6FAED6666 – Recruitment_Dossier_July_2025.rar
- 01D32FE88ECDEA2B934A00805E138034BF85BF83 – install_module_x64.dll
- AE687BEF963CB30A3788E34CC18046F54C41FFBA – msedge.dll
- AB79081D0E26EA278D3D45DA247335A545D0512E – Complaint.exe
- 1AEA26A2E2A7711F89D06165E676E11769E2FD68 – ApbxHelper.exe
Network infrastructure used in attacks exploiting CVE-2025-8088 includes:
- 162.19.175[.]44 – gohazeldale[.]com
- 194.36.209[.]127 – srlaptop[.]com
- 85.158.108[.]62 – melamorri[.]com
- 185.173.235[.]134 – campanole[.]com
Practical Takeaways
For Technical Readers:
- **Patch Management:** Prioritize patching systems, especially Microsoft SharePoint Server, Ivanti EPMM, and WinRAR, based on the vulnerabilities discussed. Utilize vulnerability scanners to identify affected systems.
- **IOC Monitoring:** Implement monitoring for the listed Indicators of Compromise (IOCs) within your SIEM or monitoring tools. This includes file-based IOCs, log-based IOCs, and malicious IP addresses.
- **EDR/AV Configuration:** Ensure that Endpoint Detection and Response (EDR) and Antivirus (AV) solutions are properly configured and updated with the latest threat intelligence.
- **Log Analysis:** Regularly review IIS and ULS logs for any suspicious activity, especially those matching the provided IOCs.
- **Network Segmentation:** Implement network segmentation to limit the lateral movement of attackers within the network.
For Non-Technical Readers (Business Leaders):
- **Resource Allocation:** Ensure adequate resources are allocated to cybersecurity, including personnel and budget.
- **Policy Review:** Review and update cybersecurity policies to reflect the current threat landscape.
- **Training:** Provide regular cybersecurity awareness training to employees to help them identify and avoid phishing attacks and other threats.
- **Risk Assessment:** Conduct regular risk assessments to identify vulnerabilities and prioritize mitigation efforts.
- **Incident Response Plan:** Develop and maintain an incident response plan to effectively manage and contain any security incidents.
The current threat environment requires a proactive approach to security. Timely patching, continuous monitoring, and employee training are vital to defend against new and existing threats.
PurpleOps offers a suite of services designed to help organizations stay ahead of emerging cyber threats, including:
- Cyber Threat Intelligence: Gain insights into the latest threats and vulnerabilities.
- Breach Detection: Detect and respond to breaches quickly.
- Dark Web Monitoring: Identify compromised credentials and data leaks.
- Supply-Chain Risk Monitoring: Evaluate and mitigate risks associated with your supply chain.
- : Identify and address vulnerabilities in your systems and applications.
- Red Team Operations: Simulate real-world attacks to test your defenses.
- Ransomware Protection: Implement proactive measures to prevent ransomware attacks.
- Underground Forum Intelligence: Monitor underground forums for threat activity targeting your organization.
Stay informed about new vulnerabilities and attack vectors by leveraging services such as a cyber threat intelligence platform, a dark web monitoring service, and supply-chain risk monitoring.
Consider implementing breach detection and real-time ransomware intelligence solutions to detect and mitigate threats quickly.
Use underground forum intelligence, Telegram threat monitoring and brand leak alerting to stay on top of any potential threats.
To learn more about how PurpleOps can help protect your organization from cyber threats, visit our website at https://www.purple-ops.io/platform/ or PurpleOps Solutions for a consultation.
FAQ
- **Q: What is CVE-2025-53770?**
  A: It is a critical zero-day vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution.
- **Q: Which SharePoint versions are affected?**
  A: SharePoint Server 2016, 2019, and Subscription Edition (SE) on-premises versions.
- **Q: How can I mitigate this vulnerability?**
  A: Apply emergency security updates, enhance security monitoring, and rotate ASP.NET MachineKeys.
- **Q: What are the potential post-exploitation activities?**
  A: Deploying web shells and extracting ASP.NET MachineKey secrets.
- **Q: Where can I find more information or assistance?**
  A: Visit https://www.purple-ops.io/platform/ or PurpleOps Solutions for a consultation.