Arctic Wolf Security Bulletin

CVE-2025-53770: Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises


On 19 July 2025, Microsoft disclosed active exploitation of a zero-day vulnerability (CVE-2025-53770) affecting on-premises SharePoint Server instances. Originally, no patch was available for this vulnerability, but fixes were released late on the evening of 20 July. CVE-2025-53770 is caused by the deserialisation of untrusted data, allowing unauthenticated threat actors to execute code remotely over the network. It is a variant of CVE-2025-49706, a medium-severity flaw addressed in Microsoft’s July Patch Tuesday update. SharePoint Online in Microsoft 365 is not affected by this vulnerability. 

Independent reporting has identified exploitation affecting a number of organisations, including government agencies, multinational corporations, and organisations in the banking sector. Arctic Wolf observed exploitation attempts involving CVE-2025-53770 starting on 18 July 2025. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog on 20 July 2025, with a patching deadline of 21 July 2025 for all U.S. federal agencies. 

In environments where Microsoft Defender for Endpoint was enabled, related activity was detected and blocked, which prevented further analysis of the attempted exploitation. Additionally, Arctic Wolf was able to detect and alert on post-exploitation activities associated with this campaign through Arctic Wolf Agent and Sysmon. Arctic Wolf will continue to alert on newly observed instances of malicious activity in this campaign through the Managed Detection and Response service. 

No patch was available at the time of disclosure, so Microsoft’s original guidance was to configure the Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus (Defender AV) across all SharePoint servers to block unauthenticated threat actors from exploiting CVE-2025-53770. 

Exploitation Details

The first public reporting on this activity was published by Eye Security, which, on the evening of 18 July, began investigating what they initially believed to be exploitation of CVE-2025-49704 and CVE-2025-49706. These vulnerabilities were originally discovered during the Pwn2Own 2025 competition in May and are referred to collectively as “ToolShell.” Further investigation revealed the observed behavior was actually tied to a previously unknown zero-day vulnerability, later assigned CVE-2025-53770 by Microsoft. Shortly after, Palo Alto Networks’ Unit 42 reported similar activity involving these vulnerabilities, with post-exploitation activities matching those in Eye Security’s original reporting. 

In Eye Security’s research, threat actors targeted internet-exposed, on-premises SharePoint servers by sending crafted POST requests to the /_layouts/15/ToolPane.aspx endpoint, using a spoofed Referer header set to /layouts/SignOut.aspx to bypass authentication. Once access was obtained, they deployed a malicious ASPX implant (spinstall0.aspx) to extract cryptographic secrets—specifically the MachineKey and ValidationKey used to protect ASP.NET’s __VIEWSTATE. With these keys, the threat actors used the Ysoserial tool to generate forged, signed __VIEWSTATE payloads, enabling remote code execution and persistent access without needing valid credentials. 

  • Specifically, use of the /layouts/SignOut.aspx Referer seems to be the key that made the existing bug in CVE-2025-49706 exploitable without authentication, effectively making it a new vulnerability (CVE-2025-53770). This timing coincided with a security researcher posting on X in the early morning of July 18, demonstrating that using /layouts/SignOut.aspx as the Referer header could bypass authentication. 
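As an added hunting example (not from the bulletin or from Arctic Wolf), the Python below parses IIS W3C log lines and flags the two request shapes described above: a POST to /_layouts/15/ToolPane.aspx carrying a SignOut.aspx Referer, and any request for spinstall0.aspx. It assumes the Referer field is enabled in IIS logging; the sample log lines and the implant's location under /_layouts/15/ are constructed.

```python
"""Hunt IIS W3C log lines for the ToolShell request pattern described in the bulletin."""
from typing import Dict, List, Tuple

# Indicators taken from the bulletin; path comparisons are case-insensitive.
TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "signout.aspx"
WEBSHELL = "spinstall0.aspx"

def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines, using the #Fields directive for column names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no requests
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row: Dict[str, str]) -> str:
    """Label one request: implant access, the auth-bypass POST shape, or '' for benign."""
    stem = row.get("cs-uri-stem", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    if stem.endswith(WEBSHELL):
        return "webshell-access"
    if row.get("cs-method") == "POST" and stem == TOOLPANE and SIGNOUT_REFERER in referer:
        return "toolpane-signout-referer"
    return ""

def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, uri stem, label) for every request that matches an indicator."""
    return [(r.get("c-ip", "-"), r.get("cs-uri-stem", "-"), classify(r))
            for r in parse_w3c(lines) if classify(r)]

# Constructed sample log (not real traffic); the implant path under /_layouts/15/ is assumed.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:14:03 POST /_layouts/15/ToolPane.aspx - 203.0.113.10 Mozilla/5.0 https://sp.example.test/layouts/SignOut.aspx 200
2025-07-18 22:14:09 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 Mozilla/5.0 - 200
2025-07-18 22:15:00 POST /_layouts/15/ToolPane.aspx - 198.51.100.7 Mozilla/5.0 https://sp.example.test/sites/hr/edit.aspx 200
2025-07-18 22:16:30 GET /sites/hr/default.aspx - 198.51.100.7 Mozilla/5.0 - 200
""".splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

A legitimate editor POST to ToolPane.aspx with an ordinary Referer (third sample line) is deliberately left unflagged, so the rule keys on the Referer spoof rather than on the endpoint alone.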

Recommendations for CVE-2025-53770

Upgrade to the Latest Fixed Version

Arctic Wolf strongly recommends that customers immediately upgrade to the latest fixed versions of SharePoint. 

Affected Product                                   Security Update Link
Microsoft SharePoint Server Subscription Edition   Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center
Microsoft SharePoint Server 2019                   Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002754) from Official Microsoft Download Center
Microsoft SharePoint Server 2016                   Not yet available. Microsoft is currently developing security updates for all supported versions of SharePoint, and recommends monitoring its blog post for the latest updates.

Note: SharePoint Online in Microsoft 365 is not impacted by CVE-2025-53770.

Enable AMSI Integration

If you are running a publicly exposed, on-premises instance of Microsoft SharePoint and have Defender AV installed, Arctic Wolf strongly recommends enabling AMSI integration in SharePoint and ensuring Defender AV is deployed across all SharePoint servers. 

  • According to Microsoft, this mitigation will block unauthenticated threat actors from exploiting CVE-2025-53770. 

Disconnect On-Premises SharePoint Servers from the Public Internet

For customers unable to upgrade to the fixed version of SharePoint or apply AMSI (e.g., those not using Defender AV), Microsoft recommends disconnecting the server from the internet until a security update can be applied. 

Rotate SharePoint Server ASP.NET Machine Keys

If your organisation was running a publicly exposed, on-premises instance of Microsoft SharePoint over the weekend, it is likely your SharePoint instance was compromised. By exploiting CVE-2025-53770, threat actors can obtain encryption keys, allowing them to maintain access even if a web shell is removed. As a result, simply removing malicious artifacts may not fully eliminate the threat. If compromise is detected, isolate the impacted server and rotate the SharePoint MachineKey to revoke the threat actor’s access. 

Install Arctic Wolf Agent & Sysmon

  • Arctic Wolf Agent and Sysmon give Arctic Wolf visibility into network and endpoint events needed to identify tools, techniques, and tactics involved in this campaign. 
  • For instructions on how to install Arctic Wolf Agent, see the below install guides: 
  • If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf. 

Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a test environment before deploying to production. 
