In July 2025, a critical zero-day vulnerability (CVE-2025-53770) affecting Microsoft SharePoint Server was publicly disclosed. The flaw enables unauthenticated remote code execution (RCE) when chained with a related authentication bypass, CVE-2025-53771. Together, known as “ToolShell”, they allow attackers to gain full control of the server. SharePoint Server 2016, 2019 and Subscription Edition are affected, putting a wide range of enterprise deployments at risk.
Since mid-July, this vulnerability has been actively exploited in the wild by multiple threat actors, including groups believed to be affiliated with nation-state interests. To date, more than 85 SharePoint servers worldwide have reportedly been compromised, emphasizing the urgent need for organizations to implement available mitigations and apply emergency security patches without delay.
CVE-2025-53770 is a bypass of a previously patched vulnerability (CVE-2025-49704) that was part of a chained unauthenticated RCE exploit demonstrated at Pwn2Own Berlin 2025. That original chain also involved CVE-2025-53771, which bypasses an earlier patch (CVE-2025-49706) that introduced authentication checks. In the original chain, researchers exploited logic flaws in SharePoint’s internal request handling to reach restricted endpoints. However, the authentication checks Microsoft introduced were insufficient and could be bypassed under specific conditions.
The attack begins by leveraging CVE-2025-53771 to bypass Microsoft’s earlier authentication checks. The attacker sends a crafted HTTP POST request to the ‘/_layouts/15/ToolPane.aspx’ endpoint, with the Referer header set to ‘/_layouts/SignOut.aspx’, tricking SharePoint into treating the request as coming from a trusted source. This subtle bypass grants the attacker unauthenticated, but effectively privileged, access to protected functionality.
With this access, CVE-2025-53770 is then exploited to perform remote code execution via deserialization of the ‘__VIEWSTATE’ payload. The malicious actor abuses upload functionality to place a malicious .aspx web shell (typically named ‘spinstall0.aspx’) into the ‘LAYOUTS’ directory. This shell acts as a backdoor, enabling further interaction with the compromised server.
The next phase involves abusing ASP.NET’s ‘__VIEWSTATE’ mechanism.
‘__VIEWSTATE’ is a hidden field used by ASP.NET to maintain the state of a web page between requests. It is often serialized and cryptographically protected using machine-specific keys (‘ValidationKey’ and ‘DecryptionKey’) stored in the server’s configuration. These keys ensure that the ‘__VIEWSTATE’ cannot be tampered with or forged by an attacker.
However, once the web shell is in place, it is used to extract these machine-level keys from the SharePoint configuration. With access to these secrets, the attacker can generate a malicious ‘__VIEWSTATE’ payload containing a serialized .NET object, crafted using tools like ysoserial. This payload is signed and encrypted with the stolen keys, making it appear legitimate.
The final step involves submitting the malicious ‘__VIEWSTATE’ to a vulnerable endpoint that deserializes it with no validation beyond the cryptographic check. Because the payload passes that check, ASP.NET proceeds to deserialize and execute the attacker-controlled data, achieving full remote code execution within the application’s context.
Together, these two linked vulnerabilities form a complete unauthenticated RCE chain, with CVE-2025-53771 enabling unauthorized access and CVE-2025-53770 executing the malicious payload. Full technical details are outlined in BleepingComputer’s analysis.
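The request pattern described above (a POST to ToolPane.aspx carrying a SignOut.aspx Referer, followed by requests to the dropped web shell) is visible in ordinary IIS W3C logs. The following Python script is an added detection example written for this post; it is not code from the original article, Microsoft or Sentrium. The log lines are constructed sample data, and the indicator list holds only the two values named in the text (the ToolPane.aspx/SignOut.aspx combination and the ‘spinstall0.aspx’ file name).

```python
"""Scan IIS W3C logs for the ToolShell request pattern (added example, constructed data)."""
from dataclasses import dataclass

# Indicators taken from the post: the auth bypass is a POST to ToolPane.aspx with a
# Referer of SignOut.aspx, and the web shell is typically dropped as spinstall0.aspx.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAMES = ("spinstall0.aspx",)


@dataclass
class Finding:
    line_no: int      # 1-based line in the log file
    client_ip: str    # c-ip of the request
    reason: str


def parse_fields(header_line):
    """Turn '#Fields: date time ...' into a list of field names."""
    return header_line[len("#Fields:"):].split()


def scan_iis_log(text):
    """Return a list of Finding objects for suspicious lines in an IIS W3C log."""
    fields = None
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = parse_fields(line)   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line; skip rather than guess
        rec = dict(zip(fields, values))
        method = rec.get("cs-method", "")
        uri = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        ip = rec.get("c-ip", "?")
        if method == "POST" and uri == TOOLPANE_PATH and SIGNOUT_REFERER in referer:
            findings.append(Finding(n, ip, "POST to ToolPane.aspx with SignOut.aspx Referer (CVE-2025-53771 pattern)"))
        if any(name in uri for name in WEBSHELL_NAMES):
            findings.append(Finding(n, ip, "request to known web shell name " + uri.rsplit("/", 1)[-1]))
    return findings


# Constructed sample log: one normal user session, one bypass attempt from 203.0.113.7
# that is followed by a hit on the web shell, and one legitimate POST to ToolPane.aspx.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 - 200
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 http://sp.example.local/_layouts/SignOut.aspx 200
2025-07-18 09:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 09:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.0.22 Mozilla/5.0 http://sp.example.local/sites/hr/default.aspx 200
"""

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.reason}")
```

The Referer match is a substring check because the header is normally a full URL rather than the bare path. The legitimate editor POST on the last line is not flagged, which is the point of requiring both the endpoint and the SignOut.aspx Referer together rather than alerting on every ToolPane.aspx request.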
Although public proof-of-concept (PoC) exploits for CVE‑2025‑53770 are now available, they should be reviewed carefully, as not all published PoCs are accurate or complete. When Microsoft published their customer guidance for CVE-2025-53770 on July 20, no PoC had been publicly confirmed. However, researchers from CODE WHITE GmbH had successfully reproduced the exploit chain by July 14 and shared their findings on X.
CVE‑2025‑53770 enables full unauthenticated remote code execution in vulnerable SharePoint servers. By chaining the authentication bypass (CVE‑2025‑53771) with insecure ‘__VIEWSTATE’ deserialization, attackers can take complete control of affected systems. Successful exploitation allows data exfiltration, deployment of persistent web shells, lateral movement, and even ransomware, all without valid credentials.
Microsoft released security updates on July 19, 2025, addressing CVE-2025-53770 and CVE-2025-53771 for all supported SharePoint Server versions (2016, 2019 and Subscription Edition). Organisations must apply these updates immediately to prevent exploitation.
Enabling and configuring the Antimalware Scan Interface (AMSI) in Full Mode, alongside deploying Defender Antivirus across all SharePoint servers, is critical to blocking attack attempts. CISA additionally recommends deploying Endpoint Detection and Response (EDR) tools to detect post-exploitation activity, such as .dll payloads used to harvest machine keys.
After applying patches or enabling AMSI, it is essential to rotate the ASP.NET machine keys using PowerShell (‘Set-SPMachineKey’) or the Central Administration Machine Key Rotation job. Then, manually inspect ‘applicationHost.config’ and ‘web.config’ for any suspicious module entries, as malicious entries can persist and reload if IIS is restarted without cleanup. Complete the process by restarting IIS on all SharePoint servers.
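Two of the steps above are easy to get wrong silently: a key rotation that did not actually take effect, and a module entry that survives in ‘web.config’ or ‘applicationHost.config’. The following Python helpers are an added triage example for this post, not code from the article, Microsoft or Sentrium. The configuration snippets are constructed, the key values are dummies, and the module baseline is a placeholder that should be generated from a known-good server of the same build rather than copied from here.

```python
"""Verify machine-key rotation and audit IIS module entries (added example, constructed data)."""
import xml.etree.ElementTree as ET


def machine_key(config_xml):
    """Return (validationKey, decryptionKey) from <system.web><machineKey>, or None if absent."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    return mk.get("validationKey"), mk.get("decryptionKey")


def rotation_effective(before_xml, after_xml):
    """True only if both keys exist after rotation and differ from the pre-rotation values."""
    before, after = machine_key(before_xml), machine_key(after_xml)
    if after is None or None in after:
        return False
    return before != after


def unexpected_modules(config_xml, baseline):
    """Return (name, type) for every <modules><add> entry whose name is not in the baseline.

    The search is recursive so it also covers <location> blocks in applicationHost.config.
    """
    root = ET.fromstring(config_xml)
    found = []
    for add in root.findall(".//system.webServer/modules/add"):
        name = add.get("name")
        if name not in baseline:
            found.append((name, add.get("type")))
    return found


# Placeholder baseline: build this from a trusted server, not from this example.
BASELINE = {"SPRequestModule", "Session"}

# Constructed web.config with dummy keys and one module entry that is not in the baseline.
WEB_CONFIG_BEFORE = """<configuration>
  <system.web>
    <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="HMACSHA256" decryption="AES"/>
  </system.web>
  <system.webServer>
    <modules>
      <add name="SPRequestModule" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint"/>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
      <add name="UpdateModule" type="Updater.Module, Updater"/>
    </modules>
  </system.webServer>
</configuration>"""

# Constructed post-rotation copy: same file with both key values replaced.
WEB_CONFIG_AFTER = WEB_CONFIG_BEFORE.replace("AAAA1111", "CCCC3333").replace("BBBB2222", "DDDD4444")

if __name__ == "__main__":
    print("rotation effective:", rotation_effective(WEB_CONFIG_BEFORE, WEB_CONFIG_AFTER))
    for name, typ in unexpected_modules(WEB_CONFIG_AFTER, BASELINE):
        print(f"review module entry {name!r} ({typ})")
```

Run ‘unexpected_modules’ against both files before restarting IIS; an entry that is not in the baseline is not proof of compromise, but it is the kind of persistence the text warns about, and it should be explained before the restart reloads it. ‘rotation_effective’ returning False after ‘Set-SPMachineKey’ means the keys were not propagated to that server and the rotation must be repeated.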
If AMSI cannot be enabled promptly, Microsoft recommends disconnecting servers from the internet or restricting unauthenticated access via VPNs or authentication gateways until updates are applied. CISA also advises disconnecting unsupported or end-of-life SharePoint versions (such as SharePoint Server 2013) from public access, as they will not receive patches.
These measures collectively mitigate the risk of unauthenticated remote code execution and help protect sensitive SharePoint environments. For full guidance, see Microsoft’s official advisory here.
Sentrium offer vulnerability assessment and network penetration testing services that can support you in identifying vulnerable instances of SharePoint across your environments. Our skilled team of pentesters can attempt exploitation of these published vulnerabilities to check whether mitigations are effective, and provide further hardening recommendations to secure your sensitive SharePoint systems. Get in touch with our team to find out more about our services.