Home / Blog / CVE-2025-53770 ToolShell
CVE-2025-53770 • CVE-2025-53771

ToolShell: The Zero-Day SharePoint RCE
That Shook Governments Worldwide

July 2025 12 min read By Boney Warikozi
CVSS 9.8 Critical Remote Code Execution Authentication Bypass Zero-Day Actively Exploited
⚠ Active Exploitation Warning

CVE-2025-53770 has been actively exploited in the wild since mid-July 2025. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. If you run on-premises SharePoint Server 2016, 2019, or Subscription Edition, apply Microsoft's emergency patch immediately.

Overview

On July 21, 2025, Microsoft disclosed a pair of critical zero-day vulnerabilities in on-premises Microsoft SharePoint Server, collectively named "ToolShell" by security researchers. The vulnerability chain — CVE-2025-53771 (authentication bypass) plus CVE-2025-53770 (unsafe deserialization) — allows a completely unauthenticated attacker to execute arbitrary code on vulnerable SharePoint servers with no credentials whatsoever.

Within hours of public disclosure, proof-of-concept exploits were circulating and active campaigns were detected targeting government ministries, financial institutions, healthcare networks, energy infrastructure, and enterprise environments across six continents. Censys estimated between 75 and 85 servers had been compromised in the first 48 hours alone.

Technical Details

ToolShell is a two-stage exploit chain. Understanding each stage is critical for building effective detections and remediation strategies.

Stage 1 — Authentication Bypass (CVE-2025-53771)

The first vulnerability targets SharePoint's ToolPane layout endpoint. An attacker sends a crafted HTTP POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a spoofed Referer header set to /_layouts/SignOut.aspx. SharePoint's authentication logic erroneously treats this request as an authenticated session, granting access to protected functionality without valid credentials.

HTTP Request (Stage 1 — Auth Bypass)
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit HTTP/1.1
Host: sharepoint.target.org
Referer: https://sharepoint.target.org/_layouts/SignOut.aspx
Content-Type: application/x-www-form-urlencoded

# Bypasses authentication — server treats request as authenticated

Stage 2 — Unsafe Deserialization RCE (CVE-2025-53770)

Once authentication is bypassed, the attacker delivers a malicious serialized .NET payload to SharePoint's deserialization endpoint. SharePoint fails to properly validate or sandbox the deserialized object graph, allowing the attacker's code to execute in the context of the SharePoint service account — which typically holds broad permissions on the host system.

Post-exploitation activity observed in confirmed intrusions includes:

  • Uploading persistent web shells (e.g., spinstall0.aspx) to the SharePoint web root
  • Stealing ASP.NET machine keys (ValidationKey, DecryptionKey) from web.config
  • Forging authentication tokens using stolen machine keys to forge ViewState
  • Deploying additional implants and backdoors for persistent access
  • Moving laterally to Active Directory and Azure AD-connected systems
Simplified Exploit Flow
# Conceptual representation — not a working exploit

1. bypass_auth("/_layouts/15/ToolPane.aspx?DisplayMode=Edit",
          referer="/_layouts/SignOut.aspx")

2. payload = build_deserialization_payload(
    command="cmd.exe /c whoami > C:\\inetpub\\wwwroot\\out.txt"
)

3. send_payload(authenticated_session, payload)
# => RCE achieved — SharePoint service account context

4. upload_webshell("spinstall0.aspx")
5. exfiltrate_machinekeys("web.config")
# => Persistent access + token forgery capability

Scope & Impact

Affected Versions: Microsoft SharePoint Server 2016, 2019, and Subscription Edition (on-premises only). SharePoint Online / Microsoft 365 is not vulnerable.

Sectors Targeted: Education, Finance, Government, Healthcare, Energy, Telecommunications, and large Enterprise environments. Nation-state threat actors were among the first identified exploiters.

The blast radius of a successful ToolShell compromise extends far beyond SharePoint itself. Since SharePoint servers are typically domain-joined and hold sensitive documents and credentials, a foothold here enables attackers to:

  • Access and exfiltrate classified documents, financial records, and PII
  • Pivot to Active Directory for domain-wide compromise
  • Deploy ransomware across the organization's file shares
  • Establish long-term persistent access using forged authentication tokens

Detection Strategies

Security teams should hunt for the following indicators of compromise and suspicious activity patterns in their SharePoint and IIS logs:

IIS / SharePoint Log Indicators (grep)
# Suspicious ToolPane.aspx POST requests
grep -i "ToolPane.aspx" access.log | grep "POST"

# SignOut.aspx in Referer header (unusual)
grep -i "SignOut.aspx" access.log | grep "Referer"

# Web shell file creation in SharePoint dirs
find /inetpub/wwwroot -name "*.aspx" -newer /tmp/baseline -ls

# MachineKey access in event logs
Get-WinEvent -LogName Security | Where-Object {$_.Message -like "*web.config*"}

SIEM Query (Splunk / Elastic)

Look for POST requests to the ToolPane endpoint combined with the spoofed Referer in your web logs:

Splunk SPL
index=iis_logs method=POST
cs_uri_stem="*ToolPane.aspx*"
cs_referer="*SignOut.aspx*"
| stats count by c_ip, cs_uri_stem, cs_referer, _time
| where count > 0

Remediation

✓ Patching — Highest Priority
  • Apply Microsoft's emergency security update released July 21, 2025 for SharePoint Server 2016, 2019, and Subscription Edition
  • Verify patch installation via Get-SPFarm | Select BuildVersion
  • Do not delay — this vulnerability is trivially exploitable with public PoC available
⚠ Immediate Mitigations (Pre-Patch)
  • Block external access — Restrict SharePoint to internal network only via firewall/WAF if patching is delayed
  • Inspect for web shells — Audit /inetpub/wwwroot/wss/VirtualDirectories/ for unexpected .aspx files
  • Rotate machine keys — If potentially exposed, regenerate ASP.NET ValidationKey and DecryptionKey in web.config
  • Enable enhanced logging — Capture full HTTP request headers (including Referer) in IIS logs
  • Deploy WAF rules — Block POST requests matching the ToolPane + SignOut pattern

Zero Trust Lens

ToolShell is a textbook example of why Zero Trust architecture matters. Traditional perimeter security models — "trust everything inside the firewall" — fail catastrophically when a single authentication bypass is all that separates an attacker from full code execution.

A Zero Trust architecture would have limited the blast radius in several ways:

  • Microsegmentation: SharePoint servers isolated in their own network segment — compromising one system doesn't grant free lateral movement
  • Least Privilege: SharePoint service accounts with minimal permissions — no domain admin, no broad file system access
  • Continuous Monitoring: Anomalous process creation or file writes on SharePoint servers detected and alerted in real time
  • mTLS / Identity Verification: Even internal services required to authenticate, limiting the value of forged tokens

Conclusion

CVE-2025-53770 "ToolShell" is one of the most severe vulnerabilities of 2025. Its combination of zero-click exploit complexity (no user interaction, no authentication), public PoC availability, and widespread targeting by nation-state actors makes it an immediate top priority for any organization running on-premises SharePoint.

The key lessons: patch aggressively, audit your SharePoint environment for signs of compromise (even if you believe you patched in time), rotate machine keys, and use this incident as a forcing function to accelerate your Zero Trust journey.

// References