CISA adds CVE-2025-53770 SharePoint Vulnerability to KEV

---

Summary

A critical remote code execution (RCE) vulnerability has been discovered in Microsoft SharePoint Server (on-premises versions only). The vulnerability, tracked as CVE-2025-53770, allows unauthenticated attackers to execute arbitrary commands on vulnerable servers, gaining complete control over the SharePoint environment and its underlying operating system.

This security flaw is actively being exploited in-the-wild, and organizations with exposed SharePoint servers are urgently advised to take remediation actions.

Technical Overview

❗ Vulnerability: CVE-2025-53770

• Type: Remote Code Execution (RCE)
• CVE ID: CVE-2025-53770
• Attack Vector: Network-based (unauthenticated access possible)
• Exploit Type: Deserialization of untrusted data in SharePoint’s .NET components
• Affected Products:
• SharePoint Server 2016
• SharePoint Server 2019
• SharePoint Server Subscription Edition (SE)

💡 Note: SharePoint Online (Microsoft 365 cloud version) is not affected.

👨‍💻 How the Exploit Works

Attackers leverage flaws in SharePoint’s deserialization functionality to:

• Upload a rogue .aspx page (often named spinstall0.aspx) directly to the SharePoint server.
• Trigger command execution through specially crafted POST requests — often targeting endpoints such as:
• /ToolPane.aspx
• /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx

In many cases, the exploit is chained with malicious VIEWSTATE payloads to execute arbitrary .NET code on the SharePoint server.

What Happens if Exploited

Once compromised, attackers can:

1. Execute arbitrary shell commands (i.e., reverse shells, PowerShell scripts).
2. Upload further web shells or malware (e.g., Cobalt Strike beacons).
3. Exfiltrate confidential documents stored within SharePoint.
4. Extract cryptographic keys used within the SharePoint farm.
5. Move laterally within the organization’s network (post-exploitation phase).

Indicators of Compromise (IOCs)

Also monitor for:

• Unusual access to /_layouts/15/ToolPane.aspx
• Elevated CPU/memory use on SharePoint W3WP processes
• Microsoft Defender detections tied to AMSI events

Mitigation & Remediation Steps

1. Apply Security Updates Immediately

• Microsoft has released a patch (KB5002768) as part of July 2025 Patch Tuesday.
• Currently, the patch is available only for SharePoint Server SE (Subscription Edition).
• Patches for SharePoint 2016 and 2019 are expected soon — monitor the Microsoft Security Advisory site for updates.

2. Enable Security Features (AMSI & Defender AV)

Microsoft recommends enabling:

• AMSI (Antimalware Scan Interface) in SharePoint to inspect and block suspicious in-memory .NET code.
• Microsoft Defender Antivirus with real-time protection, especially with the SharePoint AMSI integration enabled.

📝 Note: AMSI blocks most known exploitation attempts — even before patching.

3. Isolate or Disconnect Affected Servers

• If you cannot patch SE or are running 2016/2019 without updates, consider temporarily removing internet access to vulnerable SharePoint instances, especially if publicly accessible.
• Review all exposed TCP/UDP ports on SharePoint hosts — minimize external access.

4. Hunt for Compromise

Use the following practices:

• Search IIS logs for spinstall0.aspx, requests to /ToolPane.aspx, or ViewState anomalies.
• Check Windows Event Logs and Defender logs for AMSI activity.
• Use EDR or SIEM tools like Defender for Endpoint or Sentinel to scan for known C2 tools.

Detection & Analysis Resources

Microsoft Resources:

• Microsoft Security Blog
• Microsoft Defender XDR threat hunting queries
• Official CVE advisory page (CVE-2025-53770)

Community/Threat Intel:

• Shadowserver reports daily scans for exposed SharePoint instances
• Github repositories of Proof-of-Concepts (PoCs)
• YARA rules for detecting webshell activity

Final Recommendations

1. Patch enterprise SharePoint environments where possible.
2. Enable AMSI and Microsoft Defender AV immediately.
3. Isolate servers and monitor for breach indicators.
4. Stay up to date with Microsoft announcements and advisories.
5. Review your SharePoint server exposure — limit it to internal access where possible.