Skip to main content

Threat Intelligence Report: Microsoft SharePoint ToolShell Zero-Day Exploitation (CVE-2025-53770)

·4 mins

Microsoft SharePoint Logo

CISO Executive Summary #

Overview #

The ToolShell zero-day vulnerability collection, specifically CVE-2025-53770, represents one of the most critical SharePoint vulnerabilities discovered in 2025. This deserialization flaw allowed unauthenticated remote code execution on on-premises SharePoint servers, leading to widespread exploitation by Chinese nation-state actors and cybercriminal groups. The vulnerability was actively exploited from July 7, 2025, before patches were available, resulting in the compromise of over 300 organizations worldwide.

Impact #

The impact of CVE-2025-53770 is severe due to its:

  • Unauthenticated Remote Code Execution: Attackers can gain full system control without credentials
  • Widespread Exploitation: Over 4,600 compromise attempts across government, telecommunications, and enterprise sectors
  • Nation-State Involvement: Chinese APT groups Linen Typhoon and Violet Typhoon actively exploiting the flaw
  • Persistent Access: Stolen cryptographic keys enable long-term compromise even after patching

Mitigation #

Critical actions for organizations using on-premises SharePoint:

  1. Emergency Patching: Apply Microsoft’s July 19, 2025 emergency security updates immediately
  2. Threat Hunting: Scan for indicators of compromise, particularly ASPX payloads and stolen MachineKeys
  3. Access Review: Audit SharePoint access logs for suspicious activity from July 7 onwards
  4. Key Rotation: Regenerate SharePoint MachineKey configurations if compromise is suspected

Engineering Breakdown #

CVE Details #

  • CVE ID: CVE-2025-53770
  • Severity: Critical
  • CVSS Score: 9.8 (Critical)
  • Vector: Network
  • Access Complexity: Low
  • Authentication: None Required

Description #

CVE-2025-53770 is a deserialization vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution. The flaw is part of the “ToolShell” vulnerability collection (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) and represents a bypass of the incomplete patch for CVE-2025-49706, leaving a new deserialization pathway that adversaries exploit for RCE.

Technical Analysis #

Palo Alto Unit 42 Analysis #

According to Palo Alto Unit 42, the vulnerability enables attackers to send crafted POST requests to the “/_layouts/15/ToolPane.aspx” endpoint, using a spoofed Referer header set to “_layouts/SignOut.aspx” to achieve authentication bypass. The exploitation allows delivery of ASPX payloads via PowerShell to steal SharePoint server MachineKey configurations.

Check Point Research Analysis #

Check Point Research identified the first exploitation attempts on July 7, 2025, with attackers focusing on extracting ValidationKey and DecryptionKey values to maintain persistent access. The stolen keys are subsequently leveraged to craft and sign malicious __VIEWSTATE payloads.

Microsoft Security Analysis #

Microsoft’s security team confirmed that Chinese nation-state actors Linen Typhoon and Violet Typhoon were actively exploiting these vulnerabilities, along with ransomware deployment by Storm-2603 cluster.

Exploitation Details #

Attack Chain #

The exploitation follows this sequence:

  1. Initial Access: Crafted POST request to vulnerable ToolPane.aspx endpoint
  2. Authentication Bypass: Spoofed Referer header bypasses authentication checks
  3. Code Execution: Deserialization vulnerability triggers arbitrary code execution
  4. Key Extraction: PowerShell payload extracts SharePoint MachineKey configuration
  5. Persistence: Stolen keys enable forging of valid authentication tokens

Threat Actor Attribution #

Primary Actors:

  • Linen Typhoon (Chinese nation-state)
  • Violet Typhoon (Chinese nation-state)
  • Storm-2603 (Chinese-linked ransomware group)
  • CL-CRI-1040 (Threat activity cluster)

Affected Systems #

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Enterprise Server 2019
  • Microsoft SharePoint Server Subscription Edition
  • Note: SharePoint Online (Microsoft 365) is NOT affected

Indicators of Compromise #

Network Indicators #

  • POST requests to /_layouts/15/ToolPane.aspx
  • Referer header containing _layouts/SignOut.aspx
  • PowerShell execution from SharePoint application pools
  • Unusual outbound connections from SharePoint servers

File System Indicators #

  • Presence of unauthorized ASPX files in SharePoint layouts directory
  • Modified web.config files with suspicious entries
  • PowerShell scripts targeting MachineKey extraction
  • Unusual log entries in SharePoint ULS logs

Impact Assessment #

Compromise Scope #

  • 300+ Organizations: Targeted across multiple sectors globally
  • 4,600+ Attempts: Compromise attempts documented by security researchers
  • Key Sectors: Government, telecommunications, software, energy, healthcare, education

Geographic Distribution #

  • North America: Federal and state agencies, energy companies, universities
  • Western Europe: Government entities, telecommunications providers
  • Asia: Telecommunications companies and enterprises

Recommendations for Organizations #

Immediate Actions #

  1. Apply Emergency Patches: Install Microsoft’s July 19, 2025 security updates
  2. Enable AMSI: Configure Antimalware Scan Interface in SharePoint
  3. Audit Access Logs: Review SharePoint logs from July 7, 2025 onwards
  4. Network Monitoring: Monitor for suspicious POST requests to ToolPane.aspx

Long-term Security Measures #

  1. Network Segmentation: Isolate SharePoint servers from untrusted networks
  2. Zero Trust Architecture: Implement additional authentication layers
  3. Regular Patching: Establish rapid patch deployment procedures
  4. Incident Response: Update response plans for zero-day scenarios

Detection Rules #

Organizations should implement detection for:

  • HTTP POST requests to /_layouts/15/ToolPane.aspx
  • PowerShell execution within SharePoint context
  • Unusual authentication token usage patterns
  • Suspicious modifications to SharePoint configuration files

Conclusion #

The ToolShell zero-day exploitation represents a sophisticated supply chain attack targeting critical business infrastructure. The involvement of multiple Chinese nation-state actors and the vulnerability’s impact on government and critical infrastructure organizations underscore the importance of rapid response capabilities and comprehensive threat hunting programs.

Organizations must prioritize emergency patching while implementing comprehensive detection and response measures to identify potential compromise. The persistence mechanisms enabled by stolen cryptographic keys require thorough investigation and key rotation procedures.

Stay Vigilant