CRITICAL UNPATCHED SHAREPOINT ZERO-DAY ACTIVELY EXPLOITED
- July 23, 2025
- Posted by: Chernor Jalloh

THREAT SUMMARY
Microsoft disclosed two new zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, collectively called “ToolShell.” They are new variants of the earlier July flaws in on-premises SharePoint Server (CVE-2025-49704 and CVE-2025-49706), which were patched, but attackers found workarounds that bypass those fixes. Attackers are actively exploiting these zero-days to execute remote code without authentication and to maintain persistent, stealthy access across multiple sectors worldwide.
THREAT DESCRIPTION
- CVE-2025-53770 (CVSS 9.8) is a critical unauthenticated deserialization vulnerability in Microsoft SharePoint Server that enables remote code execution (RCE) over the network.
- CVE-2025-53771 (CVSS 6.3) facilitates spoofing and path-traversal attacks through crafted HTTP Referer headers targeting the same vulnerable endpoint.
- Both vulnerabilities bypass earlier July 2025 patches (CVE-2025-49704 and CVE-2025-49706) through newly discovered workarounds.
- Exploitation often leads to web shell deployment, theft and reuse of ASP.NET machine keys, and forging of trusted ViewState tokens, allowing persistent attacker control.
- Multiple threat actors—including espionage groups and opportunistic attackers—are leveraging these vulnerabilities for lateral movement and continued access.
IMPACT OVERVIEW
At least 75–85 servers have been compromised, spanning the government, education, energy, healthcare, and enterprise sectors.
SharePoint Online (Microsoft 365) is not affected.
Attackers may retain access even after patching unless cryptographic keys are rotated.
MITIGATION
- Apply Emergency Patches (July 21, 2025):
  - Subscription Edition: KB5002768
  - SharePoint 2019: KB5002754
  - SharePoint 2016: KB5002760
- Rotate the ASP.NET machineKey on all SharePoint servers and restart IIS to invalidate stolen keys.
- Enable AMSI and deploy Microsoft Defender Antivirus on all SharePoint servers; if AMSI is unavailable, immediately disconnect internet-facing SharePoint servers.
- Hunt for web shells and indicators of compromise via incident response teams.
- Update network defenses:
  - Block POST requests to the /ToolPane.aspx?DisplayMode=Edit endpoint.
  - Tune or deploy IPS/WAF signatures.
- Enforce comprehensive logging on all SharePoint servers.
- Report incidents to your national CSIRT (e.g., SL-CSIRT) and perform thorough compromise scans assuming possible breaches.
- Establish executive oversight and cross-team coordination across IT, security, and risk management to ensure a rapid and comprehensive response.
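The "hunt for indicators of compromise" and "enforce comprehensive logging" items above can be tied together with a retrospective check of the IIS logs for the request shape the network-defense item says to block: POST requests to ToolPane.aspx with DisplayMode=Edit. The script below is an added example written for this alert, not code from SL-CSIRT or Microsoft. It assumes the standard IIS W3C extended log format (the "#Fields:" directive names the columns); the log lines embedded in it are constructed for the demonstration and use documentation IP ranges only.

```python
"""
Hunt IIS W3C logs for POST requests to the SharePoint ToolPane.aspx
endpoint in edit mode, the request shape this advisory says to block.

Added example for this advisory, not code from its author or from
Microsoft. It assumes the standard IIS W3C extended log format (the
"#Fields:" directive names the columns); the log lines are constructed.
"""
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log, not a real capture. Every address is from the
# RFC 5737 documentation ranges; "-" is how IIS records an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-21 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-21 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 192.0.2.10 Mozilla/5.0 - 200
2025-07-21 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 python-requests/2.32 - 200
2025-07-21 09:13:02 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode%3DEdit&a=%2FToolPane.aspx 198.51.100.7 python-requests/2.32 - 200
2025-07-21 09:15:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 192.0.2.10 Mozilla/5.0 https://sp.example/sites/hr 200
2025-07-21 09:20:33 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 curl/8.0 - 500
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into one dict per request, keyed by field name."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if fields and len(values) == len(fields):
            entries.append(dict(zip(fields, values)))
    return entries


def is_toolpane_edit_post(entry: Dict[str, str]) -> bool:
    """True for POST .../ToolPane.aspx with DisplayMode=Edit in the query.

    Stem and query are URL-decoded and lower-cased first, so a change of
    case or percent-encoding of the query does not slip past the match.
    GETs are deliberately ignored: an authenticated editor opening the
    page in edit mode issues them routinely, and the advisory's block
    rule is POST-only.
    """
    if entry.get("cs-method", "").upper() != "POST":
        return False
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    query = unquote(entry.get("cs-uri-query", "")).lower()
    return stem.endswith("/toolpane.aspx") and "displaymode=edit" in query


def find_toolpane_edit_posts(text: str) -> List[Dict[str, str]]:
    """All log entries matching the blocked request shape, in log order."""
    return [e for e in parse_iis_w3c(text) if is_toolpane_edit_post(e)]


def summarize_by_client(hits: List[Dict[str, str]]) -> Counter:
    """Count matching requests per client IP to prioritise triage."""
    return Counter(h.get("c-ip", "-") for h in hits)


if __name__ == "__main__":
    hits = find_toolpane_edit_posts(SAMPLE_LOG)
    for h in hits:
        # Referer and User-Agent are surfaced for the analyst; the advisory
        # notes crafted Referer headers are part of the CVE-2025-53771 chain.
        print(f"{h['date']} {h['time']} {h['c-ip']:<15} status={h['sc-status']} "
              f"referer={h['cs(Referer)']} ua={h['cs(User-Agent)']}")
    print("requests per client:", dict(summarize_by_client(hits)))
```

Run it against a real log by reading the file contents into `find_toolpane_edit_posts` in place of `SAMPLE_LOG`. On the constructed sample it reports three hits from two clients and leaves the GET from the browser session alone. A hit is a reason to treat that server as possibly compromised (web shell hunt, machineKey rotation) rather than proof of exploitation by itself, and a clean log only covers requests that reached IIS after logging was enabled, which is why the advisory pairs this with comprehensive logging on every SharePoint server.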
This is not a theoretical risk; it is a real-time, large-scale attack on widely used collaboration platforms. Experts warn that patches alone are not enough: without key rotation and detection controls, attackers can re-enter compromised environments after patching. The exploitation chain delivers unauthenticated, persistent RCE, making lateral movement and data exfiltration trivial once a server is exploited. This alert demands executive oversight and an immediate response across IT, security, and risk teams.