Full Report
Detect and mitigate CVE-2025-53770 and CVE-2025-53771 - critical vulnerabilities in Microsoft SharePoint Server currently under active exploitation.
Analysis Summary
# Vulnerability: Chained Zero-Day Exploit (ToolShell) in Microsoft SharePoint Leading to RCE
## CVE Details
- CVE ID: CVE-2025-53770, CVE-2025-53771
- CVSS Score: 9.8 (Critical) for CVE-2025-53770; 6.3 (Medium) for CVE-2025-53771
- CWE: Unsafe Deserialization (CVE-2025-53770); Authentication Bypass/Header Spoofing (CVE-2025-53771)
## Affected Systems
- Products: Microsoft SharePoint Server (On-premises deployments only)
- Versions:
- SharePoint Server Subscription Edition (earlier than KB5002768)
- SharePoint Server 2019 (earlier than 16.0.10417.20027 / KB5002754)
- SharePoint Server 2016
- SharePoint Server 2013 and 2010 (End-of-Life, but noted as technically affected)
- Configurations: Self-managed SharePoint instances running in cloud environments (e.g., Azure, AWS, GCP) are also vulnerable if running the affected versions. (Microsoft 365 SharePoint Online is **not** impacted.)
## Vulnerability Description
This is a chained exploitation scenario dubbed "ToolShell," involving two bypass vulnerabilities that target previously patched flaws (CVE-2025-49704/CVE-2025-49706).
1. **CVE-2025-53771 (Spoofing/Auth Bypass):** An attacker crafts a request using a forged `Referer` header to bypass authentication and mimic a legitimate SharePoint workflow.
2. **CVE-2025-53770 (RCE):** This vulnerability involves unsafe deserialization of untrusted data, which forms the code execution stage following successful authentication bypass.
The chain results in Unauthenticated Remote Code Execution (RCE) against on-premises SharePoint servers.
## Exploitation
- Status: Exploited in the wild (Actively exploited since July 18, 2025)
- Complexity: Low (due to the successful chaining of the bypass before RCE)
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE allows full system compromise)
- Integrity: High (RCE allows arbitrary code execution and data modification)
- Availability: High (RCE can lead to denial of service or system takeover)
## Remediation
### Patches
Microsoft released emergency patches for the bypassed vulnerabilities:
- SharePoint Server Subscription Edition (Details via KB/update package associated with the advisory).
- SharePoint Server 2019 (Update 16.0.10417.20027 / KB5002754).
### Workarounds
- Engage incident response teams.
- Audit and reduce layout/admin privileges across the environment.
- Monitor for Indicators of Compromise (IOCs).
## Detection
- Indicators of Compromise: Monitoring for exploitation activity related to the "ToolShell" chain, specifically focused on the authentication bypass mechanism (forged `Referer` headers) preceding RCE attempts.
- Detection methods and tools: Utilize security platform threat intelligence centers (like Wiz) to query for vulnerable SharePoint assets and track internet exposure of at-risk servers.
## References
- Vendor Advisories:
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770/
- Relevant links:
- https://research.eye.security/sharepoint-under-siege/
- https://thehackernews.com/2025/07/microsoft-releases-urgent-patch-for.html
- https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/