Overview

CVE: CVE-2025-53770, CVE-2025-53771
Severity: Critical, Medium
Score: CVSS 9.8 (53770), CVSS 6.3 (53771)
Date: 21 July 2025

Microsoft has released urgent guidance regarding exploitation of SharePoint Server vulnerability CVE-2025-53770, which enables unauthenticated remote access and execution. This vulnerability is confirmed to be exploited in the wild. A related vulnerability, CVE-2025-53771, is addressed in the July 2025 update for SharePoint Subscription Edition. SharePoint Online is not impacted.


Affected Versions

  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Subscription Edition


Vulnerability Breakdown

CVE-2025-53770

  • Description: Exploitation enables unauthenticated attackers to execute post-compromise actions.
  • Impact: In-the-wild exploitation confirmed; observed activity writes files such as spinstall0.aspx and launches encoded PowerShell from the IIS worker process (w3wp.exe).
  • Risk: Elevated risk to on-prem environments.


CVE-2025-53771

  • Description: Related issue addressed in July 2025 update for Subscription Edition.
  • Impact: Undisclosed; considered part of cumulative patch guidance.


Mitigation

  • Apply July 2025 Security Updates (available now for Subscription Edition).
  • For 2016/2019 (pending patches):
    • Enable AMSI in Full Mode.
    • Deploy Defender for Endpoint or equivalent.
    • Rotate ASP.NET machine keys and restart IIS.
    • Disconnect affected servers from the internet if AMSI is unavailable.


Secure-ISS Client Protections

Secure-ISS is closely tracking active exploitation of CVE-2025-53770, publicly referred to as “ToolShell.” This exploit chain grants unauthenticated remote access to vulnerable SharePoint servers and allows adversaries to extract internal content and execute arbitrary commands over the network.

Pre-Emptive Blocking for Clients

Clients ingesting Secure-ISS’ Dynamic Blocklist are protected against known malicious IPs scanning for this vulnerability:

  • 107.191.58[.]76
  • 104.238.159[.]149
  • 96.9.125[.]147

For those not yet onboarded, we recommend blocking these IPs at your network perimeter.

Actions for System Administrators

  • Review and apply Microsoft’s July 8, 2025, SharePoint updates relevant to your environment: Microsoft Security Blog – CVE-2025-53770
  • Strengthen WAF and intrusion detection rules to block:
    • Suspicious POST traffic, especially to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
    • Known exploit signatures and shell patterns
  • Continue to monitor for indicators of compromise, including spinstall0.aspx and unusual PowerShell execution.
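The monitoring and WAF items above, and the indicator list in the IT summary further down, can be checked against a server's own IIS logs. The script below is an added example written for this advisory, not Secure-ISS tooling or Microsoft guidance. It assumes IIS W3C logging with the default field set (a #Fields header naming cs-method, cs-uri-stem, cs-uri-query, cs-username and c-ip) and flags only the indicators this advisory names: POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, any request for spinstall0.aspx, and traffic from the three blocklisted IPs. The log lines embedded in it are constructed for the demonstration.

```python
"""Triage IIS W3C logs for the SharePoint indicators named in this advisory.

Added example for the advisory; assumes default IIS W3C fields. Sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Indicators taken from the advisory. The IPs are de-fanged ("[.]") in the text,
# so normalise them before comparing with the c-ip column.
KNOWN_SCANNER_IPS = {
    ip.replace("[.]", ".")
    for ip in ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")
}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"   # compared case-insensitively
WEBSHELL_NAME = "spinstall0.aspx"
DISPLAYMODE_EDIT = re.compile(r"(?i)(^|&)DisplayMode=Edit(&|$)")


@dataclass
class Finding:
    line_no: int          # 1-based line in the log file
    client_ip: str
    reasons: List[str]    # why the entry was flagged


def parse_w3c(lines) -> Iterator[Tuple[int, dict]]:
    """Yield (line_no, entry) for each data line, honouring the #Fields header.

    IIS writes '-' for an empty field and '+' for spaces inside a field, so a
    plain split on single spaces gives one token per column.
    """
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directive, or no header yet
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                      # malformed line: skip, don't mis-assign columns
        yield n, dict(zip(fields, parts))


def triage(lines) -> List[Finding]:
    """Return one Finding per log entry that matches an advisory indicator."""
    findings = []
    for n, e in parse_w3c(lines):
        method = e.get("cs-method", "").upper()
        stem = e.get("cs-uri-stem", "").lower()
        query = e.get("cs-uri-query", "-")
        user = e.get("cs-username", "-")
        ip = e.get("c-ip", "-")
        reasons = []

        # WAF/IDS item: suspicious POST to ToolPane.aspx?DisplayMode=Edit.
        # Legitimate page editing also POSTs here, so record whether IIS saw
        # an authenticated user; the advisory's concern is unauthenticated access.
        if method == "POST" and stem == TOOLPANE_PATH and DISPLAYMODE_EDIT.search(query):
            who = "unauthenticated" if user == "-" else f"authenticated ({user})"
            reasons.append(f"{who} POST to ToolPane.aspx?DisplayMode=Edit")

        # Post-compromise indicator: any request touching the dropped file.
        if WEBSHELL_NAME in stem:
            reasons.append(f"request for {WEBSHELL_NAME}")

        # Pre-emptive blocking item: source on the advisory's IP list.
        if ip in KNOWN_SCANNER_IPS:
            reasons.append("source IP on advisory blocklist")

        if reasons:
            findings.append(Finding(n, ip, reasons))
    return findings


# Constructed sample log: one benign page view, one exploit-shaped POST, one
# fetch of the dropped file, and one authenticated GET that must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 03:12:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.20.14 Mozilla/5.0 - 200 0 0 120
2025-07-20 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 310
2025-07-20 03:12:47 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 45
2025-07-20 03:13:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.20.99 Mozilla/5.0 - 200 0 0 88
"""


def triage_sample() -> List[Finding]:
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    # Point this at a real file instead, e.g. C:\inetpub\logs\LogFiles\W3SVC1\*.log
    for f in triage_sample():
        print(f"line {f.line_no}: {f.client_ip}: {'; '.join(f.reasons)}")
```

Run it against the log directories of every SharePoint web front end, not just the one that raised an alert, and treat an authenticated ToolPane.aspx POST as a prompt to confirm the edit with the named user rather than as a clean result.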

Summary for IT Teams

  • Products: SharePoint Server 2016, 2019, Subscription Edition
  • Threat Level: High
  • Action:
    • Patch immediately where updates exist.
    • Harden systems with AMSI and endpoint protection.
    • Monitor for exploitation indicators (e.g., spinstall0.aspx, suspicious PowerShell via w3wp.exe).


Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.