CVE-2025-53770: A Critical SharePoint RCE Threat Exploited in the Wild
Posted on: 23 July 2025 | Author: Foresiet
Introduction
A newly disclosed vulnerability, CVE-2025-53770, has sent shockwaves through the enterprise IT and cybersecurity community. Affecting on-premises Microsoft SharePoint Server, this critical flaw enables unauthenticated remote code execution (RCE) through insecure deserialization of untrusted data. With a CVSS v3.1 score of 9.8, it represents one of the most severe threats to SharePoint deployments in recent years. Even more alarming, Microsoft has confirmed that public exploits are available and actively being used by threat actors.
The Vulnerability at a Glance
- CVE ID: CVE-2025-53770
- Severity: Critical (CVSS 9.8)
- Type: Insecure Deserialization / Remote Code Execution
- Attack Vector: Network (No authentication required)
- Status: Public exploits available, active exploitation confirmed
- Affected Systems: Microsoft SharePoint Server (On-premises)
- SharePoint Online: Not affected
This vulnerability allows adversaries to craft malicious payloads that exploit the deserialization mechanism in SharePoint, leading to direct code execution on the server. Once inside, they can deploy webshells, steal sensitive documents, and pivot laterally through internal systems.
Current Exploitation Trends
Microsoft has verified in its official advisory that CVE-2025-53770 is being actively exploited in the wild. Threat actors are reportedly leveraging webshells—such as the recently seen spinstall0.aspx—to maintain persistent access after initial compromise.
Security telemetry from threat intelligence platforms indicates a growing number of attacks targeting internet-exposed SharePoint servers. These attacks often bypass traditional perimeter defenses and leverage Referer-forged requests and ToolShell payloads to exploit vulnerable servers.
Threat Actor Involvement
While formal attribution is ongoing, historical patterns and TTPs suggest a strong possibility of involvement from known nation-state and financially motivated actors:
- Silk Typhoon (HAFNIUM): Notorious for abusing previous SharePoint and Exchange vulnerabilities.
- Storm-0506: Targeted enterprise collaboration tools in past espionage campaigns.
- Ransomware-as-a-Service (RaaS) groups: SharePoint compromises are a goldmine for initial access brokers.
Attack Chain & Methodology
- Initial Access: External SharePoint servers are scanned and identified.
- Exploitation: Malicious serialized objects are submitted, exploiting the deserialization bug.
- Execution: Arbitrary code runs under the SharePoint/IIS process.
- Post-Exploitation:
  - Webshell deployment (e.g., .aspx files dropped into web-accessible directories)
  - Credential harvesting
  - Internal reconnaissance and lateral movement
  - Data exfiltration and potential ransomware deployment
Detection & Threat Hunting Strategies
Detection for CVE-2025-53770 is focused on process creation anomalies within IIS (w3wp.exe) and suspicious file write operations. Use the following strategies:
KQL Queries (Microsoft Defender/Defender for Endpoint):
KQL Query 1: Suspicious Child Processes Spawned by IIS (w3wp.exe)

KQL Query 2: Webshell Write Activity by IIS

Indicators of Compromise (IOCs):
- Webshell names: spinstall0.aspx, aspxrev.aspx
- Unusual requests to /_layouts/15/ToolPane.aspx
- Unexpected outbound network traffic from SharePoint hosts
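The hunting strategies above (w3wp.exe child processes, webshell file writes, requests to ToolPane.aspx and the named webshell files, unusual Referer headers) can be applied to exported telemetry when a Defender/KQL workspace is not available. The following Python script is an added example written for this post; it is not Foresiet's or Microsoft's code. All log lines and endpoint events in it are constructed samples, the SUSPICIOUS_CHILDREN list and the "Referer host differs from the SharePoint host" heuristic are assumptions to be tuned per environment, and it broadens the file-write check from .aspx to other ASP.NET handler extensions.

```python
"""Hunt for CVE-2025-53770 post-exploitation traces in IIS W3C logs and
endpoint process/file telemetry. Added example; all sample data is constructed."""
from urllib.parse import urlsplit

# Webshell file names and the request path listed as IoCs in the post.
WEBSHELL_NAMES = {"spinstall0.aspx", "aspxrev.aspx"}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
# Assumed list of children a SharePoint worker process should not spawn.
# csc.exe is deliberately absent: ASP.NET dynamic compilation launches it legitimately.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe"}
# Broadened beyond .aspx to other server-side handler types (assumption).
WEBSHELL_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Constructed IIS W3C log excerpt; field order comes from the #Fields header.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-20 10:01:02 GET /_layouts/15/start.aspx - 10.0.1.20 https://sharepoint.example.local/sites/hr 200
2025-07-20 10:02:10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.23 http://203.0.113.7/ 200
2025-07-20 10:02:11 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 - 200
2025-07-20 10:03:00 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 10.0.1.21 https://sharepoint.example.local/sites/hr 200
"""

# Constructed process-creation events: (parent image, child image, command line).
PROCESS_EVENTS = [
    ("w3wp.exe", "csc.exe", "csc.exe /noconfig /fullpaths @page.cmdline"),  # expected
    ("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("w3wp.exe", "powershell.exe", "powershell.exe -NoProfile -EncodedCommand ..."),
    ("svchost.exe", "w3wp.exe", "w3wp.exe -ap SharePoint80"),
]

# Constructed file-write events: (writing process, path). The LAYOUTS path is a
# sample SharePoint layout directory, not a value taken from an incident.
FILE_WRITES = [
    ("w3wp.exe", r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"),
    ("w3wp.exe", r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\App_Data\cache.dat"),
]


def parse_w3c(text):
    """Turn an IIS W3C log into one dict per request, keyed by #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def hunt_iis(text, server_host="sharepoint.example.local"):
    """Return (finding_type, client_ip, detail) tuples for suspicious requests."""
    findings = []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        referer = r["cs(Referer)"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            findings.append(("webshell_request", r["c-ip"], stem))
        if stem == TOOLPANE_PATH and r["cs-method"] == "POST":
            findings.append(("toolpane_post", r["c-ip"], referer))
        if ref_host and ref_host != server_host:  # heuristic: Referer from a foreign host
            findings.append(("foreign_referer", r["c-ip"], referer))
    return findings


def hunt_endpoint(process_events, file_writes):
    """Return findings for IIS worker processes spawning shells or writing handlers."""
    findings = []
    for parent, child, cmdline in process_events:
        if parent.lower() == "w3wp.exe" and child.lower() in SUSPICIOUS_CHILDREN:
            findings.append(("iis_child_process", child, cmdline))
    for proc, path in file_writes:
        if proc.lower() == "w3wp.exe" and path.lower().endswith(WEBSHELL_EXTENSIONS):
            findings.append(("iis_webshell_write", proc, path))
    return findings


def main():
    for f in hunt_iis(IIS_LOG) + hunt_endpoint(PROCESS_EVENTS, FILE_WRITES):
        print("%-20s %-16s %s" % f)


if __name__ == "__main__":
    main()
```

Each finding type maps to one strategy in the post: `iis_child_process` to the w3wp.exe child-process hunt, `iis_webshell_write` to the webshell write-activity hunt, and the three request findings to the IoC list. The Referer heuristic only compares the Referer host against the SharePoint host; legitimate cross-site links will trigger it, so treat it as a pivot for analyst review rather than a standalone alert.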
Mitigation Guidance
Short-Term Measures:
- Enable AMSI (Antimalware Scan Interface) integration in SharePoint (default ON since Sept 2023).
- Deploy Microsoft Defender Antivirus and enable cloud protection.
- Monitor and isolate exposed servers.
Patch Status:
- Microsoft has released updates for:
  - SharePoint Server Subscription Edition (KB5002768)
  - SharePoint Server 2019 (KB5002741)
- SharePoint 2016 patch is pending—use mitigations in the meantime.
Post-Mitigation Actions:
- Rotate ASP.NET machine keys to invalidate stolen credentials.
- Restart IIS to enforce changes.
- Review IIS logs for unusual Referer headers and POST requests.
Conclusion
CVE-2025-53770 poses a serious and immediate threat to enterprise environments running SharePoint on-premises. With confirmed exploitation and multiple attack vectors, organizations must respond rapidly—patch systems, hunt for IOCs, and harden their perimeter defenses.
Security teams should prioritize monitoring IIS child processes, leverage KQL-based telemetry, and stay updated with advisories from Microsoft, CISA, and trusted intelligence vendors.
References
- Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- NIST NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- MITRE CVE Database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53770
- https://www.reddit.com/r/cybersecurity/comments/1m4i3oi/microsoft_sharepoint_server_rce_vulnerability