Zscaler Blog
CVE-2025-53770: Zero-Day Exploit Impacts Microsoft SharePoint Services
Introduction
On July 19, 2025, Microsoft published an advisory for CVE-2025-53770, a critical zero-day vulnerability that allows unauthenticated attackers to execute arbitrary code impacting on-premises SharePoint servers. The vulnerability, dubbed ToolShell, stems from insecure deserialization of untrusted data in SharePoint’s server-side processing, enabling attackers to craft malicious payloads that compromise the server. This vulnerability is a variant of the previously patched CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code injection). Public proof-of-concept (PoC) for this exploit surfaced shortly after, fueling widespread exploitation. With a CVSS score of 9.8, this vulnerability poses a severe risk to on-premises SharePoint deployments, particularly those exposed to the internet. Over 235,000 SharePoint services are estimated to be vulnerable, and active exploitation has been reported as of July 21, 2025.
Affected Versions
CVE-2025-53770 impacts the following Microsoft SharePoint Server versions:
- SharePoint Server 2016: All builds with the September 2023 security update or later.
- SharePoint Server 2019: All builds with the September 2023 security update or later.
- SharePoint Server Subscription Edition: Version 23H2 or later.
Note: SharePoint Online, hosted on Microsoft 365, is not affected by this vulnerability. However, organizations using unsupported or unpatched versions released prior to September 2023 may still be at risk, as the exploit specifically targets configurations introduced in later updates.
Vulnerability Details
CVE-2025-53770 builds on prior vulnerabilities like CVE-2021-28474, targeting SharePoint's server-side control parsing logic to execute remote code. The earlier vulnerability exploited SharePoint’s handling of ASP.NET ViewState objects, which are processed using a ValidationKey stored in the web.config file. By leveraging the machineKey, attackers could craft forged ViewState objects and trigger remote code execution (RCE) through the deserialization of untrusted data. However, attacks were limited, as creating valid payload signatures required access to the ValidationKey.
The new ToolShell exploit chain, composed of CVE-2025-49706 and CVE-2025-49704, removes this limitation, enabling unauthenticated attackers to execute the entire RCE chain. A SharePoint flaw allows unauthenticated access to the path /_layouts/15/ToolPane.aspx when the HTTP referer field is set to /_layouts/SignOut.aspx. Through this vulnerability, attackers can trigger deserialization by downloading a crafted .aspx file intended to steal cryptographic secrets, including the ValidationKey. These secrets can be extracted from the server’s memory or from configuration files, granting attackers the ability to forge signed __VIEWSTATE payloads with tools like ysoserial.
For instance, attackers can view the value of __VIEWSTATEGENERATOR in the source code of any public SharePoint page and use the following ysoserial command to create an RCE payload:
>open the source code view for any publicly available SharePoint page and find the value of __VIEWSTATEGENERATOR.
>ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo RCE > c:/windows/temp/SP_RCE.txt" --generator="AF879508" --validationkey="FAA45BC66E06323C48961DA2AEAF077D8786291E2748330F03B6601F08523B79" --validationalg="HMACSHA256" --islegacy --minify
These payloads can include malicious commands and are processed by the server as legitimate input, completing the RCE chain without needing any credentials. Thus, an attacker can achieve remote code execution in the context of a SharePoint web application.
Attack Flow Diagram
The figure below shows the attack flow CVE-2025-53770 follows to achieve RCE on a SharePoint server.
Figure 1: Diagram shows how the CVE-2025-53770 attack chain works.
Analysis of CVE-2025-53770 exploitation
Zscaler ThreatLabz analyzed SharePoint logs related to CVE-2025-53770 activity, captured using Zscaler Deception decoys, to identify suspicious transactions that reveal the exploit mechanics. Key findings include:
Exploit Indicators in SharePoint Logs
- URL path: /ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
- HTTP referer: /SignOut.aspx
- HTTP method: POST
- POST data: Contains {"MSOTlPn_Uri": ["http://www.-------.org/_controltemplates/15/AclEditor.ascx"]} and a section labeled CompressedDataTable.
The CompressedDataTable is shown in the figure below:
Figure 2: CompressedDataTable included in the POST request.
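The log indicators listed above can be turned into a simple detection. The following is an added example, not code from the original post or from Zscaler: it parses IIS W3C log lines (the field order is an assumption, stated in FIELDS) and flags the ToolPane.aspx/SignOut.aspx pattern and any request for the spinstall0.aspx file the payload writes. The log lines are constructed, not captured traffic.

```python
from urllib.parse import parse_qs

# Assumed IIS W3C field order; adjust FIELDS to match the #Fields header of your own logs.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status"]

# Constructed sample log (not real traffic). Lines 1-2 mimic the exploit indicators from an
# external address; lines 3-4 are ordinary authenticated SharePoint traffic that must stay clean.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-07-18 09:12:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2025-07-18 09:13:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 alice 10.0.0.44 Mozilla/5.0 https://sp.example.com/sites/hr/default.aspx 200
2025-07-18 09:14:02 10.0.0.5 GET /sites/hr/default.aspx - 443 bob 10.0.0.45 Mozilla/5.0 - 200
"""


def parse_line(line):
    """Split one W3C log line into a dict; returns None for comments or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def classify(rec):
    """Return the reasons a record matches the ToolShell pattern (empty list means clean)."""
    reasons = []
    stem = rec["uri_stem"].lower()
    referer = rec["referer"].lower()
    query = parse_qs(rec["uri_query"]) if rec["uri_query"] != "-" else {}
    if stem.endswith("/toolpane.aspx"):
        # Authentication bypass: ToolPane.aspx reached with a SignOut.aspx referer.
        if referer.endswith("/_layouts/signout.aspx"):
            reasons.append("ToolPane.aspx requested with a SignOut.aspx referer")
        # Observed exploit shape: POST with DisplayMode=Edit&a=/ToolPane.aspx.
        if rec["method"] == "POST" and query.get("a", [""])[0].lower().endswith("/toolpane.aspx"):
            reasons.append("POST to ToolPane.aspx with a=/ToolPane.aspx in the query")
    if stem.endswith("/spinstall0.aspx"):
        reasons.append("access to spinstall0.aspx, the file written by the observed payload")
    return reasons


def scan_log(text):
    """Return one hit per suspicious line with the client IP, time, URI and match reasons."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"c_ip": rec["c_ip"], "time": rec["time"],
                         "uri": rec["uri_stem"], "reasons": reasons})
    return hits
```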
Payload analysis
The POST data includes a CompressedDataTable field that, when decompressed using gzip and Base64 decoding, reveals several key stages of the exploit:
- Decompressed data: The payload includes XSD (XML Schema Definition) strings encoded in Base64. Further decoding of these strings produces a PowerShell script, as shown in the figure below.
Figure 3: Decoded PowerShell script.
- PowerShell script functionality: The decoded script is designed to exploit the vulnerability. Specifically, it:
  - Saves malicious content in the file path C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx.
  - When the saved content is decoded, the purpose of the script becomes clear: stealing the cryptographic ValidationKey from the SharePoint server, as shown in the figure below.
Figure 4: Decoded malicious script used for cryptographic theft, targeting the ValidationKey.
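The two decoding stages described in this section (Base64 plus gzip for the CompressedDataTable field, then Base64 again for the strings embedded in the XSD) can be scripted for triage. This is an added example, not Zscaler's tooling: it works on a constructed stand-in value built inline, not on a captured payload, and assumes the embedded script is UTF-16LE (as PowerShell encoded commands are) with a UTF-8 fallback.

```python
import base64
import gzip
import re

# Constructed stand-in for a captured CompressedDataTable value (not a real payload): a
# gzip-compressed XSD document carrying one Base64-encoded script in an element body.
_SCRIPT = "Write-Output 'constructed stand-in for the decoded script'"
_XSD = ('<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        '<xs:element name="payload" type="xs:string">'
        + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode() +
        '</xs:element></xs:schema>')
SAMPLE_COMPRESSED_DATA_TABLE = base64.b64encode(gzip.compress(_XSD.encode())).decode()

# Long Base64 runs; short tokens such as attribute names never reach 40 characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decompress_data_table(value):
    """Stage 1: Base64-decode the POST field, then gunzip it to the XML/XSD text."""
    return gzip.decompress(base64.b64decode(value)).decode("utf-8", errors="replace")


def extract_embedded_scripts(xml_text):
    """Stage 2: decode every long Base64 run found in the XSD to readable script text."""
    scripts = []
    for match in B64_RUN.finditer(xml_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid Base64, skip it
            continue
        # UTF-16LE text has a NUL in every other byte; anything else is treated as UTF-8.
        if raw.count(b"\x00") > len(raw) // 4:
            scripts.append(raw.decode("utf-16-le", errors="replace"))
        else:
            scripts.append(raw.decode("utf-8", errors="replace"))
    return scripts


def analyze(value):
    """Run both stages and return the decompressed XML and the scripts found inside it."""
    xml_text = decompress_data_table(value)
    return {"xml": xml_text, "scripts": extract_embedded_scripts(xml_text)}
```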
How Zscaler Protects Against CVE-2025-53770
Zscaler Deception empowers organizations to proactively intercept targeted attacks, including zero-day vulnerabilities like CVE-2025-53770, even before they are publicly disclosed. By deploying perimeter-facing decoys, Zscaler emulates commonly targeted applications such as VPNs, firewalls, and SharePoint. These decoys are designed to only respond when they are specifically targeted via hostnames, avoiding detection during random internet scans. This approach provides early threat signals while enabling security teams to respond swiftly and block attackers before they can infiltrate or compromise an environment.
Zscaler Deception customers benefited from early detection of CVE-2025-53770 being actively exploited, with the first signs appearing on the morning of July 17th, four days ahead of the advisory issued by CISA. Through SharePoint decoys, Zscaler Deception identified malicious activity and uncovered the following IPs attempting to exploit the vulnerability:
If you are a Zscaler customer, we strongly recommend reaching out to your account manager to deploy SharePoint decoys. These decoys provide robust early-detection capabilities while serving as valuable sources of threat intelligence, critical for investigating and triaging relevant incidents.
Stopping lateral movement with Deception + Zscaler Private Access (ZPA):
Zscaler’s SharePoint decoys can also be deployed within ZPA environments and server VLANs to detect and stop lateral movement. This integrated solution enables Zscaler Deception to identify attackers attempting to pivot from compromised endpoints to internal SharePoint applications. As soon as such activity is detected, ZPA takes immediate action by isolating the compromised user or malicious insider, effectively preventing access to high-value assets or crown jewel applications.
By leveraging the combined power of Zscaler Deception and ZPA, organizations can significantly harden their environments against exploitation attempts and mitigate risks associated with lateral movement.
Recommendations
Zscaler ThreatLabz recommends that organizations take the following actions to mitigate risks:
- Use Zscaler Zero Trust Exchange to reduce your external attack surface: Move these servers behind a zero trust platform like the Zscaler Zero Trust Exchange (ZTE) so that they are no longer directly reachable from the internet.
- Use Zscaler Private Access to prevent insider threats: Prioritize user-app segmentation on your Zscaler Private Access (ZPA) to combat insider threats.
- Patch immediately: Ensure your organization promptly applies the newly released patch from Microsoft to the specific version of SharePoint in use.
- Monitor and audit: Leverage endpoint detection and response (EDR) tools to actively monitor for suspicious activities, including unauthorized .NET method calls or unexpected file system changes. Review SharePoint logs for unusual patterns, such as failed authentication attempts or deserialization errors. Search for indicators of compromise (IOCs), such as unexpected __VIEWSTATE payloads or repeated access to MachineKey paths.
Recommendations from Microsoft
- Enable Antimalware Scan Interface (AMSI): Ensure AMSI is enabled and active on all SharePoint servers. AMSI is configured by default in SharePoint Server 2016/2019 (post-September 2023 updates) and Subscription Edition Version 23H2. This interface scans incoming payloads for malicious content, helping to block a wide range of exploit attempts. To confirm AMSI is properly configured, review its settings in the SharePoint Central Administration console.
- Rotate machine keys: Regenerate the ValidationKey and DecryptionKey in the MachineKey section of the server’s web.config file. This process invalidates any stolen keys and disrupts potential attacks. Once the keys have been updated, restart Internet Information Services (IIS) to ensure the changes are applied. You can reset IIS using the command iisreset.
Conclusion
CVE-2025-53770 is a critical threat to on-premises SharePoint deployments, enabling attackers to gain full control over vulnerable servers with minimal effort. Its zero-day status, active exploitation, and stealthy nature make it a top priority for organizations. While SharePoint Online users are safe, those running affected versions must implement mitigations urgently—enabling AMSI, deploying Defender AV, rotating keys, and isolating servers. The exploit’s reliance on deserialization and stolen keys underscores the need for robust input validation and key management in enterprise software. Organizations should promptly apply Microsoft's patch specific to their SharePoint version to defend against exploitation.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed protection for CVE-2025-53770.
Zscaler Advanced Threat Protection
Zscaler Private Access AppProtection
- 6000294: Microsoft SharePoint Server Remote Code Execution
- 6000295: Microsoft SharePoint Server ASPX Remote Code Execution
Details related to these signatures can be found in the Zscaler Threat Library.
Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.