A fresh zero-day in on-premises Microsoft SharePoint Server, CVE-2025-53770, has erupted across enterprise environments. Its impact: unauthenticated remote code execution (RCE) and full compromise of vulnerable servers. This isn't theoretical or limited; active exploitation is currently targeting both enterprise and government systems.
How the Exploit Chain Works
ToolShell, as the exploit chain has been branded by researchers, abuses unsafe deserialization in SharePoint, reached through the __VIEWSTATE parameter and the server's file upload handling. Attackers don't need credentials. They POST crafted payloads to targeted endpoints such as /_layouts/15/ToolPane.aspx, and the server executes arbitrary code while processing them. In the observed incidents, this leads to the dropping of a minimalist backdoor, typically an ASPX file named spinstall0.aspx. This file isn't designed for persistence or visibility. Its sole job is to read the ASP.NET machine key material from the affected SharePoint box, in particular the ValidationKey and DecryptionKey values that sign and encrypt ViewState.
With these in hand, attackers can craft __VIEWSTATE payloads that pass the server's MAC check, essentially turning every SharePoint page that accepts ViewState into an RCE delivery vector, without needing the original bug again.
Patching Status
At the time of writing, patches are available for Microsoft SharePoint Server Subscription Edition and SharePoint Server 2019, but they're still pending for SharePoint Server 2016. Microsoft advises customers to watch for a future fix and, in the meantime, use every available mitigation:
- Enable and validate Antimalware Scan Interface (AMSI) integration in SharePoint.
- Deploy Defender Antivirus and Defender for Endpoint on all SharePoint hosts.
- Disconnect vulnerable servers from the internet if AMSI cannot be enabled.
It's crucial to note that patching closes the entry point but does not invalidate keys that were already stolen: a patched server still accepts any ViewState signed with its current ValidationKey. Rotate the ASP.NET machine keys (and restart IIS so the new keys take effect) and run a full post-compromise investigation to limit the fallout.
Detection Clues and Threat Landscape
Look for ASPX files that shouldn't be there, such as spinstall0.aspx, especially under the web-accessible /_layouts/15/ or /_layouts/16/ paths (which map to the SharePoint hive's TEMPLATE\LAYOUTS folder). In IIS logs, look for POST requests to /_layouts/15/ToolPane.aspx from unauthenticated clients, followed by requests for the dropped ASPX file. Monitor for suspicious child processes of the IIS worker process (w3wp.exe), such as cmd.exe or powershell.exe. While attribution is still early, notable activity against government and multinational organizations from both state-linked and profit-driven actors has already been recorded.
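As an added example (not code from the original post), here is a small Python hunt over IIS W3C log lines that flags the two request patterns described above: anonymous POSTs to ToolPane.aspx and any request for spinstall0.aspx. The log excerpt is constructed for this example, the column layout assumes a default IIS W3C field selection, and the SignOut.aspx Referer check is a corroborating signal from public reporting on ToolShell rather than something the post itself describes; authenticated POSTs to ToolPane.aspx are normal page editing and are reported at info level only.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt for this example; not real traffic. The
# field layout assumes a common IIS default: cs-username is '-' for
# anonymous requests and spaces inside a field are written as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.41 Mozilla/5.0 https://portal.contoso.com/ 200 0 0 120
2025-07-19 03:14:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://portal.contoso.com/_layouts/SignOut.aspx 200 0 0 842
2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 35
2025-07-19 03:20:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.42 Mozilla/5.0 https://portal.contoso.com/sites/hr 200 0 0 90
"""

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL = re.compile(r"/_layouts/1[56]/spinstall0\.aspx$", re.IGNORECASE)
# Referer seen on the exploit requests in public reporting (assumed signal).
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    severity: str  # "high" or "info"
    reason: str


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C-format IIS log text into one dict per request, keyed by the
    names from the most recent '#Fields:' directive. Lines whose token count
    does not match the header are skipped rather than guessed at."""
    fields: list[str] = []
    records: list[dict] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        rec["_line_no"] = line_no
        records.append(rec)
    return records


def find_toolshell_indicators(records: list[dict]) -> list[Finding]:
    """Flag requests matching the ToolShell pattern: a request for the dropped
    spinstall0.aspx, or a POST to ToolPane.aspx with no authenticated user.
    Authenticated POSTs to ToolPane.aspx are ordinary page editing."""
    findings: list[Finding] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        method = rec.get("cs-method", "")
        user = rec.get("cs-username", "-")
        referer = rec.get("cs(Referer)", "-")
        ip = rec.get("c-ip", "?")
        line_no = rec["_line_no"]
        if WEBSHELL.search(stem):
            findings.append(Finding(line_no, ip, "high",
                                    "request for spinstall0.aspx (key-theft web shell)"))
        elif TOOLPANE.search(stem) and method == "POST":
            if user == "-":
                reason = "unauthenticated POST to ToolPane.aspx"
                if SIGNOUT_REFERER.search(referer):
                    reason += " with SignOut.aspx Referer"
                findings.append(Finding(line_no, ip, "high", reason))
            else:
                findings.append(Finding(line_no, ip, "info",
                                        f"authenticated POST to ToolPane.aspx by {user}"))
    return findings


if __name__ == "__main__":
    for f in find_toolshell_indicators(parse_iis_log(SAMPLE_LOG)):
        print(f"[{f.severity}] line {f.line_no} {f.client_ip}: {f.reason}")
```

Run it against a real log with `parse_iis_log(open(path).read())`; one hit on either high-severity rule is enough to start incident response on that host, since the second request usually follows the first within seconds.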
Who’s at Risk
On-premises SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition are affected. SharePoint Online, included with Microsoft 365, is not affected. Mass exploitation has reached dozens of verified cases globally within days of disclosure. If your SharePoint faces the internet, assume it is compromised and hunt for evidence, rather than waiting for proof.
The pace and scale of exploitation here show that adversaries are ready to turn any on-premises SharePoint weakness into a working compromise within days. So far, patch lag and missing cryptographic hygiene (unrotated machine keys) continue to expose real and avoidable organizational risk. Ignore at your own peril.