Skip to content
Home icon Home Arrow Blogs Arrow CVE-2025-53770 (Microsoft SharePoint)
AI in Cybersecurity 29 Jul 2025

CVE-2025-53770 (Microsoft SharePoint)

Priyanka AashPriyanka Aash Co-Founder, FireCompass
Summarize and analyze this article with:
ChatGPT Perplexity Grok Gemini Claude

Description:

Deserialization vulnerability enabling unauthenticated RCE via the /_layouts/15/ToolPane.aspx endpoint.

Technical Details:

  • CVSS Score: 9.8 (Critical)
  • Exploit: Attackers craft malicious ASPX payloads (spinstall0.aspx) to exploit unsafe deserialization, extracting ValidationKey and DecryptionKey from __VIEWSTATE. Spoofed Referer headers (/layouts/SignOut.aspx) bypass authentication. The exploit chains with CVE-2025-49704 (spoofing, CVSS 8.8) and CVE-2025-49706 (RCE bypass), deploying .dll payloads (SHA256: 7a8b9c0d…) for persistence via PowerShell (Invoke-WebRequest). Eye Security reported 85+ servers compromised, targeting government and energy sectors.
  • Impact: Full server compromise, enabling ransomware, data theft, or lateral movement via SMB or RDP.
  • AI Angle: Attackers use AI-driven NLP to parse server responses for key extraction and automate payload generation, targeting vulnerable SharePoint instances within hours.

FireCompass Mitigation:

FireCompass’s CART platform simulates multi-stage deserialization attacks, identifying vulnerable SharePoint endpoints. Its AI-driven attack engine tests for CVE-2025-53770, prioritizing high-risk vulnerabilities. FireCompass’s ASM discovers all SharePoint instances, including shadow IT, ensuring 100% coverage. Its PTaaS reduces remediation time by automating penetration testing, saving up to 80% of costs.

>> Test Your APIs with FireCompass – Identify Vulnerabilities Before Attackers Do

Action:

Use FireCompass to conduct continuous red teaming for SharePoint vulnerabilities, integrate with WAF to block malicious payloads, and monitor for __VIEWSTATE tampering (grep “spinstall0” sharepoint.log).

Additional Mitigation:

  • Apply Microsoft’s July 2025 patch and enable AMSI on SharePoint servers.
  • Rotate ASP.NET machine keys twice and restart IIS (iisreset).
  • Block IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147.
  • Deploy AI-driven WAF (e.g., F5 Advanced WAF) to detect deserialization patterns.

IoCs:

  • Malicious payload: spinstall0.aspx
  • Suspicious IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147
  • PowerShell payload SHA256: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8

Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 

>>FireCompass Free Trial

Table of Content

Hackers Wont Wait For Your Next Quarterly Pen Test..

Continuous Pen Test

Similar Blogs

Use Cases
Technology
About
Partner
Resources

FireCompass – An EC Council Ecosystem Company.
©2025 . All Rights Reserved.