
CVE-2025-53770 (Microsoft SharePoint)

Description:

Deserialization of untrusted data in on-premises SharePoint Server (SharePoint Online is not affected) enabling unauthenticated remote code execution through the /_layouts/15/ToolPane.aspx endpoint; publicly tracked as the "ToolShell" exploit chain.

Technical Details:

  • CVSS Score: 9.8 (Critical)
  • Exploit: The attacker sends a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a spoofed Referer of /_layouts/SignOut.aspx, which bypasses authentication (CVE-2025-49706, spoofing). The request body carries a serialized object that SharePoint deserializes unsafely (CVE-2025-53770, a variant of CVE-2025-49704, code injection RCE with CVSS 8.8), which writes a web shell named spinstall0.aspx into the LAYOUTS directory. That page is not a conventional command shell: it reads the server's ASP.NET MachineKey (ValidationKey and DecryptionKey) and returns them to the attacker, who can then sign arbitrary serialized __VIEWSTATE payloads offline and execute code on any SharePoint page, even after the deserialization bug is patched, until the keys are rotated. Follow-on activity includes PowerShell (Invoke-WebRequest) downloads of further payloads, including .dll files, for persistence. Eye Security, which first reported the campaign, counted 85+ compromised servers, including government and energy-sector organizations.
  • Impact: Full server compromise (code execution as the SharePoint application pool identity), enabling ransomware, data theft, or lateral movement via SMB or RDP.
  • AI Angle: Attackers use AI-driven NLP to parse server responses for key extraction and automate payload generation, targeting vulnerable SharePoint instances within hours.

FireCompass Mitigation:

FireCompass’s CART platform simulates multi-stage deserialization attacks, identifying vulnerable SharePoint endpoints. Its AI-driven attack engine tests for CVE-2025-53770, prioritizing high-risk vulnerabilities. FireCompass’s ASM discovers all SharePoint instances, including shadow IT, ensuring 100% coverage. Its PTaaS reduces remediation time by automating penetration testing, saving up to 80% of costs.

>> Test Your APIs with FireCompass – Identify Vulnerabilities Before Attackers Do

Action:

Use FireCompass to conduct continuous red teaming for SharePoint vulnerabilities, integrate with a WAF to block the ToolPane.aspx request pattern with a SignOut.aspx Referer, and hunt for exploitation in two places: the IIS logs (default location %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\*.log), looking for POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx and for any request for spinstall0.aspx; and the LAYOUTS directory of the SharePoint hive on each server, where spinstall0.aspx should not exist. Note that a __VIEWSTATE forged with stolen keys validates correctly at the server, so monitoring for tampered view state catches only unsigned or mis-signed attempts; key rotation is what closes that path.
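As an added example (not FireCompass code), the IIS-log hunt described above run over constructed W3C log lines. The field order follows the default IIS #Fields header, the benign entries are invented, and the attacker source address is taken from the IoC list on this page:

```python
"""Flag ToolShell-style requests in IIS W3C log lines (added example, not FireCompass code)."""
from urllib.parse import unquote

# Constructed sample log (not real traffic). Field order is the default IIS W3C header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 21:10:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.44 Mozilla/5.0 - 200
2025-07-18 21:10:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 21:10:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 python-requests/2.32 - 200
2025-07-18 21:11:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.0.51 Mozilla/5.0 https://sp.corp.local/sites/hr/default.aspx 200
"""


def parse_iis_w3c(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def toolshell_findings(records):
    """Return one finding per record that matches a ToolShell exploitation pattern."""
    findings = []
    for r in records:
        method = r.get("cs-method", "").upper()
        stem = r.get("cs-uri-stem", "").lower()
        query = unquote(r.get("cs-uri-query", "")).lower()
        referer = unquote(r.get("cs(Referer)", "")).lower()
        user = r.get("cs-username", "-")
        reasons = []
        # Auth bypass: POST to ToolPane.aspx carrying the SignOut.aspx Referer.
        if method == "POST" and stem.endswith("/toolpane.aspx") and referer.endswith("/_layouts/signout.aspx"):
            reasons.append("POST to ToolPane.aspx with SignOut.aspx Referer")
        # Anonymous ToolPane.aspx request with the a=/ToolPane.aspx parameter.
        if stem.endswith("/toolpane.aspx") and "a=/toolpane.aspx" in query and user == "-":
            reasons.append("unauthenticated ToolPane.aspx request with a=/ToolPane.aspx")
        # Any access to the key-dumping web shell, regardless of status code.
        if stem.rsplit("/", 1)[-1] == "spinstall0.aspx":
            reasons.append("request for spinstall0.aspx web shell")
        if reasons:
            findings.append({
                "time": f"{r.get('date')} {r.get('time')}",
                "c-ip": r.get("c-ip"),
                "uri": r.get("cs-uri-stem"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in toolshell_findings(parse_iis_w3c(SAMPLE_LOG)):
        print(f["time"], f["c-ip"], f["uri"], "; ".join(f["reasons"]))
```

Bob's authenticated edit of a web part page (a POST to ToolPane.aspx with a normal Referer) is deliberately not flagged; the signal is the SignOut.aspx Referer or anonymous access, not the endpoint itself. On a real server, feed every W3SVC log file through parse_iis_w3c and review all hits from before the patch date, since a single hit followed by key exfiltration is enough to assume compromise.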

Additional Mitigation:

  • Apply Microsoft's July 2025 out-of-band security updates (SharePoint Server Subscription Edition, 2019 and 2016) and enable AMSI integration in Full Mode with Microsoft Defender Antivirus on every SharePoint server.
  • Rotate the ASP.NET machine keys after patching (Update-SPMachineKey from the SharePoint Management Shell, or through Central Administration) and restart IIS with iisreset on every server in the farm. Keys that were readable before the rotation must be treated as stolen, since spinstall0.aspx exists precisely to exfiltrate them; patching without rotation leaves an attacker who already has the keys with working remote code execution.
  • Block the IPs observed in the July 2025 campaign (107.191.58.76, 104.238.159.149, 96.9.125.147), bearing in mind that attacker infrastructure changes and the absence of these addresses in your logs is not evidence that a server is clean.
  • Deploy AI-driven WAF (e.g., F5 Advanced WAF) to detect deserialization patterns.
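To show why the key rotation step above is not optional, here is an added example (not FireCompass or Microsoft code) of the __VIEWSTATE forgery path described in the Technical Details, using a simplified model of ASP.NET's MAC validation. Real ASP.NET 4.5+ derives purpose-specific keys from the ValidationKey (SP800-108) and may also encrypt the state; this model uses a plain HMAC-SHA256 over the payload with the raw key, which is sufficient to show the property. The "gadget" bytes are a constructed stand-in for a serialized payload, not a real one:

```python
"""Leak -> forge -> patch-without-rotation -> rotate, in a simplified __VIEWSTATE MAC model.
Added example, not FireCompass or Microsoft code."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Server side: append an HMAC-SHA256 tag and base64-encode, as __VIEWSTATE does."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Server side: return the payload if the MAC verifies, else None.
    A real server would go on to deserialize the returned payload; that is the RCE sink."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def rotation_scenario() -> dict:
    """Walk through the ToolShell aftermath and report what the server accepts."""
    server_key = secrets.token_bytes(64)   # stands in for the ValidationKey in machine.config
    leaked_key = server_key                # what spinstall0.aspx hands to the attacker
    gadget = b"<constructed stand-in for a serialized gadget chain>"

    # Attacker signs offline with the leaked key; no further exploit traffic needed.
    forged = sign_viewstate(gadget, leaked_key)

    results = {}
    # Deserialization bug patched but keys unchanged: the forged state still validates.
    results["accepted_before_rotation"] = verify_viewstate(forged, server_key) == gadget
    # Without the key, a guessed tag is rejected (constant-time compare, no oracle).
    wrong_key_token = sign_viewstate(gadget, secrets.token_bytes(64))
    results["wrong_key_rejected"] = verify_viewstate(wrong_key_token, server_key) is None
    # Rotate the key (Update-SPMachineKey + iisreset in practice): old forgeries stop working.
    rotated_key = secrets.token_bytes(64)
    results["accepted_after_rotation"] = verify_viewstate(forged, rotated_key) == gadget
    return results


if __name__ == "__main__":
    for name, value in rotation_scenario().items():
        print(f"{name}: {value}")
```

The point of the middle check is that the MAC itself is sound; the weakness the web shell exploits is key disclosure, and the only remedy for a disclosed key is a new key on every server that shared it.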

IoCs:

  • Malicious payload: spinstall0.aspx, written into the SharePoint hive's LAYOUTS directory (for supported versions, C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx)
  • Suspicious IPs (July 2025 campaign): 107.191.58.76, 104.238.159.149, 96.9.125.147
  • PowerShell payload SHA256: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 (as printed here this value is 63 hex characters, one short of a valid SHA-256; verify it against Microsoft's or Eye Security's published IoCs before blocking on it)

Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 

>>FireCompass Free Trial


Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.