
Microsoft SharePoint Server Zero-Day (CVE-2025-53770): Urgent Patching Required

Overview

On July 19, 2025, Microsoft disclosed a critical zero-day vulnerability in on-premises SharePoint Server (CVE-2025-53770, CVSS 9.8) that was already being exploited at scale; the first public count put the number of breached organizations at over 75. The flaw, a variant of CVE-2025-49704, allows unauthenticated remote code execution (RCE) via deserialization of untrusted data. CISA added it to its Known Exploited Vulnerabilities catalog on July 20, urging immediate action.

Explanation

The vulnerability stems from unsafe deserialization of untrusted data in on-premises SharePoint Server (Subscription Edition, 2019 and 2016; SharePoint Online in Microsoft 365 is not affected), allowing an attacker to execute arbitrary code over the network without authentication. In the “ToolShell” chain, first demonstrated at Pwn2Own Berlin in May 2025, the attacker sends a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with the HTTP Referer header set to /_layouts/SignOut.aspx. The spoofing flaw CVE-2025-49706 (variant: CVE-2025-53771) makes SharePoint treat that request as if it had passed authentication, and the deserialization flaw CVE-2025-49704 (variant: CVE-2025-53770) then executes the attacker’s payload. Observed payloads write a small web shell (spinstall0.aspx) whose only job is to read the server’s ASP.NET MachineKey (ValidationKey and DecryptionKey). With those keys the attacker can sign __VIEWSTATE payloads that pass MAC validation, so a server compromised before patching stays exploitable after the update until the keys are rotated, and the same keys work against every server in the farm that shares them.

Impact

  • System Compromise: Full control of SharePoint servers.

  • Data Breach: Exposure of sensitive data.

  • Network Access: Lateral movement to other systems.

  • Operational Disruption: Downtime and recovery costs.

Details

  • MITRE ATT&CK Mapping:

    • Tactic: Initial Access (TA0001): T1190 (Exploit Public-Facing Application) – Unauthenticated request to ToolPane.aspx with a spoofed Referer.

    • Tactic: Execution (TA0002): T1059.001 (Command and Scripting Interpreter: PowerShell) – The IIS worker process (w3wp.exe) spawning encoded PowerShell to write the web shell.

    • Tactic: Persistence (TA0003): T1505.003 (Server Software Component: Web Shell) – spinstall0.aspx dropped into the SharePoint LAYOUTS directory.

    • Tactic: Credential Access (TA0006): T1552 (Unsecured Credentials) – ASP.NET MachineKey material read from the server and exfiltrated, then reused to forge signed __VIEWSTATE payloads.

    • Tactic: Lateral Movement (TA0008): T1021 (Remote Services) – Movement from the SharePoint server into the rest of the network.

  • IOCs:

    • Domains: None publicly disclosed.

    • IP Addresses: None publicly disclosed.

    • Files: spinstall0.aspx written to the LAYOUTS directory under the SharePoint installation path (hashes are published in Microsoft’s customer guidance for CVE-2025-53770).

    • HTTP request pattern: POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit in the query string and Referer /_layouts/SignOut.aspx.

  • Log Artifacts (illustrative, constructed lines; 203.0.113.99 is a documentation address, and the second line is a generic detection message rather than a native SharePoint log entry):

    Jul 19 2025 10:22:15 [SharePoint] Suspicious POST to /_layouts/15/ToolPane.aspx from 203.0.113.99
    Jul 19 2025 10:22:16 [SharePoint] Unauthorized code execution detected

    In practice the request itself appears in the IIS W3C logs of the SharePoint web application (cs-method, cs-uri-stem, cs-uri-query and cs(Referer) fields), and the execution shows up in process telemetry as w3wp.exe spawning cmd.exe or powershell.exe.
  • Remediation:

    • Vendor Patch Guidance: Apply Microsoft’s out-of-band security updates for CVE-2025-53770 and CVE-2025-53771 (published from July 20, 2025, for SharePoint Subscription Edition and SharePoint Server 2019, with SharePoint Server 2016 following). After patching, rotate the ASP.NET machine keys (Central Administration > Security > Machine Key Rotation, or the Update-SPMachineKey cmdlet) and restart IIS with iisreset; stolen keys remain valid until this is done.

    • Temporary Mitigations: Enable AMSI integration in Full Mode and run Microsoft Defender Antivirus (or equivalent EDR) on every SharePoint server; if AMSI cannot be enabled, disconnect the server from the internet until it is patched. Restricting SharePoint access to trusted IPs and adding WAF rules for the ToolPane.aspx / SignOut.aspx Referer pattern reduce exposure, but the Referer is attacker-controlled, so treat such rules as a stopgap, not a fix.

    • Known Workarounds: There is no configuration switch that disables the vulnerable deserialization path; the update plus key rotation is the only effective remediation. Treat any internet-exposed server that was unpatched during the exploitation window as potentially compromised and hunt for spinstall0.aspx before trusting it again.

  • Threat Hunting Recommendations:

    • Log Correlation: In the IIS logs of each SharePoint web application, look for POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit in cs-uri-query and a cs(Referer) of /_layouts/SignOut.aspx (both fields must be enabled in the site’s W3C logging fields for this to work). Also look for any request to spinstall0.aspx and for the file itself on disk.

    • YARA Rule (for scanning captured HTTP traffic or IIS logs, not server binaries; the two URL paths also occur in legitimate traffic individually, so the rule requires the edit-mode query string alongside them):

      rule SharePoint_ToolShell_Exploit {
        meta:
          description = "Detects the ToolShell request pattern (CVE-2025-49706/53771 + CVE-2025-49704/53770) or the spinstall0.aspx web shell name"
          author = "FireCompass Threat Research"
        strings:
          // Exploit target page, edit-mode query and the spoofed Referer used for the auth bypass
          $tool  = "/_layouts/15/ToolPane.aspx" ascii nocase
          $edit  = "DisplayMode=Edit" ascii nocase
          $ref   = "/_layouts/SignOut.aspx" ascii nocase
          // Web shell dropped by the observed post-exploitation payload
          $shell = "spinstall0.aspx" ascii nocase
        condition:
          ($tool and $edit and $ref) or $shell
      }
    • Anomalous Process and Network Activity: Alert on the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe, especially with Base64-encoded command lines, and on outbound connections from SharePoint servers to hosts they do not normally reach.
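The log correlation above can be automated against IIS W3C logs. The following Python script is an added example for this write-up, not code from FireCompass or Microsoft: the log lines are constructed (203.0.113.x and 198.51.100.x are documentation address ranges), and the helper names parse_w3c, classify and hunt_toolshell are this example’s own. It flags the ToolShell auth-bypass pattern, any request for spinstall0.aspx, and, as a weaker indicator, anonymous POSTs to ToolPane.aspx that do not carry the SignOut Referer, while leaving an authenticated editor’s legitimate ToolPane POST alone.

```python
"""Hunt IIS W3C extended logs for the ToolShell (CVE-2025-53770 chain) request pattern.

Added example; sample log below is constructed, not captured from a real incident.
"""
import re
from typing import Dict, Iterable, Iterator, List

Record = Dict[str, str]

# Constructed sample in the W3C extended format IIS writes for a SharePoint web application.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:22:15 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 198.51.100.7 Mozilla/5.0 https://sp.example.com/sites/hr 200 0 0 120
2025-07-19 10:22:16 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.99 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) /_layouts/SignOut.aspx 200 0 0 845
2025-07-19 10:22:17 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.99 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 31
2025-07-19 10:30:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 198.51.100.9 Mozilla/5.0 https://sp.example.com/sites/hr/_layouts/15/settings.aspx 200 0 0 210
2025-07-19 10:31:00 10.0.0.5 GET /_layouts/SignOut.aspx - 443 CONTOSO\alice 198.51.100.7 Mozilla/5.0 https://sp.example.com/sites/hr 302 0 0 15
"""

# ToolPane.aspx and SignOut.aspx may appear with or without the "15/" hive segment.
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx(?:\?|$)", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterator[Record]:
    """Yield one dict per log entry, keyed by the column names in the #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header defines the column order for what follows
            continue
        if line.startswith("#"):
            continue                    # #Software / #Version / #Date directives
        values = line.split(" ")        # IIS encodes spaces inside values as '+'
        if not fields or len(values) != len(fields):
            continue                    # truncated or foreign line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def classify(rec: Record) -> List[str]:
    """Return the ToolShell indicators a single request matches (empty list if none)."""
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "")
    anonymous = rec.get("cs-username", "-") == "-"
    reasons: List[str] = []
    if method == "POST" and TOOLPANE.search(stem):
        if "displaymode=edit" in query and SIGNOUT.search(referer):
            reasons.append("toolshell_auth_bypass")       # CVE-2025-49706 / CVE-2025-53771 pattern
        elif anonymous:
            reasons.append("anonymous_toolpane_post")     # weaker: edit POST with no authenticated user
    if "spinstall0" in stem.lower():
        reasons.append("spinstall0_webshell_request")     # post-exploitation web shell being called
    return reasons


def hunt_toolshell(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every record and return one finding per matched indicator."""
    findings: List[Dict[str, str]] = []
    for rec in parse_w3c(log_text.splitlines()):
        for reason in classify(rec):
            findings.append({
                "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
                "c-ip": rec.get("c-ip", "-"),
                "uri": rec.get("cs-uri-stem", ""),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_toolshell(SAMPLE_LOG):
        print(finding)
```

Point hunt_toolshell at the concatenated contents of the u_ex*.log files for each SharePoint IIS site; the cs-uri-query and cs(Referer) columns must be enabled in the site’s logging configuration, otherwise the first indicator cannot fire and only the spinstall0.aspx and anonymous-POST checks remain.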

Takeaway for CISOs

Unpatched zero-days in widely deployed, internet-facing software like SharePoint are high-value targets. CISOs must prioritize rapid patching and deep endpoint visibility, and in this case treat the patch as step one: rotate the machine keys and hunt for the web shell, because a server compromised before the update can be re-entered with the stolen keys afterwards.

How FireCompass Can Help: FireCompass Agentic AI Platform simulates zero-day exploits to identify vulnerable SharePoint instances.

Start your free trial today: www.firecompass.com/trial.


Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.