CVE-2025-53770: “ToolShell” RCE Hits On-Prem SharePoint Servers

Summary

A critical remote code execution vulnerability, CVE-2025-53770, has emerged targeting on-premises Microsoft SharePoint. Discovered as part of an attack chain dubbed "ToolShell," the flaw allows unauthenticated, network-based code execution through deserialization of untrusted data.

Attack in the Wild

Security researchers (Eye Security, SANS ISC) report that threat actors have exploited this flaw since July 18–19, 2025, deploying stealthy backdoors (e.g. the spinstall0.aspx web shell) to extract MachineKey secrets and maintain persistent access.

Severity

Affected Systems

Mitigations & Immediate Steps

Until official patches are fully deployed, organizations should:

  1. Enable AMSI integration and deploy Microsoft Defender AV on SharePoint servers.

  2. If AMSI is not available, disconnect affected servers from the internet.

  3. Update intrusion prevention/firewall rules to block known exploit patterns.

  4. Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.

  5. Scan for the specific attacker IPs active between July 18–19: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147.

  6. Implement comprehensive logging, audit admin privileges, and improve event detection capabilities.
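As an added detection example (not from the original post), the following Python script scans IIS W3C log lines from a SharePoint server for the indicators in steps 4 and 5 above plus requests for the spinstall0.aspx web shell; the log lines are constructed, and the default IIS field order is assumed.

```python
# Added example (not from the original post): flag ToolShell indicators in IIS W3C
# logs from an on-prem SharePoint server. Assumes the default IIS field order.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators from the advisory; IPs are defanged there and normalised for matching.
KNOWN_IPS = {ip.replace("[.]", ".") for ip in
             ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}
TOOLPANE, WEBSHELL = "/_layouts/15/toolpane.aspx", "spinstall0.aspx"
@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str

def parse_w3c(line: str) -> Optional[dict]:
    """Fields assumed: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
    cs-username c-ip ... (IIS default). Returns None for directives/bad records."""
    f = line.split()
    if line.startswith("#") or len(f) < 9:
        return None
    return {"method": f[3], "stem": f[4].lower(), "query": f[5].lower(), "ip": f[8]}
def scan(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per matched indicator, in log order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_w3c(line)
        if rec is None:
            continue
        # Exploit traffic POSTs to ToolPane.aspx with DisplayMode=Edit; a GET to the
        # same page is normal editor behaviour and is deliberately not flagged.
        if (rec["method"] == "POST" and rec["stem"].endswith(TOOLPANE)
                and "displaymode=edit" in rec["query"]):
            hits.append(Hit(n, rec["ip"], "POST to ToolPane.aspx?DisplayMode=Edit"))
        if rec["stem"].endswith(WEBSHELL):
            hits.append(Hit(n, rec["ip"], "request for spinstall0.aspx web shell"))
        if rec["ip"] in KNOWN_IPS:
            hits.append(Hit(n, rec["ip"], "known ToolShell source IP"))
    return hits

# Constructed sample log (not real traffic) so the scan runs offline.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:11:05 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0 200
2025-07-19 02:12:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 02:12:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 02:15:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.31 Mozilla/5.0 200"""
if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"line {h.line_no} {h.client_ip}: {h.reason}")
```

Point `scan()` at the real `u_ex*.log` files under the IIS log directory to run it against production logs; the GET on the last sample line shows why the method check matters.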

Patching Status & Long-Term Fixes

Microsoft released emergency updates on July 21, 2025, for SharePoint 2019 and SharePoint Subscription Edition, while a fix for SharePoint 2016 remains pending.

Recommended Actions:

Final Word

If you manage on-prem SharePoint, treat this as an urgent priority. Ensure mitigation measures are live, apply patches now, and hunt for post-exploit indicators. With threat actors actively leveraging “ToolShell,” you cannot wait. For detailed remediation steps, follow:

Matt Johnson, CEO