CVE-2025-53770: “ToolShell” RCE Hits On-Prem SharePoint Servers

Summary

A critical remote code execution vulnerability—CVE‑2025‑53770—has emerged, targeting on-premises Microsoft SharePoint. Discovered as part of an attack chain dubbed “ToolShell,” this issue allows unauthenticated network-based code execution via deserialization of untrusted data Reddit+9NVD+9Microsoft Security Response Center+9.

Attack in the Wild

Security researchers (Eye Security, SANS ISC) report that threat actors have exploited this flaw since July 18–19, 2025, deploying stealthy backdoors to extract MachineKey secrets (e.g. spinstall0.aspx) and maintain persistent access CISA+4Security Affairs+4Help Net Security+4.

Severity

• CVSS v3.1 Score: 9.8 (Critical) CISA+6NVD+6Tenable®+6

• Considered a Known Exploited Vulnerability by CISA, included in the July 20, 2025 KEV catalog SANS Internet Storm Center+7NVD+7CISA+7.

Affected Systems

• SharePoint Server 2016, 2019, and Subscription Edition (on-prem)

• SharePoint Online (Microsoft 365) is not affected Microsoft Security Response Center+1Help Net Security+1.

Mitigations & Immediate Steps

Until official patches are fully deployed, organizations should:

1. Enable AMSI integration and deploy Microsoft Defender AV on SharePoint servers Tenable®+6CISA+6NVD+6.

2. If AMSI is not available, disconnect affected servers from the internet Microsoft Security Response Center+4CISA+4SANS Internet Storm Center+4.

3. Update intrusion prevention/firewall rules to block known exploit patterns.

4. Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.

5. Scan for specific attacker IPs active between July 18–19: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147 Help Net Security+7CISA+7SANS Internet Storm Center+7.

6. Implement comprehensive logging, audit admin privileges, and improve event detection capabilities Reddit+3CISA+3Microsoft Security Response Center+3.

Patching Status & Long-Term Fixes

Microsoft released emergency updates on July 21, 2025, for SharePoint 2019 and Subscription Edition, while support for SharePoint 2016 remains pending Tenable®+5Microsoft Security Response Center+5Help Net Security+5.

Recommended Actions:

• Apply July 2025 Security Updates immediately.

• Rotate ASP.NET MachineKeys and perform an IIS restart once patched Microsoft Security Response Center.

• Deploy Defender for Endpoint to detect anomalous behaviors or indicators of compromise CISA+3Microsoft Security Response Center+3Help Net Security+3.

Final Word

If you manage on-prem SharePoint, treat this as an urgent priority. Ensure mitigation measures are live, apply patches now, and hunt for post-exploit indicators. With threat actors actively leveraging “ToolShell,” you cannot wait. For detailed remediation steps, follow:

• Microsoft’s Customer Guidance SANS Internet Storm Center+4CISA+4Help Net Security+4Security Affairs+8Microsoft Security Response Center+8CISA+8

• CISA’s official alert and KEV notice Help Net Security+5CISA+5CISA+5