Microsoft pushed out-of-band fixes for on-premises SharePoint Servers after attackers chained CVE-2025-53770 and CVE-2025-53771. The chain bypasses the patches for the SharePoint vulnerability chain dubbed “ToolShell”, which Microsoft thought it had closed in the July 9, 2025 Patch Tuesday rollout.

According to Orca, 13% of cloud environments run vulnerable self-hosted SharePoint components, and 6% expose them directly to the internet, making them immediate targets for exploitation.

What is SharePoint?

SharePoint Server is Microsoft’s collaboration and content management platform. It is commonly hosted on Windows Server VMs in corporate data centers or on IaaS. SharePoint lets teams store documents, build internal sites and workflows, and integrate tightly with Active Directory and Microsoft 365 tools.

What are CVE-2025-53770 and CVE-2025-53771?

The two new vulnerabilities involved in this exploit are classified as critical to SharePoint Server security. Here’s a breakdown of each and how they fit into the broader ToolShell exploit chain.

CVE-2025-53770 (CVSS 9.8) is a critical remote code execution vulnerability that stems from insecure deserialization of user-controlled data.

CVE-2025-53771 (CVSS 6.3) is a spoofing vulnerability in SharePoint’s request handling. By forging the Referer header, an attacker can make a request bypass authentication.

Both issues are bypass variants of previously patched vulnerabilities, CVE-2025-49704 (original RCE) and CVE-2025-49706 (original spoofing). Microsoft addressed those vulnerabilities in the recent Patch Tuesday rollout; however, adversaries soon discovered alternative ways to reach the same underlying logic.

Who is affected?

Only on-premises SharePoint Server deployments are at risk, whether you run them on your own hardware or in self-managed cloud VMs. SharePoint Online in Microsoft 365 is not impacted.

Impacted builds:

  • SharePoint Server Subscription Edition, if KB5002768 is not installed
  • SharePoint Server 2019, if KB5002754 is missing (older than build 16.0.10417.20027)
  • SharePoint Server 2016, until you apply the July 2025 security updates (for example KB5002760)

Microsoft also flags the out-of-support SharePoint 2010 and 2013 releases as exposed in Defender Vulnerability Management.

How ToolShell works

The newly discovered ToolShell bypass follows a multi-step attack path that allows unauthenticated, persistent remote code execution. Here’s how the chain unfolds in real-world attacks.

  1. Initial Access (CVE-2025-53771): The attacker posts to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and forges the Referer header to /_layouts/SignOut.aspx. SharePoint treats the request as authenticated.
  2. Dropping a WebShell (CVE-2025-53770): With that access, the attacker submits a malicious body to the same endpoint. SharePoint deserializes untrusted data and runs the embedded code, which plants a quiet ASPX web shell.

The web shell alone grants persistent remote access to the server, but the chain goes further: it enables fileless, unauthenticated execution that scales easily, blends into normal traffic, and survives removal of the shell.

  3. Stealing keys: The web shell dumps sensitive machineKey values (ValidationKey and DecryptionKey), which can be used to forge valid and signed .NET ViewState payloads.
  4. Remote Code Execution: Using tools like ysoserial, the attacker forges signed __VIEWSTATE payloads. SharePoint trusts the signature, deserializes the payload, and executes it, giving the attacker stateless and unauthenticated code execution.

Discovery and exploitation timeline

The vulnerabilities evolved rapidly in the wild, moving quickly from discovery to exploitation. The timeline below captures the key developments.

  • May 2025: At Pwn2Own Berlin, Viettel Cyber Security chained CVE-2025-49704 with CVE-2025-49706 and named the chain ToolShell.
  • 8 July 2025: Microsoft shipped fixes for CVE-2025-49704 and CVE-2025-49706.
  • 18 July 2025: Eye Security observed real-world compromises using fresh bypasses of the two patched bugs.
  • 20 July 2025: Microsoft confirmed attacks, assigned CVE-2025-53770 and CVE-2025-53771 to the bypass variants.

How should you respond?

Organizations running on-prem SharePoint must act fast to prevent compromise. Follow these response actions to secure your environment.

  • Install Microsoft’s July 2025 fixes for CVE-2025-53770 and CVE-2025-53771.
  • Generate fresh ASP.NET MachineKey values (ValidationKey and DecryptionKey) for every SharePoint server, then recycle IIS so the change applies.
  • Turn on AMSI and verify Defender AV or your EDR is current.
  • If AMSI cannot be enabled, remove vulnerable servers from public exposure until you can patch.
  • Where application behavior allows, disable __VIEWSTATE or restrict it.
  • Sweep SharePoint directories for unexpected .aspx files or scripts.
  • Review HTTP logs for odd requests, especially those hitting /ToolPane.aspx.
  • Monitor for Indicators of Compromise (IOCs).

Known Indicators of Compromise (IoCs)

These are the known indicators associated with active exploitation of the ToolShell chain. Use them to detect and respond to potential breaches.

  • Dropped file: spinstall0.aspx
    • SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
    • Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
  • Spoofed Referer value: /_layouts/SignOut.aspx
  • Suspicious POST: /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • Follow-up GET: /_layouts/15/spinstall0.aspx
  • External IPs contacted: 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147, 103.186.30[.]186
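The log-review and IoC-monitoring steps above can be turned into a small IIS log triage script. The following is an added example, not Orca's tooling: it parses W3C-format IIS logs (the field set is taken from the constructed sample embedded in the code, not from a real capture) and flags the ToolShell request pattern, the web shell path and the listed client IPs; severities and message texts are my own labels.

```python
# ToolShell indicators from the IoC list above (matched case-insensitively).
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SPOOFED_REFERER = "/_layouts/signout.aspx"
WEBSHELL_STEM = "/_layouts/15/spinstall0.aspx"
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147", "103.186.30.186"}

# Constructed IIS W3C log excerpt (not a real capture); the #Fields header drives parsing.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-18 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 python-requests/2.31 - 200
2025-07-18 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.77 Mozilla/5.0 https://sp.example.test/_layouts/15/start.aspx 200
"""

def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the "#Fields:" token
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def classify(rec: dict) -> list[str]:
    """Return the ToolShell indicators one request matches, tagged with a rough severity."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    reasons = []
    if rec.get("cs-method") == "POST" and stem.endswith(TOOLPANE_STEM) and "displaymode=edit" in query:
        if referer.endswith(SPOOFED_REFERER):   # step 1 of the chain: forged Referer on ToolPane.aspx
            reasons.append("HIGH: ToolPane.aspx edit POST with spoofed SignOut.aspx Referer")
        else:                                   # legitimate page edits also POST here, so only flag for review
            reasons.append("LOW: ToolPane.aspx edit POST, verify the editing session is legitimate")
    if stem.endswith(WEBSHELL_STEM):            # step 2 follow-up: the dropped web shell being called
        reasons.append("HIGH: request for spinstall0.aspx web shell path")
    if rec.get("c-ip") in KNOWN_IPS:
        reasons.append("MEDIUM: client IP listed as a ToolShell IoC")
    return reasons

def find_toolshell_hits(text: str) -> list[dict]:
    """Scan a log and return one entry per request that matched at least one indicator."""
    hits = []
    for rec in parse_iis_log(text):
        if reasons := classify(rec):
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}", "c-ip": rec.get("c-ip"), "reasons": reasons})
    return hits
```

Point find_toolshell_hits at the real IIS log files for each SharePoint front end; a HIGH hit is a reason to rotate the machine keys and start forensic review, as the response list above describes.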

How can Orca help?

The Orca Platform continuously scans for vulnerabilities in your cloud environments, including AWS, Azure, Google, Kubernetes, and others. When Orca finds a vulnerability, it will immediately create an alert and assign a risk score by considering the full contextual picture of the risk and the surrounding cloud environment so teams know which vulnerabilities need to be patched first.

The Orca Platform easily maps all assets running SharePoint Server instances that lack the July 2025 fixes or their required KBs, pinpointing hosts still exposed to CVE-2025-53770 and CVE-2025-53771 so teams can patch those first. Additionally, Orca provides its From the News widget to present breaking and trending CVEs and give you instant analysis of their presence and impact on your environment.