Summary
CVE-2025-53770 is a serious flaw in on-premises Microsoft SharePoint that lets attackers skip login and gain full remote access. They use crafted requests to a specific endpoint to install backdoors and steal machine keys, which can be used to impersonate users even after patching. Attacks started in July 2025 and are spreading fast. Affected systems must be isolated, machine keys rotated, IIS restarted, and Microsoft’s guidance followed right away to avoid deeper compromise.
Urgent Actions Required
- Patch SharePoint Servers as soon as Microsoft releases updates for your specific version.
- Rotate ASP.NET Machine Keys immediately on all SharePoint servers, regardless of confirmed compromise.
- Restart IIS (iisreset.exe) after rotating keys to invalidate any stolen authentication tokens.
- Isolate or shut down affected SharePoint servers—firewall rules alone are not sufficient.
- Scan for malicious ASPX files, especially spinstall0.aspx, in SharePoint layout directories (/15/ or /16/).
- Check logs for signs of attack, like suspicious IPs, User-Agent strings, or ToolPane.aspx access.
- Bring in an incident response team to look for hidden backdoors, stolen keys, or signs of deeper system compromise.
Which Systems Are Vulnerable to CVE-2025-53770?
Technical Overview
- Vulnerability Type: Remote Code Execution (RCE) via Deserialization and Cryptographic Key Leakage in SharePoint __VIEWSTATE Handling
- Affected Software/Versions:
Microsoft SharePoint Server on-premises - Attack Vector: Network (HTTP/HTTPS)
- CVSS Score: 9.8
- Exploitability Score:
- Attack Vector: Network
- Attack Complexity: Low (no authentication required)
- Privileges Required: None
- User Interaction: None
- Patch Availability: Patches available for limited SharePoint Server versions; full mitigation requires key rotation and incident response
How Does the CVE-2025-53770 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-53770?
Vulnerability Root Cause:
This vulnerability comes from how SharePoint handles signed data during page processing. If attackers get access to secret keys (like the ValidationKey), they can create fake but valid payloads that SharePoint accepts and runs. This lets them run any code on the server without logging in or triggering security checks.
How Can You Mitigate CVE-2025-53770?
If immediate patching is delayed or not possible:
- Isolate or shut down affected SharePoint servers to prevent further exploitation.
- Rotate ASP.NET machine keys to invalidate stolen cryptographic material.
- Restart IIS on all SharePoint servers after key rotation to apply changes.
- Engage incident response teams or trusted cybersecurity experts to investigate and remediate persistence or backdoors.
- Monitor logs for indicators of compromise such as requests to known malicious ASPX endpoints (e.g., /layouts/15/spinstall0.aspx).
- Block known malicious IP addresses associated with exploit waves.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- On-premises SharePoint Servers – Especially versions currently unpatched or partially patched
- Windows Servers hosting SharePoint – Where malicious ASPX files may be deployed
- SharePoint Web Applications – Including pages handling deserialization and control rendering
Business-Critical Systems at Risk:
- SharePoint Content Repositories – Exposing sensitive documents and data
- Windows Domain Environments – Vulnerable to lateral movement after compromise
- Connected Microsoft Services – Such as Outlook, Teams, and OneDrive integrations
- SharePoint Server Configuration and Cryptographic Keys – Theft leads to persistent access
Exposure Level:
- Internet-facing SharePoint servers – Accessible by external attackers and targeted in mass exploitation campaigns
- Internal SharePoint servers – Risk of insider threat or lateral attack within corporate networks
- Clustered or load-balanced SharePoint environments – Risk of systemic compromise if keys are shared
Will Patching CVE-2025-53770 Cause Downtime?
Patch application impact: Patches are available for a limited set of SharePoint Server versions. Applying them may require testing and scheduling downtime. However, patching alone is insufficient—compromised cryptographic material can still allow post-patch exploitation.
Mitigation (if immediate patching is not possible): Partial mitigation requires rotating ASP.NET machine keys on all SharePoint servers and restarting IIS. This prevents attackers from using previously stolen keys. Network isolation of affected servers is also recommended. Firewall blocking alone is not sufficient, as persistence may already exist.
How Can You Detect CVE-2025-53770 Exploitation?
Exploitation Signatures:
Monitor for HTTP requests aimed at SharePoint administration paths such as /_layouts/15/ToolPane.aspx or /_layouts/16/ToolPane.aspx with query parameters like DisplayMode=Edit and a=/ToolPane.aspx. These requests often include a Referer header pointing to /_layouts/SignOut.aspx. Additionally, look for access attempts to /_layouts/15/spinstall0.aspx, which is linked to the malicious payload used for cryptographic key theft.
MITRE ATT&CK Mapping:
Indicators of Compromise (IOCs/IOAs):
- Requests targeting:
- /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
- /_layouts/16/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
- HTTP Referer headers exactly matching / _layouts/SignOut.aspx or its full URL variants
- GET requests to /_layouts/15/spinstall0.aspx indicating presence of the malicious ASPX component
- The malicious ASPX payload’s SHA256 hash:
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 - User agent strings in logs consistent with:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 (including encoded forms) - Source IPs involved in multiple attack waves, including but not limited to: 107.191.58.76, 104.238.159.149, 96.9.125.147, and others as new waves emerge
Behavioral Indicators:
- Unexpected execution or presence of unauthorized ASPX files in SharePoint’s layouts directory (e.g., spinstall0.aspx)
- Execution of PowerShell commands via malicious __VIEWSTATE payloads that perform directory enumeration or exfiltration
- Increased frequency of requests with suspicious user-agent strings targeting SharePoint admin endpoints
- Outbound network calls from SharePoint servers to attacker-controlled infrastructure, potentially leaking sensitive data
- Unauthorized generation of authentication tokens or bypassing login controls to access protected SharePoint pages
Alerting Strategy:
- Severity: Critical
- Raise alerts on:
- Requests made to SharePoint ToolPane endpoints with suspicious query parameters and Referer headers
- Access attempts to the known malicious ASPX implant spinstall0.aspx
- Requests exhibiting the identified unusual user-agent string
- Network activity from IP addresses linked to confirmed exploitation campaigns
- File integrity checks detecting the known malicious ASPX payload hash
- Detection of PowerShell commands indicative of reconnaissance or data exfiltration originating from SharePoint processes
Remediation & Response
Patch/Upgrade Instructions:
Mitigation Steps if No Patch:
- Immediately isolate or shut down affected SharePoint servers to contain potential compromise. Firewall blocking alone is insufficient due to persistence risks.
- Rotate all ASP.NET machine keys for SharePoint web applications using PowerShell commands (Set-SPMachineKey and Update-SPMachineKey) to invalidate stolen cryptographic tokens.
- Restart IIS services on all SharePoint servers after key rotation (iisreset.exe).
- Renew all credentials, system secrets, and service accounts that may have been exposed via the malicious ASPX implant.
- Monitor and log access to suspicious SharePoint endpoints such as / _layouts/15/ToolPane.aspx and / _layouts/15/spinstall0.aspx.
- Use network and host-level detection to flag requests with known malicious user agents and IP addresses linked to exploitation campaigns.
Remediation Timeline:
- Immediate (0–2 hrs): Isolate affected servers and begin machine key rotation.
- Within 8 hrs: Apply all available SharePoint patches and restart IIS.
- Within 24 hrs: Confirm no vulnerable SharePoint instances remain in production or staging environments.
Rollback Plan:
- If patching causes operational issues, revert to the last stable SharePoint configuration.
- Maintain rotated machine keys and updated credentials even if rollback occurs, to prevent re-use of stolen tokens.
- Document rollback steps including timestamps, responsible personnel, and version details in your change management system.
Incident Response Considerations:
- Quickly disconnect affected SharePoint servers to stop the attack from spreading.
- Gather logs, traffic data, and file snapshots, focusing on signs of the spinstall0.aspx file or other suspicious tools.
- Check for hidden backdoors, unauthorized tasks, or anything set up to keep access.
- After fixing the issue, improve monitoring for strange activity around admin pages or token use.
- Bring in expert help if needed to make sure everything is fully cleaned up and secure.
Compliance & Governance Notes
Standards Impacted:
- ISO 27001: Controls related to vulnerability management and timely patching (e.g., A.12.6.1).
- NIST SP 800-53: System integrity and flaw remediation requirements (e.g., SI-2).
- PCI-DSS v4.0: Mandates patching critical vulnerabilities within a 30-day window to maintain compliance.
Audit Trail Requirement:
- Capture and archive all SharePoint access logs that show interactions with key vulnerable endpoints, including precise timestamps, client IP addresses, and requested URIs (e.g., / _layouts/15/ToolPane.aspx, / _layouts/15/spinstall0.aspx).
- Keep detailed records of patch application activities, documenting dates, responsible personnel, targeted SharePoint servers, and software versions installed.
- Maintain a controlled change log within your configuration management or IT service management system to track all activities related to machine key rotations and SharePoint patch deployments.
- Provide regular status updates to compliance and security leadership teams until full remediation is confirmed.
Policy Alignment:
- Update vulnerability policies to require quick action on any SharePoint issues, with a focus on fast patching and rotating machine keys.
- Adjust incident response plans to cover attacks using deserialization flaws and malicious ASPX files like spinstall0.aspx.
- Make rotating machine keys a required step after fixing any compromise to block reuse of stolen secrets.
- Strengthen monitoring of SharePoint admin pages and watch for unusual request patterns that may signal an active threat.
Where Can I Find More Information on CVE-2025-53770?
- ^NVD – CVE-2025-53770
- ^Microsoft Security Response Center – CVE-2025-53770 Vulnerability Details
- ^Microsoft Security Blog – Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities
- ^Microsoft Security Response Center Blog – Customer Guidance for SharePoint Vulnerability CVE-2025-53770
- ^T1190 – Exploit Public-Facing Application
- ^T1548.003 – Abuse Elevation Control Mechanism: Bypass User Account Control
- ^T1078 – Valid Accounts
- ^T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
- ^T1059.001 – Command and Scripting Interpreter: PowerShell
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical vulnerability with severe impact and confirmed active exploitation |
| Attack Vector | Network | Can be exploited remotely over the network via HTTP requests to SharePoint servers |
| Attack Complexity | Low | No special conditions required; attackers can exploit easily without complex prerequisites |
| Privileges Required | None | No prior authentication or elevated permissions needed to execute the attack |
| User Interaction | None | Exploitation occurs without any action from users |
| Scope | Changed | Compromise affects not only SharePoint but can lead to domain-wide access and lateral movement |
| Confidentiality Impact | High | Allows attackers to access all SharePoint content, system files, and steal cryptographic keys |
| Integrity Impact | High | Enables unauthorized code execution and modification of system components |
| Availability Impact | High | Direct denial-of-service impact is minimal or not reported |
