What is CVE-2025-53770?
CVE-2025-53770 is a critical security vulnerability in Microsoft's on-premises SharePoint Server family. The flaw allows an attacker to run arbitrary code on a vulnerable SharePoint server over the network without needing valid credentials.
Because this is a remote code execution (RCE) vulnerability and it is being actively exploited, it is considered extremely dangerous. Microsoft, CISA, and multiple security vendors have issued alerts and guidance around it.
In Plain Terms: How the Attack Works
To explain simply: think of your SharePoint server as a locked building. Normally, to get in, you must show your ID, enter a correct password, etc. CVE-2025-53770 provides a way for attackers to sneak in through a back door that ignores those checks.
Here’s a simplified attack flow:
- Bypassing authentication: The attacker crafts an HTTP request that spoofs the `Referer` header (the part of a web request that tells the server where the request came from). By pretending the request came from a trusted page (e.g. `/_layouts/SignOut.aspx`), SharePoint may accept it and skip the usual login checks.
- Uploading a malicious file (web shell): Through this bypass, the attacker uploads a special `.aspx` file (called `spinstall0.aspx`) to the SharePoint server. This file acts as a "remote shell", allowing the attacker to run commands on the server.
- Stealing cryptographic keys and hijacking ViewState: SharePoint uses cryptographic keys (machine keys) to sign and protect data called "ViewState". The attacker can extract these keys via the malicious file and then use them to forge valid ViewState payloads (i.e., craft data that the server believes is safe). That enables further exploitation and persistent control.
- Complete takeover and post-exploitation: Once the attacker has that access and control, they can run arbitrary code, pivot to other systems, steal files, install web shells, or even deploy ransomware.
This vulnerability evolved from previous bugs (CVE-2025-49704 and CVE-2025-49706). The initial patches for those flaws turned out to be incomplete, which left room for the exploit that became CVE-2025-53770.
Why It’s So Dangerous
- No credentials needed: Attackers don't need to know usernames or passwords, and they can exploit the flaw remotely.
- Active exploitation: It is already being used in attacks against organizations worldwide.
- Deep access: From SharePoint, attackers can reach internal systems, configuration files, and data storage.
- Stolen machine keys = long-term access: Even after patching, if keys were stolen, attackers might still maintain access. That's why key rotation is critical.
- Ransomware and extortion: Some attacks tied to this chain have already included ransomware (e.g. "Warlock") on compromised systems.
What You Must Do Now (Action Plan)
Here’s a prioritized checklist for organizations:
| Step | Why | What to Do |
|---|---|---|
| Patch immediately | The fix stops the main vulnerability | Apply Microsoft's July 2025 updates for SharePoint 2019 and Subscription Edition. For 2016, apply when available. |
| Rotate machine keys | Prevents attackers who stole keys from reusing them | Use PowerShell or SharePoint tools to generate new machine keys and restart IIS on the servers. |
| Enable AMSI (Antimalware Scan Interface) | Helps detect malicious scripts and payloads | Configure SharePoint to use AMSI and ensure antivirus solutions are active. |
| Deploy EDR / advanced detection | Detects post-exploitation activity | Use endpoint detection and response tools to watch for suspicious behavior and module loads. |
| Hunt for indicators of compromise | Confirms whether you've been hit | Look for suspicious files (e.g. spinstall0.aspx), unusual ToolPane.aspx POSTs, odd Referer headers, and logs indicating payload uploads. |
| Isolate vulnerable servers | Stops further damage | If patching is delayed or signs of compromise exist, remove public exposure or limit access until mitigated. |
If your SharePoint infrastructure is exposed to the internet, you should act as if compromise may have already occurred.
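The indicator hunt from the table above, as an added example that is not part of the original article: a small Python script that scans IIS W3C log lines for the indicators the article lists (requests for spinstall0.aspx, and ToolPane.aspx POSTs whose Referer points at SignOut.aspx). The log lines are constructed samples, and the column order is an assumed W3C field layout; adjust the field positions to your servers' logging configuration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample IIS W3C log lines (illustrative only, not captured data).
# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
SAMPLE_LOG = """\
2025-07-19 10:01:12 203.0.113.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 /_layouts/SignOut.aspx
2025-07-19 10:01:13 203.0.113.5 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-19 10:02:40 198.51.100.7 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 200 https://intranet.example/sites/hr
2025-07-19 10:03:01 198.51.100.9 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 https://intranet.example/_layouts/15/settings.aspx
"""

# Indicators taken from the article: the web shell file name, ToolPane.aspx POSTs,
# and a Referer pointing at the SignOut page. A ToolPane POST from a normal settings
# page (last sample line) is routine admin activity and is not flagged.
WEB_SHELL_NAME = "spinstall0.aspx"
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str

def hunt(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches an indicator."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line or line.startswith("#"):   # skip blank lines and W3C directives
            continue
        fields = line.split()
        if len(fields) < 8:                    # malformed line: skip, do not abort the hunt
            continue
        _date, _time, ip, method, uri, _query, _status, referer = fields[:8]
        if WEB_SHELL_NAME.lower() in uri.lower():
            findings.append(Finding(line_no, ip, "request for known web shell name"))
        elif method.upper() == "POST" and TOOLPANE_RE.search(uri) and SIGNOUT_RE.search(referer):
            findings.append(Finding(line_no, ip, "ToolPane.aspx POST with SignOut.aspx Referer"))
    return findings

def suspicious_ips(log_text: str) -> set:
    """Client addresses that triggered at least one indicator."""
    return {f.client_ip for f in hunt(log_text)}

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} -> {f.reason}")
```

A hit on either indicator should be followed by checking the LAYOUTS directory for the file itself and by rotating machine keys, since a request for the web shell name implies the keys may already have been read.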
Final Thoughts
CVE-2025-53770 represents a major escalation in the arms race between attackers and defenders. It demonstrates how even well-patched systems can be undermined if patches are incomplete or keys are left unchanged.
For any organization running on-premises SharePoint, this vulnerability is not just a “patch it later” issue — it’s a call to immediate action, threat hunting, and post-incident remediation. If you need help validating your patch status, auditing for compromise, or remediating exposure, we can assist.