CVE‑2025‑53770 - ToolShell
| Vulnerability | CVE‑2025‑53770 (“ToolShell”) |
|---|---|
| Type | Deserialization of untrusted data in on-premises Microsoft SharePoint (CWE‑502) – Remote Code Execution (RCE) |
| Description | A critical zero-day flaw enabling unauthenticated RCE via unsafe deserialization in on-prem SharePoint. The vulnerability allows attackers to weaponize machine key extraction (ValidationKey, DecryptionKey) for persistent access. SharePoint Online / M365 is not affected. |
| Attack Vector / Authentication | Remote network access; no authentication required. Targets internet-facing on-prem SharePoint servers. |
| CVSS v3.1 | 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected Versions | On-premises Microsoft SharePoint Server: Subscription Edition, 2019, 2016, 2013, 2010 (some are out-of-support). SharePoint Online is unaffected. |
| Fixed Versions / Patches | July 2025 Security Updates released for:<br>- Subscription Edition (KB5002768)<br>- SharePoint 2019 (KB5002754)<br>- SharePoint 2016 (KB5002760) |
| Exploit / PoC | Publicly exploited in the wild. Attack chain known as “ToolShell,” involving CVE‑2025‑49706 plus this deserialization flaw. WebPart injection tools exist. |
| Observed Threat Activity | Unit 42 detected exploitation from July 17–22, delivering ransomware payloads (e.g., 4L4MD4R), using phishing chains and key theft. CISA added it to KEV catalog. |
| Detection Ideas | - Monitor for POSTs to /_layouts/15/ToolPane.aspx with a spoofed Referer (SignOut.aspx) and WebPart payloads (e.g., CompressedDataTable, ExcelDataSet).<br>- Check for indicators such as spinstall0.aspx implants and unusual ASP.NET child processes.<br>- Use WAF logs and Suricata rules for suspicious GET/POST patterns. |
| Mitigation Strategies | - Apply the July 2025 patches immediately.<br>- Enable and configure AMSI + Defender Antivirus on all on-prem SharePoint servers.<br>- Rotate ASP.NET MachineKey values post-patch.<br>- Isolate or disconnect vulnerable servers until patched.<br>- Use Defender for Endpoint for post-exploit detection; deploy proactive WAF rules. |
| References | - NVD / CVE Record<br>- Microsoft Customer Guidance Blog<br>- Unit 42 Threat Intelligence<br>- CISA KEV Notice<br>- Cloudflare WAF protection<br>- Arctic Wolf analysis<br>- GitHub PoC Exploit |
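The detection ideas above can be turned into a small log triage script. The following is an added example, not code from the page or from any of the vendors it cites: it parses IIS W3C-format access logs (reading the column layout from the `#Fields:` header rather than assuming positions) and raises alerts for the two request-level indicators the table names, a POST to `ToolPane.aspx` whose Referer points at `SignOut.aspx`, and any request for the `spinstall0.aspx` implant path. A third, lower-severity rule flags POSTs to `ToolPane.aspx` with no authenticated user, which is an assumption added here on the basis that the flaw is pre-auth; the server name `sp.example.test`, the client addresses and the log lines themselves are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample IIS W3C log excerpt (not real telemetry). The column order
# is taken from the #Fields header by the parser below.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.1.30 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/15/ToolPane.aspx 200
"""

# Path patterns from the table's "Detection Ideas" row. The layouts folder
# number is made optional so 2013/2016/2019-style paths all match.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"signout\.aspx", re.IGNORECASE)
IMPLANT_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)


@dataclass
class Alert:
    severity: str
    rule: str
    client_ip: str
    line_no: int


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # other directive lines and blanks
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["_line"] = line_no
        yield rec


def evaluate(rec: dict) -> list[Alert]:
    """Apply the ToolShell request-level indicators to one parsed log record."""
    alerts: list[Alert] = []
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "")
    referer = rec.get("cs(Referer)", "-")
    user = rec.get("cs-username", "-")  # "-" means no authenticated user
    ip = rec.get("c-ip", "-")
    line = rec["_line"]

    if method.upper() == "POST" and TOOLPANE_RE.search(stem):
        if SIGNOUT_RE.search(referer):
            # The page's primary indicator: ToolPane POST with a SignOut.aspx Referer.
            alerts.append(Alert("high", "toolpane-post-signout-referer", ip, line))
        elif user == "-":
            # Assumption added here: anonymous POSTs to ToolPane are anomalous on a
            # server where that page normally requires an authenticated editor.
            alerts.append(Alert("medium", "toolpane-post-unauthenticated", ip, line))

    if IMPLANT_RE.search(stem):
        # Any request for the implant file name from the table is worth an alert.
        alerts.append(Alert("high", "spinstall0-implant-request", ip, line))
    return alerts


def scan(text: str) -> list[Alert]:
    """Parse a whole log and return every alert in line order."""
    return [a for rec in parse_w3c(text) for a in evaluate(rec)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:6} line {a.line_no}: {a.rule} from {a.client_ip}")
```

Run against the sample, the script flags line 4 (ToolPane POST with a SignOut.aspx Referer) and line 5 (request for spinstall0.aspx), both from the same client, while Bob's legitimate ToolPane POST on line 6 produces nothing. For production use, feed real IIS logs through `scan`, and correlate the flagged client address with the ASP.NET child-process indicator the table also lists.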