Impact & Risk:
- Severity: Rated Critical (CVSS 9.8).
- Affected Systems: Microsoft SharePoint (on-prem).
- Business Risk: Exploitation could lead to unauthorized system control, data exfiltration, and lateral movement within customer environments.
Cynet’s Response:
- Detections Deployed: The Research team, in collaboration with CyOps, has implemented enhanced detection across all protection layers to identify and alert on exploitation attempts in real time.
- Active Monitoring: Continuous monitoring of customer environments is underway to detect any indicators.
Vulnerability Timeline
- July 19, 2025 – CVE publicly disclosed and initial guidance issued
- July 20, 2025 – Security updates released for:
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
How CVE-2025-53770 Works & Threat Actor Activity
CVE-2025-53770 is a critical, unauthenticated, low-complexity, high-impact remote code execution vulnerability in on-premises Microsoft SharePoint Server that is already being leveraged in real-world attacks.
Vulnerability Summary:
- Component: Microsoft SharePoint (on-prem)
- Endpoint (URL on the SharePoint server): /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Attack Vector: unauthenticated POST with a forged “Referer” header that bypasses authentication
- Impact: Full remote code execution and complete server takeover, all without credentials or user interaction.
CVE-2025-53770 allows an unauthenticated threat actor to abuse SharePoint’s legacy ToolPane endpoint by sending a crafted POST, carrying a forged “Referer” header, to /_layouts/15/ToolPane.aspx?DisplayMode=Edit. SharePoint trusts that request, skips its normal authentication checks, and lets the threat actor:
- Upload an ASPX web shell (seen in the wild as spinstall0.aspx) into the server’s LAYOUTS folder (\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\ or \Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\).
- Use that web shell to read the server’s ASP.NET machine keys (ValidationKey and DecryptionKey) from its machineKey configuration (web.config).
- Use the stolen ValidationKey to sign a forged “__VIEWSTATE” payload that embeds a malicious serialized object carrying threat actor-supplied code.
When SharePoint processes this forged “__VIEWSTATE”, the MAC check passes, the payload is deserialized, and the threat actor’s commands run in the context of the IIS worker process, granting full control of the server (remote code execution with no valid credentials required).
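Why stealing the ValidationKey matters, and why patching the endpoint alone does not undo it, is easiest to see in a small model. The block below is an added example, not code from the advisory or from Microsoft. It stands in for ASP.NET’s ViewState MAC with a plain HMAC-SHA256 over an opaque blob; real ASP.NET derives per-purpose keys from the MachineKey and serializes state with LosFormatter/ObjectStateFormatter, and the “processing” that follows a successful MAC check is the deserialization step in which the attacker’s object executes. Anyone holding the key can produce a blob the server accepts, and rotating the key invalidates both forged and legitimate blobs.

```python
"""Why a leaked ValidationKey turns __VIEWSTATE into a code-execution channel.

Added example (not code from the advisory or from Microsoft).  Simplified model:
the server appends an HMAC-SHA256 tag computed with its ValidationKey to an
opaque state blob and only processes blobs whose tag verifies.  Real ASP.NET
derives per-purpose keys from the MachineKey and serializes state with
LosFormatter/ObjectStateFormatter; the key-management lesson is unchanged.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length


class ViewStateServer:
    def __init__(self, validation_key: bytes):
        self.validation_key = validation_key

    def protect(self, state: bytes) -> bytes:
        """Emit state || HMAC(ValidationKey, state), as the server does for a page it renders."""
        tag = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return state + tag

    def accept(self, blob: bytes) -> bool:
        """Return True only if the MAC verifies with the *current* key.

        In ASP.NET a blob that passes this check is handed to the deserializer,
        which is the point where an attacker-supplied object runs code.
        """
        if len(blob) <= TAG_LEN:
            return False
        state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

    def rotate_key(self) -> None:
        """Model of the post-patch machine key rotation Microsoft recommends."""
        self.validation_key = secrets.token_bytes(64)


def forge(stolen_key: bytes, payload: bytes) -> bytes:
    """Attacker side: MAC an arbitrary payload with the key read through the web shell."""
    return payload + hmac.new(stolen_key, payload, hashlib.sha256).digest()


def scenario():
    """Return (before_rotation, after_rotation) acceptance results for the test blobs."""
    server = ViewStateServer(secrets.token_bytes(64))
    legit = server.protect(b"page-state")
    stolen_key = server.validation_key  # in the real attack, read via spinstall0.aspx
    forged = forge(stolen_key, b"attacker-controlled serialized object")
    tampered = legit[:-1] + bytes([legit[-1] ^ 0x01])  # valid-looking blob, bad tag
    before = {
        "legit": server.accept(legit),
        "forged": server.accept(forged),
        "tampered": server.accept(tampered),
    }
    server.rotate_key()  # patching the endpoint alone would leave the forged blob valid
    after = {"legit": server.accept(legit), "forged": server.accept(forged)}
    return before, after


if __name__ == "__main__":
    print(scenario())
```

The forged blob is indistinguishable from a legitimate one to the server until the key changes, which is why key rotation (not just the security update) closes the door once the keys have been read.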
The malicious execution flow seen in the wild typically looks like this:
- w3wp.exe > cmd.exe > PowerShell.exe
The IIS worker process (w3wp.exe) spawns a Windows command shell, which in turn launches PowerShell with a Base64-encoded script with -EncodedCommand parameter.
The encoded PowerShell writes the web shell to disk. With the web shell returning the ValidationKey/DecryptionKey and a forged “__VIEWSTATE” accepted by the server, the threat actors can run arbitrary commands as the IIS worker process, read or modify any data, move laterally, and maintain persistent access; because the forged payload remains valid until the machine keys are rotated, that access survives removal of the web shell.
Based on real-world exploitation of CVE-2025-53770, the following Indicators of Compromise (IOCs) have been observed:
- Suspicious POST to ToolPane.aspx:
- /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Web shell file creation location:
- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\
- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
- Known Web Shell Payload Name: spinstall0.aspx
- Process-chain spawning:
- Event logs showing the IIS worker process (w3wp.exe) spawning cmd.exe, which then launches PowerShell.exe -EncodedCommand …
- Malicious IPs:
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
- 45.77.155[.]170
- Malicious Web Shell File (SHA256):
- 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
- 27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014
- 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2
- b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93
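The IOCs above can be hunted with a short script over telemetry a SOC already collects. The following is an added example, not Cynet’s tooling or detection logic: it parses IIS W3C logs for the ToolPane POST, requests for the web shell name and the listed IPs; checks process telemetry for the w3wp.exe > cmd.exe > powershell.exe chain and decodes the -EncodedCommand argument; and hashes files in the LAYOUTS folders against the listed SHA256 values. All sample data is constructed. The process-event field names (grandparent_image, parent_image, image, command_line) assume a hypothetical EDR export shape, and the Referer in the sample log is a placeholder; the hunt flags the POST regardless of the Referer value and records it for triage.

```python
"""Hunt for the CVE-2025-53770 indicators listed above in IIS W3C logs, process
events and the SharePoint LAYOUTS folders.  Added example, not Cynet tooling;
every sample below is constructed for the demonstration."""
import base64
import hashlib
import ntpath
import os
import re
import tempfile

TOOLPANE = "/_layouts/15/toolpane.aspx"
WEBSHELL_NAME = "spinstall0.aspx"
MALICIOUS_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147", "45.77.155.170"}
WEBSHELL_SHA256 = {
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
    "27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014",
    "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2",
    "b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93",
}
# -e / -ec / -enc / -encoded / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def parse_w3c(lines):
    """Yield one dict per IIS W3C record, taking column names from the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_iis(lines):
    """Return (reason, record) pairs for the web-request indicators."""
    hits = []
    for rec in parse_w3c(lines):
        uri, query = rec.get("cs-uri-stem", "").lower(), rec.get("cs-uri-query", "").lower()
        if rec.get("cs-method") == "POST" and uri.endswith(TOOLPANE) and "displaymode=edit" in query:
            # Keep the Referer for triage: the bypass depends on forging it.
            hits.append(("POST ToolPane.aspx DisplayMode=Edit, Referer=" + rec.get("cs(Referer)", "-"), rec))
        if ntpath.basename(uri) == WEBSHELL_NAME:
            hits.append(("request for known web shell name", rec))
        if rec.get("c-ip") in MALICIOUS_IPS:
            hits.append(("source IP in IOC list", rec))
    return hits


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(command_line)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_process_chain(events):
    """events: dicts with grandparent_image, parent_image, image, command_line (hypothetical EDR export)."""
    hits = []
    for ev in events:
        chain = [ntpath.basename(ev.get(k, "")).lower() for k in ("grandparent_image", "parent_image", "image")]
        if chain == ["w3wp.exe", "cmd.exe", "powershell.exe"]:
            hits.append((" > ".join(chain), decode_encoded_command(ev.get("command_line", ""))))
    return hits


def sweep_layouts(dirs):
    """Flag files in the given LAYOUTS folders whose name or SHA256 matches the IOC list."""
    hits = []
    for d in dirs:
        for name in os.listdir(d) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                if name.lower() == WEBSHELL_NAME or digest in WEBSHELL_SHA256:
                    hits.append((path, digest))
    return hits


# Constructed samples: one exploitation sequence from an IOC IP, one benign request.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.local/_layouts/15/start.aspx 200 0 0 812
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 31
2025-07-19 03:13:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.0.42 Mozilla/5.0 - 200 0 0 120""".splitlines()
SAMPLE_SCRIPT = "Set-Content -Path 'spinstall0.aspx' -Value 'constructed sample'"
SAMPLE_EVENTS = [{
    "grandparent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
    "parent_image": r"C:\Windows\System32\cmd.exe",
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": "powershell.exe -EncodedCommand " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode(),
}]


def demo_sweep():
    """Run sweep_layouts on a temporary folder holding a constructed file named like the web shell."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, WEBSHELL_NAME), "w") as fh:
            fh.write("<!-- constructed placeholder, not the real web shell -->")
        return [os.path.basename(p) for p, _ in sweep_layouts([tmp])]


if __name__ == "__main__":
    print(hunt_iis(SAMPLE_IIS_LOG), hunt_process_chain(SAMPLE_EVENTS), demo_sweep(), sep="\n")
```

On a real server, pass the two LAYOUTS paths from the IOC list to sweep_layouts and feed hunt_iis the W3C files from the SharePoint site’s IIS log directory; a hit on the POST alone is worth triaging even when the source IP is not in the list, since the IOC IPs cover only the activity observed so far.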
Cynet All-in-One provides Threat Hunting capabilities for hunting the above IOCs.
Cynet All-in-One Detection Alert
When Cynet All-in-One 360 detects malicious web shell file patterns related to CVE-2025-53770, it immediately generates a high-severity alert mapped to MITRE ATT&CK T1505 (Server Software Component).
Mitigation Guidance
Microsoft and CISA recommend implementing the following:
- Apply the July 2025 Security Updates for all supported on-prem SharePoint versions immediately.
- Ensure AMSI integration is enabled in SharePoint and Microsoft Defender Antivirus is running on all SharePoint servers; Microsoft reports that this blocks the unauthenticated exploit path and provides active detection.
- Disconnect SharePoint servers from the internet until they are patched if AMSI cannot be enabled.
- After patching, rotate the ASP.NET machine keys (Update-SPMachineKey, or the machine key rotation job in Central Administration) and restart IIS on every server in the farm; the update alone does not invalidate keys already stolen through the web shell, and a forged “__VIEWSTATE” signed with them stays valid until rotation.
- Monitor Microsoft’s Update Guide for ongoing patches, especially for SharePoint 2016.
Note: Microsoft 365 SharePoint Online is not impacted.
Are Cynet customers protected?
Yes. Cynet customers are protected as long as the Cynet agent is deployed on the affected SharePoint servers and protection settings are aligned with Cynet’s Best Practices. Cynet will continue to monitor the threat landscape and update detection logic as new indicators and techniques emerge. Here is how Cynet helps:
- CyAI, Cynet’s AI-based threat detection engine, continuously analyzes activity for patterns associated with known and emerging threats targeting SharePoint.
- Behavioral protection – identifies malicious behavior patterns during exploitation attempts.
- Memory-based attack detection – detects in-memory techniques often used in SharePoint exploits.
- Exploitation technique prevention – blocks known exploitation methods proactively.
- CyOps, Cynet’s 24/7 MDR team, actively monitors for signs of exploitation and will alert and assist customers in real time if any suspicious activity is detected.
Customers should ensure that the Cynet agent is deployed on all relevant SharePoint servers and that all detection mechanisms are enabled and updated in their security policy.