Microsoft SharePoint Server, deserialization of untrusted data RCE (ToolShell)
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthenticated attacker to execute arbitrary code over the network. The flaw is a patch bypass of CVE-2025-49704/49706 that lets attackers steal the server's ASP.NET MachineKey and forge __VIEWSTATE payloads for persistent remote code execution and full content access. Microsoft confirmed active in-the-wild exploitation prior to the fix.
Overview
CVE-2025-53770, part of the "ToolShell" exploit chain, is a critical unauthenticated remote code execution vulnerability in on-premises Microsoft SharePoint Server. It is a bypass of the earlier CVE-2025-49704 / CVE-2025-49706 pair: attackers reach a deserialization sink to extract the server's ASP.NET cryptographic MachineKey, then forge signed __VIEWSTATE payloads to run code at will. Microsoft observed mass in-the-wild exploitation in July 2025 against thousands of internet-facing servers before patches were complete. SharePoint Online (Microsoft 365) is not affected.
Technical Details
The attack abuses an authentication/deserialization weakness reachable via the ToolPane.aspx endpoint (with a crafted Referer). Once an attacker recovers the ValidationKey and DecryptionKey from the SharePoint MachineKey, they can sign arbitrary serialized .NET objects. SharePoint then deserializes the forged __VIEWSTATE, instantiating attacker-controlled gadget chains that execute commands as the SharePoint service account. Because the secret is the server's signing key, exploitation is persistent: simply patching does not invalidate keys an attacker has already exfiltrated.
Impact
- Unauthenticated RCE on the SharePoint server with service-account privileges.
- Persistent forged access: stolen MachineKeys let attackers re-enter even after patching until keys are rotated.
- Data theft and lateral movement: full access to site content, plus pivoting to connected services (Outlook, Teams, OneDrive) and on-prem identity.
- Observed operators include Storm-2603 (deploying ransomware) and the China-nexus actors Microsoft tracks as Linen Typhoon and Violet Typhoon.
Mitigation
- Patch immediately to the July 2025 security updates: SharePoint Subscription Edition build 16.0.18526.20508, 2019 build 16.0.10417.20037, 2016 build 16.0.5513.1001 or later.
- Rotate the SharePoint MachineKeys after patching (PowerShell Update-SPMachineKey / Set-SPMachineKey, then iisreset); this is mandatory, not optional.
- Enable AMSI integration in Full Mode and ensure Microsoft Defender Antivirus (or equivalent) is running on all SharePoint servers.
- If you cannot patch immediately, disconnect affected servers from the internet until updated.
Detection
- Hunt for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx.
- Look for the web shell spinstall0.aspx (and variants) written to the LAYOUTS directory.
- Review IIS logs and Defender detections for the period before patching; CISA added the CVE to the KEV catalog on July 20, 2025.
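The two IIS-log indicators above, turned into a small hunting script. This is an added example, not Microsoft's or CISA's tooling; the log lines are constructed, and the `spinstall\d*.aspx` pattern is an assumed way to cover the "variants" the advisory mentions.

```python
import re

# Constructed sample of an IIS W3C log (not real traffic). The #Fields header
# uses the default IIS field order; the parser reads it rather than assuming it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 python-requests/2.32 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 812
2025-07-19 03:12:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 15
2025-07-19 03:15:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200 0 0 120
2025-07-19 03:16:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 - 200 0 0 40
"""

# ToolPane.aspx lives under /_layouts/<version>/; match case-insensitively
# because IIS preserves whatever casing the client sent.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
# Assumed pattern for "spinstall0.aspx and variants" (spinstall1.aspx, ...).
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx$", re.I)


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def hunt_toolshell(text):
    """Return (indicator, client-ip, time) for each line matching the advisory's
    two detection rules: the ToolPane POST with a SignOut Referer, and any
    request for the spinstall web shell."""
    hits = []
    for r in parse_w3c(text):
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "")
        if (r.get("cs-method") == "POST"
                and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query.lower()
                and SIGNOUT_RE.search(r.get("cs(Referer)", ""))):
            hits.append(("toolpane-signout-referer", r["c-ip"], r["time"]))
        elif WEBSHELL_RE.search(stem):
            hits.append(("spinstall-webshell", r["c-ip"], r["time"]))
    return hits


if __name__ == "__main__":
    for hit in hunt_toolshell(SAMPLE_LOG):
        print(hit)
```

The third sample line (an authenticated GET to ToolPane.aspx with a normal Referer) is ordinary editing traffic and is deliberately not flagged.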