Executive Summary
Microsoft has identified widespread, active exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, designated ToolShell and tracked as CVE-2025-53770. This zero-day exploit, demonstrated publicly on X just days prior, allows unauthenticated attackers to compromise on-premises SharePoint servers globally, extract cryptographic secrets, and gain full remote control. Microsoft and CISA have confirmed the active exploitation and assigned the CVE, and a patch is now available for affected versions. Organizations are strongly urged to implement interim mitigations and conduct immediate compromise assessments to defend against ToolShell.
Retail and Hospitality Community Impact
The retail and hospitality sectors heavily rely on SharePoint for internal collaboration, document management, and potentially even customer-facing portals. A successful exploitation of CVE-2025-53770 could lead to complete compromise of critical internal data, intellectual property theft, and disruption of operational workflows. As such, it is highly recommended that affected organizations apply the relevant patch from Microsoft at the earliest opportunity.
Technical Analysis
The ToolShell (CVE-2025-53770) vulnerability is a critical unauthenticated Remote Code Execution (RCE) chain against on-premises SharePoint servers, built from a combination of prior Pwn2Own Berlin exploits (CVE-2025-49706 and CVE-2025-49704). The attack bypasses authentication by sending a POST request to /_layouts/15/ToolPane.aspx with a specific HTTP Referer header (/_layouts/SignOut.aspx); details of this technique were published just before active exploitation began. Once access is gained, the exploit drops a crafted .aspx payload designed specifically to extract the SharePoint server’s MachineKey configuration, including the critical ValidationKey. That ValidationKey is then used with tools like ysoserial to craft fully valid, signed __VIEWSTATE payloads, enabling arbitrary command execution on the server without any administrative credentials. Because a stolen ValidationKey remains valid until it is rotated, installing the patch alone does not lock out an attacker who has already captured it; Microsoft’s guidance therefore pairs the update with rotating the server’s ASP.NET machine keys.
Indicators of Compromise
Eye Security has publicly provided the following indicators of compromise, which should be ingested into your security tooling as soon as possible.
Indicator | Description (Context provided by Eye Security)
107.191.58[.]76 | First exploit wave: US-based source IP responsible for active exploitation on 18 July around 18:06 UTC, deploying spinstall0.aspx
104.238.159[.]149 | Second exploit wave: US-based source IP responsible for active exploitation on 19 July around 07:28 UTC
96.9.125[.]147 | Shared by Palo Alto Unit42; we don’t have context
103.186.30[.]186 | Shared on X by @andrewdanis; we don’t have context
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User agent string used in active exploitation on 18 and 19 July
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 | URL-encoded user agent string for IIS log searches
/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx | POST path used to trigger the exploit and push Sharpyshell, related to CVE-2025-49706 and/or CVE-2025-53770
Referer: /_layouts/SignOut.aspx | Exact HTTP header used in exploiting ToolPane.aspx inside the POST request, related to CVE-2025-53770
GET request to malicious ASPX file in /_layouts/15/spinstall0.aspx | ASPX crypto dumper used by CVE-2021-28474 with the tool ysoserial to get RCE on SharePoint
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA256 hash of the spinstall0.aspx crypto dumper, probably created with Sharpyshell
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0[.]aspx | Location of the malicious ASPX file on Windows Servers running SharePoint
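The following is an added detection example, not code from this advisory, Eye Security or Microsoft: it parses IIS W3C log lines and flags requests matching the ToolShell indicators in the table above (the ToolPane.aspx POST with the SignOut.aspx Referer, retrieval of spinstall0.aspx, the known source IPs and the URL-encoded user agent). The log lines are constructed for illustration; the column names follow the standard IIS W3C #Fields directive.

```python
# Indicators taken from the Eye Security table above (defanging brackets removed).
KNOWN_SOURCE_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147", "103.186.30.186"}
KNOWN_UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0"
# Constructed sample IIS W3C log (not a real capture): two lines shaped like the
# 18 July wave described above, then one benign request from an internal user.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 18:06:12 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200 0 0 312
2025-07-18 18:06:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 45
2025-07-18 18:07:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200 0 0 80
"""

def parse_iis_w3c(lines):
    """Parse W3C extended log lines, taking column names from the #Fields: directive."""
    fields, records = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records

def classify(rec):
    """Return the ToolShell indicators (from the table above) that one request matches."""
    hits = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    # Exploit trigger: POST to ToolPane.aspx in edit mode with the SignOut.aspx Referer.
    if (rec.get("cs-method") == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in query and referer.endswith("/_layouts/signout.aspx")):
        hits.append("toolpane_post_with_signout_referer")
    if stem.endswith("/_layouts/15/spinstall0.aspx"):  # retrieval of the dropped crypto dumper
        hits.append("spinstall0_aspx_request")
    if rec.get("c-ip") in KNOWN_SOURCE_IPS:
        hits.append("known_source_ip")
    if rec.get("cs(User-Agent)") == KNOWN_UA:  # IIS writes spaces in the UA as '+'
        hits.append("known_user_agent")
    return hits

def scan(log_text):
    """Scan a whole log; return (timestamp, client IP, matched indicators) for each hit."""
    return [(f"{r['date']} {r['time']}", r["c-ip"], h)
            for r in parse_iis_w3c(log_text.splitlines()) if (h := classify(r))]
```

Run `scan()` over the contents of the SharePoint web application's IIS log files; a ToolPane.aspx hit followed within seconds by a spinstall0.aspx request from the same client IP is the sequence described in the technical analysis.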
Unit42 has provided the following indicators of compromise, which should be ingested into your security tooling as soon as possible.
Indicator | Description (Context provided by Unit42)
4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030 | Initial hash observed
b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70 |
fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7 | Targeting the view state