Skip to main content
Back to Threat Intelligence
July 21, 2025Critical AdvisoryBy Matt Johnson

CVE-2025-53770: "ToolShell" RCE Hits On-Prem SharePoint Servers

CVSS 9.8 Critical - Unauthenticated Remote Code Execution - Actively Exploited

A critical deserialization vulnerability in Microsoft SharePoint on-premises is being actively exploited in the wild. Threat actors have been deploying stealthy backdoors since July 18–19. If you run on-prem SharePoint, this requires immediate action.

Summary

A critical remote code execution vulnerability - CVE-2025-53770 - has emerged targeting on-premises Microsoft SharePoint. Discovered as part of an attack chain dubbed "ToolShell," this issue allows unauthenticated, network-based code execution via deserialization of untrusted data. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

Severity

9.8

CVSS v3.1 Score

Critical

CISA KEV

Added July 20, 2025

Known Exploited

Unauthenticated

No credentials required

Network-based RCE

Attack in the Wild

Security researchers at Eye Security and SANS ISC report that threat actors have exploited this flaw since July 18–19, 2025, deploying stealthy backdoors to extract MachineKey secrets (e.g., spinstall0.aspx) and maintain persistent access on compromised servers.

Attack Timeline

July 18–19, 2025

Active exploitation begins - backdoors deployed to extract MachineKey secrets

July 20, 2025

CISA adds CVE-2025-53770 to Known Exploited Vulnerabilities (KEV) catalog

July 21, 2025

Microsoft releases emergency patches for SharePoint 2019 and Subscription Edition

Pending

SharePoint Server 2016 patch status - support remains under review

Known Attacker Infrastructure

Monitor and block the following IPs reported active during the initial exploitation window (July 18–19):

107.191.58[.]76104.238.159[.]14996.9.125[.]147

Affected Systems

Vulnerable (On-Premises)

  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Subscription Edition

Not Affected

  • SharePoint Online (Microsoft 365)

Important Note

If your organization uses SharePoint Online / Microsoft 365, you are not affected by this vulnerability. This only impacts self-hosted, on-premises SharePoint deployments.

Mitigations & Immediate Steps

Until official patches are fully deployed across all affected versions, organizations should take the following actions immediately:

  • Enable AMSI integration and deploy Microsoft Defender AV on all SharePoint servers.
  • If AMSI is not available, disconnect affected servers from the internet immediately.
  • Update intrusion prevention and firewall rules to block known exploit patterns.
  • Monitor for HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
  • Block attacker IPs active July 18–19: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147.
  • Implement comprehensive logging, audit admin privileges, and improve event detection capabilities.

Patching Status & Long-Term Fixes

Microsoft released emergency updates on July 21, 2025 for SharePoint Server 2019 and Subscription Edition. Support for SharePoint Server 2016 patches remains pending.

Recommended Patching Actions

  • Apply the July 2025 Security Updates immediately across all supported versions.
  • Rotate ASP.NET MachineKeys and perform a full IIS restart once patches are applied.
  • Deploy Microsoft Defender for Endpoint to detect anomalous behaviors and indicators of compromise.
  • Conduct a threat hunt for known backdoor files (e.g., spinstall0.aspx) in /_layouts/ directories.

Final Word

If you manage on-premises SharePoint, treat this as an urgent priority. Ensure mitigation measures are live, apply patches immediately, and hunt for post-exploit indicators of compromise. With threat actors actively leveraging "ToolShell," you cannot afford to wait.

For detailed remediation guidance, follow Microsoft's Customer Guidance via the Microsoft Security Response Center and CISA's official alert and KEV notice.

Quick Reference Checklist

  • Patch SharePoint 2019 / Subscription Edition with July 21, 2025 emergency update
  • Enable AMSI + Microsoft Defender AV on all SharePoint servers
  • Rotate ASP.NET MachineKeys and restart IIS post-patch
  • Block attacker IPs and monitor for ToolPane.aspx exploit requests
  • Deploy Defender for Endpoint for post-exploit behavioral detection
  • Hunt for unauthorized .aspx files in /_layouts/ directories

About SOClogix

SOClogix specializes in providing cyber threat intelligence, 24/7 monitoring, and managed detection and response (MDR) tailored for SMBs and mid-market organizations. Our mission is to help businesses stay ahead of evolving threats with actionable intel, proactive defense, and rapid incident response.

If your organization needs help assessing SharePoint exposure, responding to active threats, or enhancing your security posture, the experts at SOClogix are here to help.

Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →
CVE-2025-53770ToolShellSharePointRCEZero-DayCISA KEVMicrosoftOn-PremisesPatch Now