{
	"id": "71ebecf7-f711-4b34-adc7-76956f832f43",
	"created_at": "2026-04-06T00:22:36.906888Z",
	"updated_at": "2026-04-10T03:20:44.848165Z",
	"deleted_at": null,
	"sha1_hash": "a88fdba5a5c67dc95c8e55001f305d4308042b11",
	"title": "Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 294283,
	"plain_text": "Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks\r\nBy: Trend Micro Research Jul 22, 2025 Read time: 5 min (1347 words)\r\nPublished: 2025-07-22 · Archived: 2026-04-05 16:16:38 UTC\r\nKey takeaways\r\nCVE-2025-53770 and CVE-2025-53771 are vulnerabilities affecting on-premise Microsoft SharePoint Servers, which enable an attacker to upload malicious files and extract cryptographic secrets.\r\nThese vulnerabilities are evolutions of previously patched flaws (CVE-2025-49704 and CVE-2025-49706), for which the initial vendor-provided remediation was incomplete, enabling attackers to achieve unauthenticated RCE through advanced deserialization techniques and ViewState abuse.\r\nWe have observed exploit attempts across a wide range of industries, including finance, education, energy, and healthcare.\r\nSince original publication, we have observed increased use of these vulnerabilities by multiple threat actors. These threat actors have integrated these exploits into their attack chains and used them to deploy ransomware onto critical infrastructure.\r\nMicrosoft has released security updates for SharePoint Subscription Edition and Server 2019, while a patch for Server 2016 is pending. Trend Micro™ TippingPoint™ customers have been protected from these attacks since May 2025.\r\nOverview\r\nCVE-2025-53770 and CVE-2025-53771 are a pair of vulnerabilities affecting Microsoft SharePoint Servers. Attacks exploiting CVE-2025-53770 in the wild were first reported by Eye Security on July 18; these vulnerabilities are currently being actively exploited to compromise on-premises SharePoint environments worldwide. Trend™ Research has independently verified these findings.\r\nBoth of these flaws build on CVE-2025-49706 and CVE-2025-49704, the initial vulnerabilities in Microsoft SharePoint that were disclosed during Pwn2Own Berlin 2025 by Viettel Cyber Security as part of a chained attack. These were patched as part of the July 2025 Patch Tuesday cycle. However, further analysis revealed that the initial patches were not fully complete, which necessitated the release of CVE-2025-53770 and CVE-2025-53771.\r\nMicrosoft acknowledged these issues in a security bulletin first published on July 19, when patches were made available for SharePoint Subscription Edition and 2019. Meanwhile, a patch for SharePoint 2016 is forthcoming as of writing. The patch for CVE-2025-53770 provides a more comprehensive fix for CVE-2025-49704, while CVE-2025-53771 does the same for CVE-2025-49706.\r\nTippingPoint customers have been protected against these related vulnerabilities since May, as part of the discoveries made at Pwn2Own Berlin. These discoveries became CVE-2025-49704 and CVE-2025-49706 when coordinated disclosure was done with Microsoft.\r\nhttps://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html\r\nPage 1 of 6\n\nDescription\r\nAttackers exploiting CVE-2025-53770 in on-premise SharePoint servers target the /layouts/15/ToolPane.aspx endpoint with a specially crafted HTTP request whose Referer header is set to /_layouts/SignOut.aspx to circumvent authentication mechanisms, which results in the upload of a malicious .aspx file. The weaponized file, named spinstall0.aspx, extracts cryptographic secrets from the SharePoint instance.\r\nUpon extracting these secrets, the threat actors generate valid, signed __VIEWSTATE payloads, which enable unauthenticated RCE. This exploitation chain makes use of multiple vulnerabilities, including CVE-2025-49706 and CVE-2025-49704.\r\nFigure 1. Web shell designed to harvest cryptographic keys, including ValidationKey and DecryptionKey, from a system's machineKey settings\r\nHow the exploit unfolds\r\nThe observed attack progresses through the following stages:\r\n1. Attackers exploit the /layouts/15/ToolPane.aspx endpoint using a carefully crafted HTTP request and a specific Referer header value of /_layouts/SignOut.aspx to bypass authentication controls.\r\n2. A malicious ASPX file (spinstall0.aspx) is uploaded to the server. The file is intended to extract sensitive cryptographic secrets from the SharePoint environment.\r\n3. The malicious spinstall0.aspx extracts the server’s MachineKey configuration, which includes the ValidationKey that is critical for generating valid __VIEWSTATE payloads.\r\n4. Using the stolen cryptographic secrets, the attackers employ tools such as ysoserial to generate valid serialized __VIEWSTATE objects, which are then deserialized by SharePoint, enabling unauthenticated remote code execution.\r\nNote that the file spinstall0.aspx has been observed at the following path: C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0[.]aspx.\r\nTechnical Details\r\nThe malicious ASPX files employ reflective code loading through the System.Reflection.Assembly.Load() C# method (T1620) to expose machineKey settings from web.config. Although these files do not directly execute additional code, they leak keys used for authentication and ViewState security, significantly increasing the risks of token forgery and data tampering.\r\nThe Scorecard:ExcelDataSet control in SharePoint can embed a base64-encoded CompressedDataTable payload within a malicious ViewState object—often crafted using tools like ysoserial—leading to remote code execution via deserialization.\r\nFigure 2. Malicious POST request used to bypass SharePoint authentication\r\nThe decoded ViewState payloads reference system objects and may execute PowerShell commands. For example, a PowerShell script can be used to decode a base64 string and write its contents to spinstall0.aspx in the SharePoint LAYOUTS directory.\r\nThe web shell scripts, written in C#, use internal .NET classes to access SharePoint’s MachineKeySection. This facilitates the extraction of critical cryptographic configuration values, including ValidationKey, DecryptionKey, Decryption, and CompatibilityMode.\r\nFigure 3. C# web shell script accessing .NET MachineKeySection to extract SharePoint cryptographic keys\r\nCurrently, we have observed exploitation attempts across multiple regions, including Asia, Europe, and the United States. A wide range of industries have also been targeted, notably finance, education, energy, and healthcare.\r\nInitial Access (TA0001)\r\nCredential Access (TA0006)\r\nCommand and Control (TA0011)\r\nReflective Code Loading (T1620)\r\nExploit Public-Facing Application (T1190)\r\nOS Credential Dumping (T1003)\r\nApplication Layer Protocol: Web (T1071.001)\r\nServer Software Component: Web Shell (T1505.003)\r\nTable 1. Summary of the MITRE ATT\u0026CK tools, tactics, and procedures used in attacks that exploit CVE-2025-53770 and CVE-2025-53771\r\nPost-Exploitation Analysis\r\nOur analysis reveals that threat actors are leveraging the initial compromise for comprehensive enterprise reconnaissance and data theft. The systematic approach to Active Directory enumeration and cross-server lateral movement indicates these are not opportunistic attacks, but rather targeted operations with specific objectives. The use of password-protected RAR archives with date-filtered log collection (-ta2025-07-01) suggests interest in recent activities or specific timeframes. The deployment of debug_dev.js represents an evolution in attack sophistication, as this file aggregates all web.config files across the SharePoint farm, providing attackers with a comprehensive map of the enterprise's web infrastructure, including connection strings, service accounts, and internal URLs.\r\nSummary\r\nThis sophisticated attack chain demonstrates a fundamental shift in how threat actors are targeting enterprise infrastructure. The complete bypass of SharePoint authentication, combined with cryptographic key extraction, transforms what should be a protected internal system into an open gateway for attackers. The observed post-exploitation activities reveal a methodical approach that goes far beyond simple web shell deployment: attackers are harvesting enterprise-wide configurations, mapping Active Directory structures, and establishing multiple persistence mechanisms across SharePoint farm servers.\r\nRecommendation and Trend solutions\r\nThe active exploitation of CVE-2025-53770 and CVE-2025-53771 illustrates the evolving nature of threat activity targeting on-premise Microsoft SharePoint environments. Organizations must proactively apply available patches, enhance monitoring, and ensure layered security controls are in place to effectively defend against these advancing threats.\r\nWe strongly recommend applying the latest security updates from Microsoft for on-premise SharePoint servers (note that Office 365 and SharePoint Online are not affected), monitoring for the presence of unauthorized ASPX files in the LAYOUTS directory, auditing configuration files for suspicious changes, and inspecting server logs for anomalous access patterns—particularly those involving the ToolPane.aspx endpoint and ViewState activity. Furthermore, while no post-exploitation activity has been observed at this time, we still suggest rotating any potentially affected keys as a precaution, since exploitation, if it occurred, may have exposed them.\r\nTippingPoint customers have benefited from proactive and multi-layered protection against these vulnerabilities since the initial disclosure via the Pwn2Own program in May of 2025.\r\nSpecific details on more protection rules and filters for Trend customers are available in the corresponding knowledge base entry.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Threat Insights products, which provide the latest insights from Trend Research on emerging threats and threat actors.\r\nThreat Insights App\r\nEmerging Threats: CVE-2025-53770 - Microsoft SharePoint Vulnerability Exploitation In The Wild\r\nHunting Queries\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nCVE-2025-53770: Dropping of Malicious ASPX file using PowerShell\r\neventSubId: 901 AND objectRawDataStr: \"TEMPLATE\\LAYOUTS\\spinstall0.aspx\"\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nThe IoCs for this blog can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html"
	],
	"report_names": [
		"cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a88fdba5a5c67dc95c8e55001f305d4308042b11.pdf",
		"text": "https://archive.orkl.eu/a88fdba5a5c67dc95c8e55001f305d4308042b11.txt",
		"img": "https://archive.orkl.eu/a88fdba5a5c67dc95c8e55001f305d4308042b11.jpg"
	}
}