A critical zero-day vulnerability in Microsoft SharePoint servers, designated CVE-2025-53770, allows attackers to achieve remote code execution without authentication.
The security firm Eye Security discovered the threat during routine monitoring on July 18, 2025, when their CrowdStrike Falcon EDR deployment flagged suspicious activity on a customer’s on-premises SharePoint server.
The vulnerability, dubbed “ToolShell,” represents a weaponized exploit chain combining two previously demonstrated vulnerabilities from Pwn2Own Berlin 2025: CVE-2025-49706 and CVE-2025-49704.

Microsoft has confirmed active exploitation but has not yet released a patch, instead providing interim guidance for detection and mitigation.
Eye Security’s investigation revealed the scope extends far beyond isolated incidents. The team scanned over 8,000 public-facing SharePoint environments and identified dozens of compromised systems, with exploitation occurring primarily on July 18 around 18:00 UTC and July 19 around 07:30 UTC.
“We developed a feeling that credentials were never used,” the researchers noted after analyzing IIS logs that showed POST requests to /_layouts/15/ToolPane.aspx with unusual referrer headers pointing to /_layouts/SignOut.aspx.
The discovery contradicted initial assumptions about credential-based attacks, revealing instead an authentication bypass vulnerability.
The exploit specifically targets the SharePoint ToolPane functionality, allowing attackers to write files to the server without any authentication.
Security researcher @irsdl discovered that using /_layouts/SignOut.aspx as a valid referrer enables bypassing authentication controls, transforming the known CVE-2025-49706 into an effective zero-day attack vector.
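The IIS log pattern the researchers describe (POST requests to ToolPane.aspx carrying a SignOut.aspx referrer and no username, followed by requests for the dropped spinstall0.aspx file) is straightforward to hunt for retrospectively. The script below is an added example, not Eye Security's tooling; it assumes the standard IIS W3C extended log format (a "#Fields:" directive naming the columns, single-space separators, "-" for empty fields), and the log excerpt, IP addresses and host name are constructed for the example.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern described in the text.

Added example, not Eye Security's tooling. Assumes the standard IIS W3C
extended log format; the sample excerpt below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: two requests from one client mirror the pattern reported
# in the article (unauthenticated POST to ToolPane.aspx with a SignOut.aspx
# referrer, then a request for the dropped spinstall0.aspx), followed by
# ordinary authenticated traffic that must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 18:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint.example.test/_layouts/SignOut.aspx 200
2025-07-18 18:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-18 18:05:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint.example.test/ 200
2025-07-18 18:06:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\jdoe 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint.example.test/sites/hr/default.aspx 200
"""

TOOLPANE = re.compile(r"/toolpane\.aspx$", re.I)      # cs-uri-stem of the abused page
SIGNOUT_REF = re.compile(r"/signout\.aspx", re.I)     # referrer used for the auth bypass
PAYLOAD_NAME = "spinstall0.aspx"                      # dropped ASPX named in the article


@dataclass
class Finding:
    line_no: int
    reason: str
    client_ip: str
    uri: str


def parse_w3c(text):
    """Yield (line_no, record) for each log record, naming columns from #Fields:."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: record before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def hunt(text):
    """Return Findings for requests matching the exploitation pattern."""
    findings = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "-")
        if method == "POST" and TOOLPANE.search(stem):
            if SIGNOUT_REF.search(referer):
                findings.append(Finding(line_no, "POST to ToolPane.aspx with SignOut.aspx referrer (auth bypass pattern)", ip, stem))
            elif user == "-":
                # Weaker signal on its own, but the article's key observation was
                # that no credentials were ever used on these requests.
                findings.append(Finding(line_no, "unauthenticated POST to ToolPane.aspx", ip, stem))
        if stem.lower().endswith("/" + PAYLOAD_NAME):
            findings.append(Finding(line_no, f"request for known payload file {PAYLOAD_NAME}", ip, stem))
    return findings


def suspicious_ips(findings):
    """Distinct client IPs behind any finding, for scoping the response."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.reason} [{f.client_ip} -> {f.uri}]")
    print("clients to investigate:", ", ".join(suspicious_ips(hits)))
```

A hit on the payload file name alone is worth acting on, since legitimate installations do not serve a spinstall0.aspx; a lone unauthenticated POST to ToolPane.aspx is weaker and should be read together with the referrer and the timing windows reported above. Note that a negative result over the logs does not clear a host: the article's point is that secrets may already have been taken, so the credential-rotation step still applies.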
SharePoint 0-Day RCE Vulnerability
The malicious payload demonstrates advanced techniques beyond typical web shells.
Instead of providing interactive command execution, the attackers deploy a specialized ASPX file called spinstall0.aspx designed exclusively to extract cryptographic secrets from SharePoint servers.

The payload leverages .NET reflection to access SharePoint’s internal MachineKey configuration, specifically the ValidationKey used for generating valid __VIEWSTATE payloads.
Once obtained, these cryptographic keys enable attackers to craft legitimate, signed ViewState payloads using tools like ysoserial, effectively turning any SharePoint request into a remote code execution opportunity.
“These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity,” the researchers explained.
The technique mirrors the approach used in CVE-2021-28474, where attackers abused SharePoint’s server-side control parsing logic to inject malicious objects into the page lifecycle.
Immediate Response Required
Microsoft’s Security Response Center has issued official guidance acknowledging the active exploitation while confirming no patch is currently available.
The company’s advisory emphasizes the critical nature of this vulnerability affecting on-premises SharePoint installations.
Eye Security strongly recommends immediate action regardless of patch availability. Organizations should isolate affected SharePoint servers, because blocking at the firewall alone is insufficient when persistence mechanisms may already be in place.
Critical steps include renewing all credentials and system secrets potentially exposed through the malicious ASPX payload.
“This is a rapidly evolving, targeted exploit. Organizations with unpatched SharePoint servers should not wait for a fix.
They should assess for compromise immediately,” the researchers warn. The vulnerability poses particular risk because SharePoint often connects to core services like Outlook, Teams, and OneDrive, enabling rapid lateral movement across enterprise networks.