blog
Published
July 21, 2025

CVE-2025-53770 Unauthenticated SharePoint RCE ("ToolShell") Exploit Uncovered

15

Minute Read

Vulnerability Research

Overview

A critical unauthenticated remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server is now under mass exploitation in the wild, putting organizations at high risk. This flaw, nicknamed "ToolShell," allows unauthorized remote code execution (RCE) on SharePoint servers with no authentication required1. Microsoft has confirmed active attacks in the wild and assigned CVE-2025-53770 as a variant of a recently patched SharePoint bug2. SharePoint Online (Microsoft 365 cloud) is not affected2, but on-premises SharePoint 2013, 2016, 2019, and Subscription Edition deployments are at risk. In this blog, we explain how the exploit works, the forensic evidence it leaves behind, and how to detect it. We also provide a Sigma rule to help defenders identify this attack in their environments.

Background

On July 18-19, 2025, threat actors began mass exploiting a new SharePoint RCE exploit chain in the wild3. Original reports from Eye Security and Microsoft observed that this attack combined two SharePoint vulnerabilities:

  • CVE-2025-49706 – SharePoint Authentication Bypass (Spoofing): A flaw in SharePoint's authentication mechanism (CVSS 6.3) that could allow bypassing normal auth checks2.
  • CVE-2025-49704 – SharePoint Code Injection (RCE): A high-severity code injection bug (CVSS 8.8) that allows arbitrary commands on the server, originally requiring authentication3.

These were initially demonstrated by researchers from Code White GmbH at Pwn2Own Berlin in May 20254. When chained together, they enable a fully unauthenticated RCE, which has been dubbed "ToolShell" by the community3. Microsoft's advisory refers to CVE-2025-53770 as “a variant of CVE-2025-49706” due to the authentication bypass element4. Currently there is no official patch is available at the time of writing; Microsoft is still testing a fix1,2.

Impact: A successful CVE-2025-53770 exploit gives attackers system-level control of the SharePoint web server process. They can execute arbitrary code, install web shells or malware, steal sensitive SharePoint data, and potentially pivot deeper into the network. This 0-day presents a high-impact risk (CVSS 9.8 critical)3.

Readiness Assessment

Thawd clients can now validate their defenses against CVE-2025-53770 using a newly released simulation from our attack chain library. This scenario reproduces ToolShell web shell behavior observed in the wild like the unauthorized file drops, and PowerShell execution via w3wp.exe. By running this simulation, customers can assess both preventive controls (e.g., application whitelisting, EDR blocking) and detection logic (e.g., EDR and SIEM correlation) in a safe and controlled simulation.

CVE-2025-53770 Added to SimLight

Mitigation

  1. Enable SharePoint AMSI Integration & Defender AV: Microsoft strongly recommends enabling AMSI (Antimalware Scan Interface) integration on SharePoint servers and running Microsoft Defender Antivirus with up-to-date signatures2. AMSI integration for SharePoint (available by default since the Sept 2023 update for SP 2016/2019 and in SharePoint Subscription Edition 23H2) helps detect and block malicious scripts and payloads in the SharePoint context2. In this case, it can prevent an unauthenticated attacker from exploiting the vulnerability by scanning and stopping the malicious requests. If not already enabled, refer to Microsoft's documentation to configure AMSI in SharePoint2.
  2. Isolate or Disable SharePoint Servers (Temporary): If you cannot immediately protect the server via AMSI and AV, consider disconnecting the SharePoint server from the internet or blocking external access until a patch is available2. This breaks the attack chain for external threats (though note insiders could still attempt it). In extreme cases, if you suspect compromise, taking the server offline might be necessary to prevent further attacker actions and to conduct forensics safely.
  3. Enforce Pre-Authentication with an Authentication Proxy: The vulnerability is exploitable without authentication, making pre-authentication controls a valuable mitigation layer. Deploy an authentication proxy to enforce authentication before access to vulnerable SharePoint endpoints. This adds a barrier for unauthenticated attackers, reducing the risk window until a patch is available.
  4. Apply Updates When Available: Microsoft is working on a security patch for CVE-2025-53770 as of this writing2. Monitor the MSRC advisory3 and apply the patch as soon as it is released. Prior vulnerabilities (CVE-2025-49704/49706) were addressed in the July 2025 Patch Tuesday4, but this variant requires a new fix. Patching will remove the underlying vulnerabilities; however, note that patching alone will not remove any backdoors or stolen keys left by attackers, so you must also thoroughly investigate and remediate any signs of compromise.

Detection (Sigma Rule)

To detect CVE-2025-53770 exploitation, the following Sigma rules flag suspicious w3wp.exe activity including .aspx file drops in SharePoint paths, child process execution (e.g., PowerShell), and outbound connections to sensitive ports. These rare behaviors suggest ToolShell activity and can be integrated into your SIEM for early detection.

Suspicious ASPX File Creation in SharePoint Paths

1title: Suspicious ASPX File Creation in SharePoint Paths
2id: b3ad3c0f-c749-47a1-a37e-b0491ccae775
3status: experimental
4description: Detects creation of .aspx files in SharePoint-related directories, which may indicate web shell deployment related to CVE-2025-53770.
5author: Thawd Lab
6date: 2025/07/20
7tags:
8  - CVE-2025-53770
9logsource:
10  product: windows
11  category: file_event
12detection:
13  selection:
14    TargetFilename|contains: '\TEMPLATE\LAYOUTS\'
15    TargetFilename|endswith: '.aspx'
16    Image|endswith: '\w3wp.exe'
17  condition: selection
18level: high

Suspicious Child Process Spawned by W3wp.exe

1title: Suspicious Child Process Spawned by w3wp.exe
2id: b3ad3c0f-c749-47a1-a37e-b0491ccae776
3status: experimental
4description: Detects suspicious child processes launched from w3wp.exe, the IIS worker process used by SharePoint, which may indicate exploitation or web shell activity.
5author: Thawd Lab
6date: 2025/07/20
7tags:
8  - CVE-2025-53770
9logsource:
10  product: windows
11  category: process_creation
12detection:
13  selection:
14    ParentImage|endswith: '\w3wp.exe'
15    Image|endswith:
16      - 'cmd.exe'
17      - 'powershell.exe'
18      - 'powershell_ise.exe'
19      - 'cscript.exe'
20      - 'wscript.exe'
21      - 'mshta.exe'
22  condition: selection
23level: high

W3wp.exe Network Connection to Sensitive Internal Ports

1title: w3wp.exe Network Connection to Sensitive Internal Ports
2id: b3ad3c0f-c749-47a1-a37e-b0491ccae777
3status: experimental
4description: Detects w3wp.exe establishing connections to internal ports like RDP, SSH, or LDAP, potentially post-exploitation activities.
5author: Thawd Lab
6date: 2025/07/20
7tags:
8  - CVE-2025-53770
9logsource:
10  product: windows
11  category: network_connection
12detection:
13  selection:
14    Initiated: true
15    Image|endswith: '\w3wp.exe'
16    DestinationPort:
17      - 3389  # RDP
18      - 22    # SSH
19      - 389   # LDAP
20      - 636   # LDAPS
21  condition: selection
22level: high

How this helps: These rules detect key signs of CVE-2025-53770 exploitation in SharePoint, including unusual .aspx file drops, child processes spawned by w3wp.exe, and connections to internal ports like RDP or LDAP. Such behavior is rare in normal SharePoint use, making these detections high-confidence with low false positives.

Note: In addition to endpoint-based detection, consider searching your IIS logs for the patterns described earlier (e.g., ToolPane.aspx access with no authenticated user, or any hits to spinstall0.aspx). Those can be turned into custom queries or detection rules in your logging platform. Network monitoring tools (NIDS/NIPS) can also be used - for example, a Suricata rule might detect a URI containing /ToolPane.aspx?DisplayMode=Edit" with a suspicious referrer. Combining network, application log, and endpoint telemetry increases confidence in detecting this exploit.

Conclusion

CVE-2025-53770 is a critical unauthenticated RCE flaw actively exploited in the wild. Until a patch is released, organizations should apply available mitigations, monitor for suspicious activity using the provided Sigma rules, and validate their defenses with safe simulations. Thawd LAB will continue to track this threat and support defenders with timely insights and tools.

While a patch is in development1, the window for attackers remains open. Staying proactive and vigilant is essential. Thawd Security will continue monitoring this threat and helping clients stay protected against emerging exploits. Defense-in-depth, early detection, and fast response are critical to minimizing the impact of zero-day attacks like CVE-2025-53770.

Sources

  1. NVD Entry – CVE-2025-53770
    National Vulnerability Database entry including CVSS score and technical details.
  2. Microsoft MSRC Advisory – CVE-2025-53770
    Microsoft’s official guidance on CVE-2025-53770, including mitigation recommendations and patch tracking.
  3. Eye Security – SharePoint Under Siege: ToolShell Mass Exploitation
    Technical breakdown of the ToolShell exploit chain, observed activity, and payload analysis.
  4. CODE WHITE GmbH – Original Researchers
    Security research team who first demonstrated the chained vulnerabilities at Pwn2Own Berlin 2025.
Thawd Labs
Copy link

Related articles

Thawd Satruday
June 4, 2025

Thawd Saturday: T1543.003 Windows Services

Explore Windows Services, how attackers misuse them, and learn detection and defense strategies.
Read more

See Thawd In Action

Submit a request and we'll share answers to your top security validation and exposure management questions.
Contact Us
Arrow icon