ALL MENU

Technology
S2W's Technology
AI
Big Data
Security
Products
SAIP
QUAXAR
XARVIS
EYEZ
Services
AI Data Consulting
Penetration Testing
Incident Response
Request for Intelligence
Resources
Event
Webinar
SIS
Conference
About S2W
About S2W
History
News

QUICK LINKS

Resources
  • Research
  • Threat Analysis Brief Reports
Microsoft SharePoint Vulnerability: CVE-2025-53770
2025.08.04

✅ Report Title: Microsoft SharePoint Vulnerability Report: CVE-2025-53770



✅ Executive Summary:


- On July 19, 2025, Microsoft issued an emergency patch for a critical SharePoint vulnerability (CVE-2025-53770).


- The issue affects on-premise SharePoint instances running below the following versions:
  - Microsoft SharePoint Server Subscription Edition (prior to 16.0.18526.20508)
  - Microsoft SharePoint Server 2019 (prior to 16.0.10417.20037)


- The vulnerability received a CVSSv3.1 score of 9.8 (CRITICAL) and was disclosed and patched the same day.


- On July 18, 2025, active exploitation attempts targeting on-premise SharePoint deployments were observed globally.



📌 What caused the vulnerability?


- CVE-2025-53770 is a remote code execution vulnerability caused by insufficient validation in SharePoint.


- In May 2025, a chained RCE technique combining CVE-2025-49704 (code injection) and CVE-2025-49706 (authentication bypass) was demonstrated at Pwn2Own, later dubbed "ToolShell."
  - These were a code injection and authentication bypass vulnerability, respectively, and were named ToolShell.


- The flaw resides in the /_layouts/15/ToolPane.aspx endpoint, which provides UI components for editing web parts and is typically restricted to authenticated users.


- By crafting a POST request to this endpoint with the HTTP Referer set to /_layouts/SignOut.aspx, SharePoint’s logic assumes the user is in a logout flow and skips critical security checks—leading to insecure deserialization.


- This allows unauthenticated attackers to bypass authentication and execute arbitrary code via malicious payloads.


- Evidence suggests this is a bypass of patches issued on July 9, 2025, for CVE-2025-49704 and CVE-2025-49706.


- Microsoft’s Security Advisory confirms the patch bypass scenario.



📌 What is the attack scenario?


- Attackers likely began developing exploits immediately after the July 9 patches were released.


- Using patch diffing techniques, they identified residual weak points and methods to bypass the implemented mitigations.


- Once successful, attackers scanned for vulnerable SharePoint servers and launched targeted RCE attacks.


- Upon gaining code execution, they accessed internal .NET methods to extract the server’s MachineKey, including its ValidationKey.


- With this key, attackers could craft valid __VIEWSTATE payloads, gain elevated privileges, and persist further RCE access across authenticated endpoints.



✅ Recommended Threat Detection and Mitigation Actions:


- Update detection rules and enable continuous monitoring for related activity.


- Apply the latest security updates:
  - SharePoint Server Subscription Edition 16.0.18526.20508 or later
  - SharePoint Server 2019 16.0.10417.20037 or later


- If immediate patching is not feasible, apply the following mitigations:
  - Filter POST requests to /_layouts/15/ToolPane.aspx when the HTTP Referer is /_layouts/SignOut.aspx
  - If exploitation is suspected, reset all potentially compromised credentials
  - Follow Microsoft’s remediation guidelines thoroughly



🧑‍💻 Report Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request and for QUAXAR subscribers.


News Highlights
Weekly Darkweb in July W4
2025.07.30
Previous
News Highlights
Weekly Darkweb in July W5
2025.08.06
Next
List