1. Executive Summary
CVE-2025-53770 is a critical deserialisation-of-untrusted-data vulnerability in on-premises Microsoft SharePoint Server that enables unauthenticated remote code execution (RCE) over the network. Microsoft confirmed the issue was exploited in the wild as a zero-day, and multiple government and CERT bodies issued urgent mitigation guidance, including key rotation and isolation of exposed servers where patching/AMSI is not feasible. (NVD)
Microsoft’s investigation attributed active exploitation to China-linked threat actors (including Linen Typhoon and Violet Typhoon) and observed a separate China-based cluster (Storm-2603) using the chain to deploy ransomware in some intrusions. (Microsoft)
This activity was tied to an exploit chain commonly referred to as “ToolShell”, with emergency/out-of-band guidance and updates issued in July 2025 following partial fixes in the regular July Patch Tuesday cycle for related vulnerabilities. (Microsoft)
2. Contextual Background
2.1 Nature of the threat (vulnerability details)
- CVE-2025-53770: Deserialisation of untrusted data in on-premises SharePoint Server enabling unauthorised RCE over a network; Microsoft acknowledged exploitation exists in the wild. (NVD)
- Severity: A widely reported CVSS v3 score of 9.8 (Critical). (NHS England Digital)
- Related chain: Reporting and defensive guidance consistently discuss ToolShell as an attack chain involving CVE-2025-53770 and CVE-2025-53771, with CVE-2025-53770 described as addressing a partial fix for CVE-2025-49704 shipped in the scheduled July 2025 updates. (NHS England Digital)
2.2 Threat-actor attribution (confidence)
- Confirmed (per Microsoft reporting): Microsoft stated it observed Linen Typhoon and Violet Typhoon exploiting the vulnerabilities against internet-facing SharePoint servers, and also tracked exploitation by Storm-2603. (Microsoft)
- Likely (corroborated by third-party telemetry): Unit 42 reported infrastructure overlaps between an exploitation cluster it tracks and Microsoft’s Storm-2603 activity. (Unit 42)
2.3 Sector and geographic targeting
- Public reporting described broad targeting across US government, critical sectors, and organisations globally, consistent with mass-scanning and opportunistic exploitation patterns typical of high-impact perimeter RCE chains. (AP News)
- UK guidance explicitly urged UK organisations to take immediate action for affected SharePoint Server products (on-premises), reflecting international concern about exposed deployments. (NHS England Digital)
3. Technical Analysis
3.1 Exploitation flow and observed TTPs (mapped to ATT&CK)
Observed attack pattern (high level):
- Reconnaissance / validation of vulnerable SharePoint endpoints (e.g., requests to SharePoint layout paths) prior to exploitation attempts. (Unit 42)
- Unauthenticated exploitation leading to web shell deployment (notably spinstall0.aspx and variants), enabling extraction of SharePoint MachineKey material and follow-on access. (Microsoft)
- Post-exploitation activity including command execution from IIS worker context, discovery, persistence mechanisms (scheduled tasks/IIS component manipulation), credential theft, lateral movement, and in some cases ransomware deployment. (Microsoft)
MITRE ATT&CK technique mapping (examples from Microsoft’s observed behaviours):
- Initial access / exploitation: T1190 (Exploit Public-Facing Application) (Microsoft)
- Web shell: T1505.003 (Server Software Component: Web Shell) (Microsoft)
- Command execution: T1059.003 (Windows Command Shell) and T1059.001 (PowerShell) (Microsoft)
- Persistence: T1053.005 (Scheduled Task) (Microsoft)
- Defence evasion (registry modification to impair defences): T1112 (Modify Registry) (Microsoft)
- Credential access: T1003.001 (OS Credential Dumping: LSASS Memory) (Microsoft)
- Lateral movement tooling referenced by Microsoft: T1021.002 (SMB/Windows Admin Shares; commonly associated with PsExec-style movement) (Microsoft)
- Impact (ransomware): T1486 (Data Encrypted for Impact) (Microsoft)
3.2 Exploitation status and PoC considerations
- Active exploitation confirmed: Microsoft explicitly stated exploitation was observed, and NVD reflects Microsoft’s statement that an exploit exists in the wild. (Microsoft)
- CISA KEV inclusion: CISA announced addition of CVE-2025-53770 to the Known Exploited Vulnerabilities catalogue (confirmation of in-the-wild exploitation for federal prioritisation). (cisa.gov)
- PoC / public discussion: Third-party reporting indicates exploit information and/or PoC discussion emerged rapidly, contributing to scanning and copy-cat activity; treat any PoC handling as high risk and restrict to controlled testing. (Censys)
4. Impact Assessment
4.1 Severity and scope
- Severity: Critical (CVSS 9.8 cited in UK healthcare-sector alerting) with unauthenticated RCE potential. (NHS England Digital)
- Operational impact: Compromise can extend beyond SharePoint, as attackers may leverage stolen key material and on-host execution to pivot, harvest credentials, and deploy ransomware. (Microsoft)
4.2 Victim profile
- Primary risk concentrates in organisations running internet-facing on-premises SharePoint (2016/2019/Subscription Edition). Cloud SharePoint Online is repeatedly described as not impacted in national guidance. (Canadian Centre for Cyber Security)
5. Indicators of Compromise (IOCs)
5.1 IOC table (only values explicitly published by reputable sources)
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| File (web shell) | spinstall0.aspx (and variants: spinstall.aspx, spinstall1.aspx, etc.) | Malicious script uploaded post-exploitation to retrieve MachineKey data | Microsoft Security Blog (Microsoft) |
| File hash (SHA-256) | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | Hash of spinstall0.aspx web shell | Microsoft Security Blog / Unit 42 overlap (Microsoft) |
| Domain (C2) | update[.]updatemicfosoft[.]com | C2 referenced for a web shell variant that uses HTTP/curl for command retrieval/execution | Microsoft Security Blog (Microsoft) |
| IP address (C2) | 65.38.121[.]198 | C2 IP referenced in observed activity associated with an “xd.exe” reverse proxy tool | Microsoft Security Blog (Microsoft) |
| File | IIS_Server_dll.dll | IIS backdoor file name attributed to Storm-2603 activity | Microsoft Security Blog (Microsoft) |
| File | debug_dev.js | File containing web config data including MachineKey | Microsoft Security Blog (Microsoft) |
| File path | \15\TEMPLATE\LAYOUTS\debug_dev.js and \16\TEMPLATE\LAYOUTS\debug_dev.js | Paths referenced for stolen web configs/MachineKey data | Microsoft Security Blog (Microsoft) |
| IP addresses (suspected exploitation infra) | 96.9.125[.]147, 107.191.58[.]76, 104.238.159[.]149 | IPs observed by Unit 42 delivering payloads / web shell activity in exploitation cluster CL-CRI-1040 | Unit 42 (Unit 42) |
Note: CISA also referenced releasing a Malware Analysis Report (MAR) covering multiple related files across the SharePoint ToolShell chain; consult that MAR for additional hashes/artefacts if accessible in your environment. (cisa.gov)
5.2 Detection guidance (practical hunting)
- Look for web-shell drops in SharePoint layouts directories, especially filenames containing spinstall, spupdate, or related patterns; Microsoft published Defender hunting guidance to identify suspicious file creation and encoded PowerShell spawned from IIS worker processes. (Microsoft)
- Microsoft Defender detections for related components/behaviours include signatures such as Trojan:PowerShell/MachineKeyFinder.DA!amsi and SharePoint-specific detections noted in Microsoft’s customer guidance. (Microsoft)
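The hunting step above, as an added example that is not part of the original report or Microsoft's guidance: a small IIS W3C log parser that flags requests to the layouts path for the ToolShell filenames listed in the IOC table. The filename regexes, the `/_layouts/15|16/` URL mapping of the on-disk LAYOUTS folders, and the sample log are my own assumptions and constructions.

```python
import re

# Filenames published for the ToolShell chain (see the IOC table above). The regexes are my own
# generalisation of "spinstall0.aspx and variants", not Microsoft's detection logic.
SUSPECT_NAMES = [
    re.compile(r"^spinstall\d*\.aspx$", re.I),  # spinstall.aspx, spinstall0.aspx, spinstall1.aspx ...
    re.compile(r"^spupdate[^/]*$", re.I),       # "spupdate" variants named in the hunting guidance
    re.compile(r"^debug_dev\.js$", re.I),       # file used to stash web.config / MachineKey data
]
# On disk, \15\TEMPLATE\LAYOUTS and \16\TEMPLATE\LAYOUTS are served as /_layouts/15/ and /_layouts/16/.
LAYOUTS_RE = re.compile(r"^/_layouts/(?:1[56]/)?([^/?]+)$", re.I)

def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log text, using the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines rather than misalign columns
                yield dict(zip(fields, parts))

def hunt_webshell_requests(lines):
    """Return (timestamp, client ip, method, uri, status) for layouts requests to suspect names.
    A 404 for one of these names still matters: it is a probe for a web shell that is not there."""
    hits = []
    for row in parse_w3c(lines):
        m = LAYOUTS_RE.match(row.get("cs-uri-stem", ""))
        if m and any(p.match(m.group(1)) for p in SUSPECT_NAMES):
            hits.append((f'{row["date"]} {row["time"]}', row["c-ip"], row["cs-method"],
                         row["cs-uri-stem"], row["sc-status"]))
    return hits

# Constructed sample log (not real telemetry); client IPs are from documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-19 10:01:25 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 200
2025-07-19 10:01:26 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 200
2025-07-19 10:02:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 200
2025-07-19 10:03:41 10.0.0.5 GET /_layouts/16/debug_dev.js - 443 - 203.0.113.10 200
2025-07-19 10:04:02 10.0.0.5 GET /_layouts/15/spinstall.aspx - 443 - 198.51.100.7 404
""".splitlines()

if __name__ == "__main__":
    for hit in hunt_webshell_requests(SAMPLE_LOG):
        print(*hit)
```

Point `hunt_webshell_requests` at the real `u_ex*.log` files under the IIS log directory and pivot on the client IPs it returns; the 404 row shows why status codes should not be used as a filter.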
6. Incident Response Guidance
6.1 Containment, eradication, recovery (priority order)
- Patch immediately across all supported on-prem SharePoint versions identified by Microsoft guidance and national cyber advisories. (Microsoft)
- Enable and correctly configure AMSI (Full Mode) and deploy an AV/EDR (Microsoft highlights Defender capabilities; equivalent products acceptable) to block unauthenticated exploitation and detect post-exploitation tooling. (Microsoft)
- Rotate SharePoint ASP.NET MachineKeys and restart IIS after patching/AMSI enablement (or, if AMSI cannot be enabled, rotate keys after installing the security update as directed). (Microsoft)
- If you cannot patch or deploy AMSI, disconnect public-facing SharePoint servers from the internet (or gate behind authenticated access/VPN) until remediation is complete. (Microsoft)
- Treat exposed instances as potentially compromised where guidance indicates “assume compromise” conditions (e.g., internet accessible during the peak exploitation window) and proceed with full IR actions. (NHS England Digital)
6.2 Forensic artefacts to collect
- IIS logs, SharePoint ULS logs, Windows Event Logs (Security/System/Application), and file-system triage of SharePoint web directories for anomalous .aspx files and unusual DLLs (including filenames referenced above). (Microsoft)
- Evidence of w3wp.exe spawning cmd.exe/PowerShell with encoded commands; suspicious scheduled tasks; registry changes consistent with disabling Defender/AV. (Microsoft)
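The process-lineage evidence described above, as an added example that is not part of the original report: a triage routine over process-creation events that flags shells spawned by w3wp.exe and decodes any -EncodedCommand argument so the analyst sees the payload rather than a base64 blob. The Sysmon-style field names (UtcTime, ParentImage, Image, CommandLine), the abbreviation list for the PowerShell flag, and the sample events are my own assumptions and constructions.

```python
import base64
import binascii
import re

# Lineage described in Microsoft's ToolShell reporting: the IIS worker process spawning a shell.
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def hunt_iis_child_shells(events):
    """Flag shells whose parent is w3wp.exe; an encoded command raises severity and is decoded
    so the analyst sees the real payload instead of a base64 blob."""
    findings = []
    for ev in events:
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent != IIS_WORKER or child not in SHELLS:
            continue
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        findings.append({"time": ev.get("UtcTime"), "child": child, "cmdline": ev.get("CommandLine", ""),
                         "decoded": decoded, "severity": "high" if decoded is not None else "medium"})
    return findings

# Constructed process-creation events with Sysmon Event ID 1 style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-07-19 10:01:26", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -EncodedCommand " + base64.b64encode("whoami".encode("utf-16-le")).decode()},
    {"UtcTime": "2025-07-19 10:05:00", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c schtasks /query"},
    {"UtcTime": "2025-07-19 10:06:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in hunt_iis_child_shells(SAMPLE_EVENTS):
        print(f["severity"], f["time"], f["child"], f["decoded"] or f["cmdline"])
```

Feed it Security 4688 or Sysmon Event ID 1 records exported from the SharePoint servers; a decoded payload that writes into a LAYOUTS directory or references the MachineKey is the artefact to preserve first.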
6.3 Lessons learned
- Reduce exposure of on-prem SharePoint (limit internet exposure; enforce authenticated gateways), operationalise rapid emergency patching, and pre-stage incident playbooks for “internet-facing RCE” scenarios. (Microsoft)
7. Threat Intelligence Contextualisation
7.1 Comparisons with similar incidents
- The campaign exhibits the familiar pattern of rapid weaponisation, mass scanning of exposed perimeter services, and post-exploitation monetisation (ransomware) alongside state-linked intrusion activity—a blend Microsoft explicitly noted by observing both nation-state actors and a ransomware-deploying cluster. (Microsoft)
7.2 Full ATT&CK mapping table (observed behaviours)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Unauthenticated exploitation of internet-facing on-prem SharePoint |
| Persistence | T1505.003 | Server Software Component: Web Shell | spinstall0.aspx web shell and variants dropped into SharePoint paths |
| Execution | T1059.001 | PowerShell | Encoded PowerShell used to write/operate web shell payloads |
| Execution | T1059.003 | Windows Command Shell | cmd.exe used for hands-on command execution post-compromise |
| Defence Evasion | T1112 | Modify Registry | Registry modifications described to disable Defender protections |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Mimikatz targeting LSASS for credential theft |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares | PsExec-style movement and Impacket usage described |
| Impact | T1486 | Data Encrypted for Impact | Ransomware deployment observed in some intrusions |
8. Mitigation Recommendations
8.1 Hardening and configuration
- Ensure AMSI integration is enabled and set to Full Mode and verify AV exclusions do not blind scanning of SharePoint/IIS directories. (Microsoft)
- Minimise internet exposure: place SharePoint behind authenticated reverse proxies/VPN; restrict inbound management; enforce MFA for administrative access paths. (Microsoft)
- EDR in block mode (or equivalent), plus monitoring for suspicious IIS worker behaviour and web-shell indicators in SharePoint layouts. (Microsoft)
8.2 Patch management advice
- Highest priority: patch CVE-2025-53770 immediately due to confirmed exploitation and critical severity; follow Microsoft’s and national guidance for supported SharePoint versions and validate the installed KB level. (Microsoft)
- Key rotation is not optional: rotate ASP.NET MachineKeys after patching/AMSI enablement to reduce risk of attacker persistence via stolen key material. (Microsoft)
9. Historical Context & Related Vulnerabilities
- UK-sector alerting linked CVE-2025-53770/53771 to earlier July 2025 scheduled SharePoint fixes, describing CVE-2025-53770 as addressing a partial fix for CVE-2025-49704 and CVE-2025-53771 as addressing a partial fix for CVE-2025-49706. (NHS England Digital)
- This pattern—partial fixes followed by rapid exploit adaptation—reinforces the need to treat follow-on CVEs in the same product family as “hot” and patch quickly, even when you believe you are already covered. (NHS England Digital)
10. Future Outlook
- Expect continued scanning for exposed on-prem SharePoint servers and rapid churn in payload filenames and infrastructure as defenders publish detections—Unit 42 observed attackers adjusting payloads over a short window. (Unit 42)
- Given Microsoft’s observation of both espionage-aligned actors and ransomware deployment, anticipate dual-use exploitation: stealthy persistence/key theft for long-term access alongside smash-and-grab monetisation in opportunistic compromises. (Microsoft)
11. Further Reading
- Microsoft guidance and response:
- Government / national cyber guidance:
  - CISA alerting on CVE-2025-53770 KEV addition (cisa.gov)
  - Canadian Centre for Cyber Security advisory (CVE-2025-53770) (Canadian Centre for Cyber Security)
  - NHS England Cyber Alert (CC-4683) with remediation steps and fixed versions (NHS England Digital)
- Independent CTI analysis:
  - Unit 42 analysis of active SharePoint exploitation (CVE-2025-53770) (Unit 42)
