Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks
CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState abuse.
Save to Folio
Key takeaways
- CVE-2025-53770 and CVE-2025-53771 are vulnerabilities affecting on-premise Microsoft SharePoint Servers, which enables an attacker to upload malicious files and extract cryptographic secrets.
- These vulnerabilities are evolutions of previously patched flaws (CVE-2025-49704 and CVE-2025-49706), for which initial vendor-provided remediation was incomplete, enabling attackers to achieve unauthenticated RCE attacks through advanced deserialization techniques and ViewState abuse.
- We have observed exploit attempts across a wide range of industries, including finance, education, energy, and healthcare.
- Microsoft has released security updates for SharePoint Subscription Edition and Server 2019, while a patch for Server 2016 is pending. Trend Micro™ TippingPoint™ customers have been protected from these attacks since May 2025.
Overview
CVE-2025-53770 and CVE-2025-53771 are a pair of vulnerabilities affecting Microsoft SharePoint Servers. Attacks exploiting CVE-2025-53770 in the wild were first reported by Eye Security on July 18; these vulnerabilities are currently being actively exploited to compromise on-premises SharePoint environments worldwide. Trend™ Research has independently verified these findings.
Both of these flaws build on CVE-2025-49706 and CVE-2025-49704, the initial vulnerabilities in Microsoft SharePoint that were disclosed during Pwn2Own Berlin 2025 by Viettel Cyber Security as part of a chained attack. These were patched as part of the July 2025 Patch Tuesday cycle. However, further analysis revealed that the initial patches were not fully complete, which necessitated the release of CVE-2025-53770 and CVE-2025-53771.
Microsoft acknowledged these issues in a security bulletin first published on July 19, when patches were made available for SharePoint Subscription Edition and 2019. Meanwhile, a patch for SharePoint 2016 is forthcoming as of writing. The patch for CVE-2025-53770 provides a more comprehensive fix for CVE-2025-49704, while CVE-2025-53771 does the same for CVE-2025-49706.
TippingPoint customers have been protected against these related vulnerabilities since May, as part of the discoveries made at Pwn2Own Berlin. These discoveries became CVE-2025-49704 and CVE-2025-49706 when coordinated disclosure was done with Microsoft.
Description
Attackers exploiting CVE-2025-53770 in on-premise Sharepoint servers aim to target the /layouts/15/ToolPane.aspx endpoint, which is initiated through a specially crafted HTTP request featuring a unique Referer header /_layouts/SignOut.aspx to circumvent authentication mechanisms, which results in the uploading of a malicious .aspx file. The weaponized file, named spinstall0.aspx, extracts cryptographic secrets from the SharePoint instance.
Upon extracting these secrets, the threat actors generate valid and signed __VIEWSTATE payloads, which enable unauthenticated RCE attacks. This exploitation chain makes use of multiple vulnerabilities, including CVE-2025-49706 and CVE-2025-49704.
How the exploit unfolds
The observed attack progresses through the following stages:
Attackers exploit the /layouts/15/ToolPane.aspx endpoint using a carefully crafted HTTP request and a specific Referer header value of /_layouts/SignOut.aspxto bypass authentication controls.
A malicious ASPX file (spinstall0.aspx) is uploaded to the server. The file is intended to extract sensitive cryptographic secrets from the SharePoint environment.
The malicious spinstall0.aspx extracts the server’s MachineKey configuration, which includes the ValidationKey, which is critical for generating valid __VIEWSTATE payloads.
Using the stolen cryptographic secrets, the attackers employ tools such as ysoserial can generate valid serialized, __VIEWSTATE objects, which are then deserialized by SharePoint, enabling unauthenticated remote code execution.
Note that the file spinstall0.aspx has been observed at the following path:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0[.]aspx.
Technical Details
The malicious ASPX files employ reflective code loading through the System.Reflection.Assembly.Load() C# method (TT1620) to expose machineKey settings from web.config. Although these files do not directly execute additional code, they leak keys used for authentication and ViewState security, significantly increasing the risks of token forgery and data tampering.
The Scorecard:ExcelDataSet control in SharePoint can embed a base64-encoded CompressedDataTable payload within a malicious ViewState object—often crafted using tools like ysoserial—leading to remote code execution via deserialization.
The decoded ViewState payloads reference system objects and may execute PowerShell commands. For example, a PowerShell script can be used to decode a base64 string and write its contents to spinstall0.aspx in the SharePoint LAYOUTS directory.
The web shell scripts, written in C#, uses internal .NET classes to access SharePoint’s MachineKeySection. This facilitates the extraction of critical cryptographic configuration values, including ValidationKey, DecryptionKey, Decryption, and CompatibilityMode.