Remote Code Execution in Microsoft SharePoint (CVE-2025-53770) — API Security

On July 19, 2025, a critical remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, CVE-2025-53770 (also referred to as ToolShell), was publicly disclosed. It lets an unauthenticated attacker execute arbitrary code through insecure deserialization. SharePoint Online in Microsoft 365 is not affected. Given how widely on-premises SharePoint is deployed and exposed to the internet, and with active exploitation confirmed in the wild, the risk of compromise is substantial.

Vulnerability Overview

CVE-2025-53770 is a deserialization flaw in on-premises SharePoint Server that is reached through the endpoint:

/_layouts/15/ToolPane.aspx

A crafted POST to that page with the Referer header set to /_layouts/SignOut.aspx is not subjected to SharePoint's normal authentication check, so the attacker-supplied web part in the request body is deserialized unauthenticated and its payload executes. In observed attacks the payload writes a small .aspx page (spinstall0.aspx) that reads the server's ASP.NET machine keys (ValidationKey and DecryptionKey) and returns them to the attacker. With those keys the attacker can sign arbitrary __VIEWSTATE data that the server accepts as legitimate, a foothold that survives the patch until the keys are rotated.

This vulnerability falls under “OWASP A08:2021 – Software and Data Integrity Failures” because of its insecure deserialization. The attack chain combines two vulnerabilities Microsoft patched in the July 2025 Patch Tuesday release: CVE-2025-49706, the authentication bypass via the Referer header, and CVE-2025-49704, the deserialization RCE. CVE-2025-53770 is a variant that bypasses the fix for CVE-2025-49704, which is why servers that had applied the July updates remained exploitable.

CVE-2025-53770 is classified as a critical pre-authentication remote code execution vulnerability with a CVSS base score of 9.8: reachable over the network, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability.

Exploitation in the Wild

Exploit Mechanics

The root cause lies in insecure deserialization via ViewState, specifically the injection of a malicious control such as:

This payload runs when SharePoint deserializes the posted web part; the initial compromise does not require the machine keys. The keys matter afterwards: once extracted, they let the attacker produce ViewState that passes MAC validation, so attacker-controlled gadgets run on any later request even after the server is patched. Below is a truncated exploit example via curl (the web part payload carried in MSOTlPn_DWP is omitted):

curl -sk -X POST 'https://victim.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx' -H 'Referer: /_layouts/SignOut.aspx' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'MSOTlPn_Uri=https://malicious.com' --data-urlencode 'MSOTlPn_DWP='  
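Detection logic for the request signature described above and for the dropped webshell file, as an added example that is not part of the original post and not Wallarm's rule set. It parses IIS W3C extended logs (the sample lines are constructed for this example) and walks the SharePoint LAYOUTS directories for spinstall0.aspx; the hive paths under DEFAULT_LAYOUTS_DIRS are assumptions and should be adjusted to the installation being checked.

```python
"""Hunt for CVE-2025-53770 (ToolShell) traces in IIS logs and on disk.

Added example, not code from the original post. Log parsing follows the IIS
W3C extended format, using the #Fields directive for column names.
"""
import os
from urllib.parse import parse_qs, unquote

# Constructed sample log (not real traffic). Line 2 is the unauthenticated
# ToolPane POST with the SignOut Referer, line 3 a hit on the dropped webshell,
# line 4 a legitimate authenticated edit that must NOT be flagged.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 03:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 https://sp.example.local/ 200
2025-07-20 03:14:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 python-requests/2.32 /_layouts/SignOut.aspx 200
2025-07-20 03:14:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-20 03:20:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.12 Mozilla/5.0 https://sp.example.local/_layouts/15/settings.aspx 200
"""

FIELDS_DIRECTIVE = "#Fields:"


def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names from the #Fields directive."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(FIELDS_DIRECTIVE):
            fields = line[len(FIELDS_DIRECTIVE):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # IIS writes exactly one space per field
        if len(values) != len(fields):
            continue  # malformed line, skip rather than mis-assign columns
        yield dict(zip(fields, values))


def is_toolpane_abuse(entry):
    """ToolShell request signature: POST to ToolPane.aspx in edit mode with the
    SignOut page as Referer (the authentication-bypass trick)."""
    stem = entry.get("cs-uri-stem", "").lower()
    referer = unquote(entry.get("cs(Referer)", "")).lower()
    query = parse_qs(entry.get("cs-uri-query", ""))  # '-' parses to {}
    modes = [v.lower() for v in query.get("DisplayMode", [])]
    return (
        entry.get("cs-method") == "POST"
        and stem.endswith("/toolpane.aspx")
        and referer.endswith("/_layouts/signout.aspx")
        and "edit" in modes
    )


def is_webshell_access(entry):
    """Any request for spinstall0.aspx, the dropped page named in the advisory."""
    return os.path.basename(entry.get("cs-uri-stem", "")).lower() == "spinstall0.aspx"


def hunt_iis_log(log_text):
    """Return findings as (kind, client_ip, 'date time') tuples in log order."""
    findings = []
    for e in parse_w3c(log_text):
        when = f"{e.get('date')} {e.get('time')}"
        if is_toolpane_abuse(e):
            findings.append(("toolpane_referer_bypass", e.get("c-ip"), when))
        if is_webshell_access(e):
            findings.append(("spinstall0_webshell_hit", e.get("c-ip"), when))
    return findings


# Assumed drop locations (SharePoint 15 and 16 hives); adjust for your farm.
DEFAULT_LAYOUTS_DIRS = [
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
]


def find_webshell_files(roots=DEFAULT_LAYOUTS_DIRS, names=("spinstall0.aspx",)):
    """Walk the LAYOUTS hives for known dropped filenames (case-insensitive)."""
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # silently empty if root is absent
            hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return hits


if __name__ == "__main__":
    for kind, ip, when in hunt_iis_log(SAMPLE_IIS_LOG):
        print(f"{when}  {kind:<24} client={ip}")
    for path in find_webshell_files():
        print("webshell on disk:", path)
```

Run it against exported IIS logs from every web front end in the farm, not just the one behind the load balancer, and treat a single toolpane_referer_bypass hit as confirmed exploitation attempt: the Referer value has no legitimate reason to appear on a ToolPane POST.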

Wallarm Response and Observed Exploitation

Wallarm deployed detection rules shortly after disclosure to identify and block exploitation attempts of CVE-2025-53770. Within hours, Wallarm customers were protected. The rules detect crafted ViewState payloads and abnormal access to the vulnerable endpoint.

Wallarm detected immediate spikes in exploit attempts following the public disclosure:

A line graph showing the increase in attacks detected by Wallarm starting July 20 and peaking on July 22

These figures show rapid adoption of the exploit code by threat actors. Public repositories on GitHub have already published working proof-of-concept payloads, lowering the bar for exploitation even further.

Mitigation

Wallarm recommends clients:

  • Apply Microsoft's security updates for CVE-2025-53770 on every supported on-premises SharePoint Server (2016, 2019 and Subscription Edition); the July Patch Tuesday fix for CVE-2025-49704 alone is not sufficient
  • Rotate the ASP.NET machine keys after patching and restart IIS on every server in the farm; keys already stolen remain valid against a patched server until they are replaced
  • Inspect systems for indicators of compromise, in particular spinstall0.aspx under the LAYOUTS directory and POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx
  • Isolate or take offline any internet-facing SharePoint instance that cannot be patched immediately

This layered defense ensures both proactive mitigation and forensic readiness.

Conclusion

CVE-2025-53770 is an example of the critical risks posed by pre-authentication RCE vulnerabilities in widely exposed platforms like Microsoft SharePoint. While patching and key rotation are essential, they alone are not sufficient to defend against rapidly evolving threats.

A Web Application and API Protection (WAAP) solution is vital to a multilayered security strategy, providing virtual patching, real-time threat detection, and attack surface protection, especially during the high-risk period between disclosure and remediation. Wallarm’s rapid response to this vulnerability illustrates how WAAP can effectively close the gap, blocking exploit attempts before they impact critical systems.

Risk Summary

  • Pre-auth RCE with high reliability
  • Targets a widely-used enterprise collaboration platform
  • Potential for data theft, lateral movement, and persistence

Public Exposure: Shodan Insights

As of publication, Shodan search results show 16,405 internet-facing SharePoint instances, many of which are likely vulnerable. This highlights the scale of exposure and the urgency of remediating public deployments.

A screenshot from Shodan showing the number of detected instances of Sharepoint.
