
CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation



[Banner: Tenable Research Special Operations "ADVISORY" graphic, captioned "Frequently Asked Questions (FAQ)".]

Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution.

Update July 20: The blog has been updated to include an additional CVE (CVE-2025-53771) as well as preliminary coverage details for SharePoint Subscription Edition and SharePoint Server 2019.


Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day SharePoint Server vulnerability that has been exploited in the wild.

FAQ

When was the SharePoint exploitation first disclosed?

On July 19, reports emerged that Microsoft SharePoint Servers around the world were under active exploitation. Researchers at Eye Security published a blog post detailing their identification of an “active, large-scale exploitation” that was initially linked to a pair of vulnerabilities in SharePoint dubbed ToolShell.

What are the vulnerabilities associated with ToolShell?

ToolShell was the name given to a pair of vulnerabilities used as part of an exploit chain in SharePoint Server disclosed at Pwn2Own Berlin by security researcher Dinh Ho Anh Khoa of Viettel Cyber Security.

CVE            | Description                                                   | CVSSv3
CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability            | 6.3
CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability      | 8.8

Was ToolShell actually used in these attacks?

No. On July 19, Microsoft published a blog post that assigned a new CVE identifier to the zero-day vulnerability used in the attacks detailed by Eye Security.

CVE            | Description                                                         | CVSSv3
CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability     | 9.8

According to Microsoft, CVE-2025-53770 is a “variant” of one of the ToolShell vulnerabilities, CVE-2025-49706.

Following the publication of our FAQ blog on July 20, Microsoft updated its blog post, creating an additional CVE:

CVE            | Description                                          | CVSSv3
CVE-2025-53771 | Microsoft SharePoint Server Spoofing Vulnerability   | 6.3

Microsoft says that both CVE-2025-53770 and CVE-2025-53771 were created to provide “more robust protections” than CVE-2025-49704 and CVE-2025-49706.

How severe is the exploitation of CVE-2025-53770?

Successful exploitation of CVE-2025-53770 could grant an attacker the ability to obtain MachineKey configuration details from a vulnerable SharePoint Server to create specially crafted requests that could enable unauthenticated remote code execution.

How widespread are the attacks exploiting CVE-2025-53770?

A post from The Shadowserver Foundation on X confirmed that at least 9,300 SharePoint servers were publicly accessible as of July 20. Note, however, that not all of those 9,300 servers are considered vulnerable.

Has CVE-2025-53771 been exploited in the wild?

As of July 20, Microsoft’s advisory for CVE-2025-53771 does not include any references to exploitation. If that changes, we will update this blog.

Which threat actors are exploiting CVE-2025-53770?

As of July 20, we do not have any details about the threat actors exploiting CVE-2025-53770.

Is there a proof-of-concept (PoC) available for these vulnerabilities?

There is no PoC available for CVE-2025-53770. However, it is known to be a variant of CVE-2025-49706, one of the CVEs in the ToolShell chain. Researchers at CODE WHITE GmbH were able to reproduce the chain and disclosed this confirmation on X (formerly Twitter) on July 14.

Additionally, security researcher Soroush Dalili was able to work alongside Google’s Gemini to help identify the Microsoft SharePoint authentication bypass (CVE-2025-49706).

Are patches or mitigations available for CVE-2025-53770 and CVE-2025-53771?

On July 20, Microsoft released patches for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019 that address both CVE-2025-53770 and CVE-2025-53771. The ToolShell exploit chain was patched as part of Microsoft’s July 2025 Patch Tuesday.

Microsoft’s blog post provides mitigation instructions, which include configuring AMSI integration on SharePoint Servers where it is not enabled by default, and deploying Defender Antivirus on all SharePoint servers.

Are there any indicators of compromise for exploitation of CVE-2025-53770?

Yes. The blog post published by Eye Security includes several indicators of compromise (IoCs), among them known IP addresses and user-agent strings.

One key indicator of compromise is the creation of a file named spinstall0.aspx on vulnerable SharePoint Servers. This file is used to obtain the MachineKey configuration details.
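The two checks a defender would want for the indicator above are a search of the SharePoint host for the dropped file and a search of IIS request logs for anyone fetching it. The script below is an added example written for this FAQ; it is not code from Tenable, Microsoft or Eye Security. The IIS log lines are constructed for illustration, and the `/_layouts/15/` location of the file is an assumption (the FAQ names only the file name, not where it is written), so the file-system scan matches on the file name alone.

```python
"""Triage helpers for the spinstall0.aspx indicator (added example, not from the FAQ)."""
import os
from pathlib import PurePath

# File name the FAQ identifies as a key indicator of compromise.
IOC_FILENAME = "spinstall0.aspx"

# Constructed IIS W3C log excerpt (not real traffic). The "#Fields:" header
# is included so the parser can map columns by name instead of by position.
# The /_layouts/15/ path for the IoC file is an assumption for this example.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-19 10:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 10:05:00 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per data line of a W3C extended log, keyed by field name."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))


def _is_ioc_name(path, ioc_filename):
    """Case-insensitive match on the final path component only."""
    return PurePath(path).name.lower() == ioc_filename.lower()


def find_ioc_requests(log_text, ioc_filename=IOC_FILENAME):
    """Return every request whose URI stem names the IoC file."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if _is_ioc_name(stem, ioc_filename):
            hits.append({
                "when": f"{rec.get('date', '')} {rec.get('time', '')}",
                "client_ip": rec.get("c-ip", ""),
                "uri": stem,
                "user_agent": rec.get("cs(User-Agent)", ""),
                "status": rec.get("sc-status", ""),
            })
    return hits


def find_ioc_files(paths, ioc_filename=IOC_FILENAME):
    """Filter an iterable of file paths down to those named like the IoC file."""
    return [p for p in paths if _is_ioc_name(p, ioc_filename)]


def scan_tree(root, ioc_filename=IOC_FILENAME):
    """Walk a directory tree (e.g. the SharePoint web root) for the IoC file."""
    def all_files():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return find_ioc_files(all_files(), ioc_filename)


if __name__ == "__main__":
    for hit in find_ioc_requests(SAMPLE_IIS_LOG):
        print("request for IoC file:", hit)
    # Point this at the SharePoint installation root on a real host.
    for path in scan_tree("."):
        print("IoC file present on disk:", path)
```

Absence of a hit in either check is not proof of a clean host: IIS logging may be disabled or rotated, and an attacker can delete the file after use, so treat these as a first-pass triage rather than a verdict.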

Has Tenable released any product coverage for these vulnerabilities?

When this blog was published on July 20, there were no patches available for CVE-2025-53770. However, Microsoft has since released some patches for CVE-2025-53770 and CVE-2025-53771. A list of Tenable plugins can be found on the individual CVE pages as they’re released:

The ToolShell vulnerabilities (CVE-2025-49704, CVE-2025-49706) were patched as part of Microsoft’s July Patch Tuesday release. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, Tenable Attack Surface Management customers can identify external-facing assets by leveraging the built-in subscription labeled Microsoft Sharepoint Server - v1.

[Screenshot: Tenable Attack Surface Management "Add Subscriptions" dialog showing the Microsoft Sharepoint Server - v1 subscription.]

Get more information

Change Log

Update July 20: The blog has been updated to include an additional CVE (CVE-2025-53771) as well as preliminary coverage details for SharePoint Subscription Edition and SharePoint Server 2019.
