On July 19, 2025, Microsoft Security Response Center published advisory MSRC CVE-2025-53770 disclosing a critical deserialization-of-untrusted-data vulnerability in on-premises Microsoft SharePoint Server. CISA added the CVE to its Known Exploited Vulnerabilities catalog on July 20, 2025, naming the active campaign "ToolShell" after the /ToolPane.aspx endpoint targeted by exploit traffic. By July 22, Eye Security and Microsoft Threat Intelligence had documented compromises at more than 75 organizations globally across government, energy, education, and finance. SharePoint Online is not affected — this is an on-prem-only emergency, but for the thousands of enterprises still running SharePoint Subscription Edition, 2019, or 2016 on-prem, it is the most urgent patch event of the year.
What does the vendor advisory say?
Microsoft describes CVE-2025-53770 as a spoofing + unsafe deserialization chain that allows an unauthenticated remote attacker to send a crafted POST request to the SharePoint Web Services and execute arbitrary code in the context of the SharePoint application pool identity (typically NT AUTHORITY\IUSR or a domain service account). The CVSS v3.1 base score is 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The MSRC advisory explicitly notes that exploitation can extract the SharePoint machine keys (ValidationKey and DecryptionKey from MachineKey.config), which means that even after patching, attackers who pre-stole the keys can still forge __VIEWSTATE payloads and re-enter the environment. Microsoft therefore mandates a two-step remediation: (1) install the cumulative KB update, (2) rotate the machine keys and reset IIS.
Which versions are affected and which are patched?
Affected products and the corresponding July 2025 fix packages:
- SharePoint Server Subscription Edition — install KB5002768 (build 16.0.18526.20424)
- SharePoint Server 2019 — install KB5002754 (build 16.0.10417.20027)
- SharePoint Server 2016 — install KB5002760 (build 16.0.5508.1000) shipped on July 22 after Microsoft initially had no SharePoint 2016 patch available at disclosure
SharePoint Foundation 2013 reached end-of-life in April 2023 and will not receive a patch — Microsoft's guidance for any SharePoint 2013 instance still online is to disconnect it from untrusted networks immediately and accelerate migration. Microsoft also issued out-of-band updates KB5002744 and KB5002752 a week before the public CVE for partial protection; defenders must verify both the out-of-band and the July 22 cumulative are installed via Get-SPProductVersions in SharePoint Management Shell.
Is it in CISA KEV and what is the EPSS score?
CISA added CVE-2025-53770 to KEV on July 20, 2025, with a remediation due date of July 21, 2025 — a one-day window matching the speed at which the vendor patches dropped. The KEV entry was paired with CVE-2025-53771 (a related authentication bypass leveraged in the same ToolShell exploit chain). EPSS for CVE-2025-53770 climbed from 0.08 on July 19 to 0.94 by July 23, the steepest rise CISA tracked in the first half of 2025. CISA AA25-201A includes the full IOC list and a 24-hour incident reporting requirement for federal civilian executive branch agencies; commercial enterprises should treat any internet-reachable SharePoint farm without the July 22 KB as already compromised until proven otherwise.
How do you find vulnerable instances in your SBOM?
SharePoint farms can be enumerated through SharePoint Management Shell, but for SBOM-driven inventories, ingest the IIS application pool manifests, ASP.NET binary hashes, and SharePoint product manifests from each WFE (web front-end) server. Safeguard's saved query for this campaign:
# Identify SharePoint installs missing the July 2025 KB packages
safeguard scan --cve CVE-2025-53770 --cve CVE-2025-53771 \
--product sharepoint-server
# Show only internet-exposed farms with /ToolPane.aspx reachable
safeguard assets list \
--filter "vendor=microsoft AND product=sharepoint-server AND exposure=internet" \
--include-cve CVE-2025-53770
For lighter-weight enumeration, the Microsoft-supplied Test-SPCVE2025-53770.ps1 script (downloadable from MSRC) checks build numbers and machine-key rotation timestamps across an entire farm in one pass. Cross-reference results against your CMDB so non-prod and dev farms are not forgotten.
What is the recommended patch rollout?
Microsoft's mandated sequence:
- Snapshot SharePoint config DB and content DBs.
- Stop IIS on each WFE (
iisreset /stop). - Install the relevant KB (KB5002768, KB5002754, or KB5002760) via Windows Update or the manual MSI from the Microsoft Update Catalog.
- Run
PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -forceon each WFE in sequence. - Rotate machine keys:
Update-SPMachineKey -WebApplication <URL>on every web application. This is the step organizations most often forget — without it, the patch is necessary but insufficient. - Restart IIS (
iisreset /start). - Run the Microsoft-supplied
Test-SPCVE2025-53770.ps1post-check to confirm build and key rotation.
In multi-WFE farms, use the rolling approach: drain one node, patch, re-add, then move to the next. Allow 45–90 minutes per node depending on hardware and farm complexity. The CISA window is short, but skipping the machine-key rotation will leave the farm compromised even on the latest build.
What detections does the vendor or CISA publish?
Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps now flag ToolShell-related signatures under Behavior:Win32/ToolShell.A and Backdoor:ASP/SuspSignOut.A. CISA's AA25-201A publishes a YARA rule and the following Sigma detection that defenders should import directly into their SIEM:
# Source: CISA AA25-201A SharePoint ToolShell, published 2025-07-22
title: SharePoint ToolPane Suspicious POST with Encoded Payload
status: stable
logsource:
product: iis
service: w3svc
detection:
selection:
cs-uri-stem|endswith: '/_layouts/15/ToolPane.aspx'
cs-method: 'POST'
cs-uri-query|contains:
- 'DisplayMode=Edit'
- 'a=/ToolPane.aspx'
cs-User-Agent|contains:
- 'python-requests'
- 'curl/'
- '-'
filter_size:
cs-bytes: '>10000'
condition: selection AND filter_size
fields:
- c-ip
- cs-uri-query
- cs-bytes
- sc-status
level: high
CISA also recommends scanning IIS-hosted directories for spinstall0.aspx, xxx.aspx, debug_dev.js, and info.aspx — the four most common web-shell filenames observed in ToolShell victim telemetry between July 18 and July 23, 2025.
Forensic triage during the patch window: search the IIS log directory (%SystemDrive%\inetpub\logs\LogFiles\W3SVC*\) for POST requests to /_layouts/15/ToolPane.aspx covering at least July 1, 2025 forward. Any match warrants memory capture of the SharePoint timer service and configuration database export. Compare hashes of files in %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\ against a known-good baseline; the most common ToolShell webshells write spinstall0.aspx and debug_dev.js into this directory or a sibling. Microsoft's Defender for Identity ships a saved hunting query (SharePointToolShellTriage.kql) that surfaces process-chain anomalies from the w3wp.exe SharePoint application pool.
How Safeguard Helps
Safeguard cross-references the Microsoft product manifest on each SharePoint WFE against KB5002768, KB5002754, and KB5002760 fixed-build identifiers, surfacing every farm still under patch in a single dashboard. Policy gates fail change-management promotions of SharePoint farms below the July 22 build, and a built-in compliance check verifies that the machine-key rotation timestamp on every web application is newer than the patch installation timestamp — catching the most common remediation gap. Griffin AI scores SharePoint farms by internet exposure, anonymous access settings, and outbound network connectivity to surface the highest-blast-radius servers first. VEX statements from Microsoft are auto-ingested for hardened on-prem farms with only authenticated extranet access, reducing the false-positive load on the SOC queue. The ServiceNow connector files a single CMDB-aware ticket per farm, attaches the Microsoft Test-SPCVE2025-53770.ps1 output as evidence, and closes the loop when post-patch verification passes.