Rapid response · 2 MIN READ · MATT JASTRAM, BRANDON OVERSTREET, BEN NAHORNEY AND AARON WALTON · JUL 22, 2025
TL;DR
- Over the weekend, a zero-day vulnerability for SharePoint was targeted
- This vulnerability (CVE-2025-53770) allowed attackers to perform remote code execution (RCE) on vulnerable servers by bypassing SSO and MFA protections
- This vulnerability affects SharePoint 16.0.0.0 and earlier versions, and should be patched immediately
Last weekend, the Expel SOC saw multiple incidents associated with several SharePoint remote code execution (RCE) vulnerabilities. These vulnerabilities are critical because they allow for RCE on vulnerable servers without the need to authenticate, even allowing an attacker to bypass SSO or MFA protections.
Attackers are targeting older on-prem Microsoft Windows Servers running SharePoint 16.0.0.0 and earlier versions. Throughout the weekend, our SOC analysts identified repeated attempts to exploit SharePoint to gain unauthenticated access to organizational systems and data.
Even against a zero-day, continuous SOC monitoring of EDR vendor tools continues to demonstrate its value. Our 24×7 SOC analysts quickly spotted this specific attacker behavior thanks to these tools. This showed that, even while an active zero-day exploit was in play, exploitation still had to follow well-known execution paths, so EDR tools monitoring those paths detected the suspicious activity and notified us before things got out of hand.
So what post-incident lessons did we learn from the weekend events?
- Vendor EDR tools successfully detected zero-day exploitation techniques.
  - They detected and squashed the attacker’s PowerShell use, specifically commands redirected via an .aspx file path. They also detected a service account spawning PowerShell from an .exe.
  - They detected when a user was impersonated. In one case, ‘SuspSignoutReq’ malware was blocked on a SharePoint server. The alert details note that:
    - Malware was detected on an externally-facing Windows Server with SharePoint
    - This indicates an ongoing attack
    - There may have been a successful exploitation attempt
    - An actor might be installing an implant for persistent access
  - Although vendor tools automatically remove identified threats, some infections can leave remnant files and system changes. Updating definitions and re-running scans will identify remnant artifacts and reduce risk.
- Expel incident response and intelligence yielded hunting hints that’ll be helpful for reviewing your incidents and environments.
  - Admins can verify SharePoint server compromise detections by checking for newly written .aspx files in the “C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\” directory. In the earliest exploitation, a file named “spinstall0.aspx” was used.
  - Access log reviews for the following consecutive web requests:
    - POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx
    - GET /_layouts/15/spinstall0.aspx
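The two hunting hints above (newly written .aspx files in the LAYOUTS directory, and a POST to ToolPane.aspx followed by a GET for spinstall0.aspx) can be checked with a small script. The following is an added example written for this page, not Expel's or Microsoft's tooling: it parses IIS W3C log lines using the `#Fields:` directive, flags the consecutive request pair per client IP, lists any request for spinstall0.aspx on its own, and lists .aspx files modified after a given time. The embedded log lines, client addresses and timestamps are constructed sample data, and the LAYOUTS path is the one quoted in the post.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from pathlib import Path

# SharePoint 16 LAYOUTS directory named in the post; pass a different path to
# recently_written_aspx() when hunting on another build or for testing.
LAYOUTS_DIR = Path(r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS")

# Constructed IIS W3C-format sample log. Addresses and times are made up; the
# two URIs are the ones listed in the hunting hints above.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 198.51.100.23 200
2025-07-19 02:15:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.77 200
2025-07-19 02:15:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.77 200
2025-07-19 02:16:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 198.51.100.23 200
2025-07-19 02:20:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 192.0.2.9 404
"""


@dataclass
class Request:
    timestamp: str
    client: str
    method: str
    path: str
    query: str
    status: str


def parse_iis_log(text: str) -> list[Request]:
    """Parse W3C extended log text; the #Fields directive fixes the column order."""
    fields: list[str] = []
    requests: list[Request] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        row = dict(zip(fields, values))
        requests.append(Request(
            timestamp=f"{row.get('date', '')} {row.get('time', '')}",
            client=row.get("c-ip", ""),
            method=row.get("cs-method", "").upper(),
            path=row.get("cs-uri-stem", "").lower(),
            query=row.get("cs-uri-query", "-"),
            status=row.get("sc-status", ""),
        ))
    return requests


def is_toolpane_post(r: Request) -> bool:
    return (r.method == "POST" and r.path.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in r.query.lower())


def is_spinstall_get(r: Request) -> bool:
    return r.method == "GET" and r.path.endswith("/_layouts/15/spinstall0.aspx")


def find_exploit_sequences(requests: list[Request]) -> list[tuple[Request, Request]]:
    """Return (POST ToolPane.aspx, GET spinstall0.aspx) pairs where the GET is the
    very next request seen from the same client IP, i.e. the consecutive pattern."""
    last_by_client: dict[str, Request] = {}
    hits: list[tuple[Request, Request]] = []
    for r in requests:
        prev = last_by_client.get(r.client)
        if prev is not None and is_toolpane_post(prev) and is_spinstall_get(r):
            hits.append((prev, r))
        last_by_client[r.client] = r
    return hits


def spinstall_requests(requests: list[Request]) -> list[Request]:
    """Any request for spinstall0.aspx is worth a look, even a 404 without the preceding POST."""
    return [r for r in requests if is_spinstall_get(r)]


def recently_written_aspx(directory: str | Path, since_epoch: float) -> list[Path]:
    """List .aspx files under directory modified at or after since_epoch
    (for example the start of the exploitation window)."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    return sorted(p for p in directory.rglob("*.aspx") if p.stat().st_mtime >= since_epoch)


if __name__ == "__main__":
    reqs = parse_iis_log(SAMPLE_IIS_LOG)
    for post, get in find_exploit_sequences(reqs):
        print(f"[!] {post.client}: POST {post.path} at {post.timestamp} then GET {get.path} at {get.timestamp}")
    for r in spinstall_requests(reqs):
        print(f"[?] {r.client}: {r.method} {r.path} -> {r.status} at {r.timestamp}")
    for p in recently_written_aspx(LAYOUTS_DIR, time.time() - 7 * 24 * 3600):
        print(f"[!] recently written: {p}")
```

Point `parse_iis_log` at the contents of a real `u_ex*.log` file and `recently_written_aspx` at the LAYOUTS directory (with `since_epoch` set to when the exploitation window began) to run it against a server; the per-client pairing matters because on a busy farm the POST and GET will rarely be adjacent lines in the log.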
What proactive lessons did we learn from the vulnerable systems?
Microsoft gives the following guidance:
“Ensure the Antimalware Scan Interface is turned on and configured correctly. Configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers which will stop unauthenticated attackers from exploiting this vulnerability.”
Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
Expel encourages everyone to follow Microsoft’s guidance, and we recommend completing the following resilience actions in addition:
- Deploy Microsoft Defender AV on all servers
  - Note: other vendors’ EDR tools could also be used
- Disconnect any public-facing servers until security tool enhancements are successfully completed
- Ensure your publicly exposed systems are continually assessed for risky configurations
Does your SOC monitoring ensure your vendor alerts are identifying and alerting to attacker behaviors? Does your vulnerability management program proactively address risk?
If you have any questions about how to do this, or if you need more information, drop us a line.
Resources:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
- https://nvd.nist.gov/vuln/detail/CVE-2025-49704
- https://nvd.nist.gov/vuln/detail/CVE-2025-49706
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- https://nvd.nist.gov/vuln/detail/CVE-2025-53771
- https://research.eye.security/sharepoint-under-siege
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/