Microsoft's description of CVE-2025-53770: deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. In its initial guidance Microsoft stated that it was preparing and fully testing a comprehensive update to address this vulnerability and asked customers to make sure, in the meantime, that the mitigation provided in the CVE documentation is in place. See the References section for more details about CVE-2025-53770 and CVE-2025-53771.
These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.
CIRCL advises initiating an incident response procedure: review all logs and scrutinize any potential compromise of other internal infrastructure, not only the Microsoft SharePoint Server itself.
Recommendations
- Review the Microsoft Customer guidance for SharePoint vulnerability CVE-2025-53770
- Assume any exposed server has been compromised: large-scale exploitation occurred before the patch was released, and patching alone does not evict an attacker who is already present.
- Rotate the key material on your exposed Microsoft SharePoint Server, i.e. the ASP.NET machine keys (ValidationKey and DecryptionKey). The known spinstall0.aspx payload reads these keys and returns them to the attacker; with them an attacker can craft validly signed __VIEWSTATE payloads and keep executing code after the patch is applied. Rotate the keys (Update-SPMachineKey, or the Machine Key Rotation timer job in Central Administration) on every server in the farm and restart IIS afterwards.
- Trigger an incident response procedure: review all logs and scrutinize any potential compromise of other internal infrastructure, not only the Microsoft SharePoint Server.
Impact
Unauthenticated remote code execution that can result in the full compromise of the Microsoft SharePoint Server.
Exploitation
Exploitation has been confirmed and has been seen worldwide, including in Luxembourg.
Detection
Monitor and search the IIS logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which is the trigger for the known payload. In the observed exploitation the request is unauthenticated and carries a Referer of /_layouts/SignOut.aspx; authenticated page editors can legitimately POST to ToolPane.aspx, so those two properties are what set the exploit apart from normal traffic.
Review the Microsoft SharePoint Server for the presence of the spinstall0.aspx file, which the known exploit drops into the TEMPLATE\LAYOUTS directory of the 16 hive and which exfiltrates the server's ASP.NET machine keys.
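The two checks above, implemented as an added example (not CIRCL's, Microsoft's or eye.security's code): a small Python triage script that parses IIS W3C logs by their #Fields header, flags POSTs to ToolPane.aspx?DisplayMode=Edit (ranking unauthenticated requests and the SignOut.aspx Referer above authenticated ones, which can be legitimate editing traffic), flags any request for spinstall0.aspx, and walks a LAYOUTS directory for the file. The log lines, the hostname sp.example.test and the IP addresses are constructed; the LAYOUTS path in the trailing comment is the default 16 hive location.

```python
"""Triage IIS W3C logs for the CVE-2025-53770 indicators named in this advisory.

Added example, not CIRCL's, Microsoft's or eye.security's code. The sample log
below is constructed; the LAYOUTS directory is passed in rather than assumed.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"   # exploit trigger (compared case-insensitively)
SIGNOUT_REFERER = "/_layouts/signout.aspx"    # Referer seen in the known exploit chain
WEBSHELL_NAME = "spinstall0.aspx"             # payload dropped into TEMPLATE\LAYOUTS


@dataclass
class Hit:
    severity: str   # "high" or "medium"
    reason: str
    timestamp: str
    client_ip: str
    username: str
    method: str
    uri: str
    referer: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header.

    IIS writes a fresh #Fields line at each rollover, so the column layout is
    taken from the most recent header instead of being hard-coded.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def triage(records: Iterable[Dict[str, str]]) -> List[Hit]:
    """Flag ToolPane.aspx?DisplayMode=Edit POSTs and any request for spinstall0.aspx."""
    hits: List[Hit] = []
    for r in records:
        method = r.get("cs-method", "-").upper()
        stem = r.get("cs-uri-stem", "-").lower()
        query = r.get("cs-uri-query", "-").lower()
        referer = r.get("cs(Referer)", "-").lower()
        user = r.get("cs-username", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        common = dict(timestamp=f"{r.get('date', '-')} {r.get('time', '-')}",
                      client_ip=r.get("c-ip", "-"), username=user, method=method,
                      uri=uri, referer=r.get("cs(Referer)", "-"))

        if method == "POST" and stem == TOOLPANE_STEM and "displaymode=edit" in query:
            # Authenticated editors can legitimately hit this page; the exploit is
            # anonymous and arrives with a SignOut.aspx Referer, so rank on those.
            if SIGNOUT_REFERER in referer:
                hits.append(Hit("high", "POST to ToolPane.aspx?DisplayMode=Edit with SignOut.aspx Referer", **common))
            elif user == "-":
                hits.append(Hit("high", "unauthenticated POST to ToolPane.aspx?DisplayMode=Edit", **common))
            else:
                hits.append(Hit("medium", "authenticated POST to ToolPane.aspx?DisplayMode=Edit; confirm with the user", **common))
        elif stem.endswith("/" + WEBSHELL_NAME):
            hits.append(Hit("high", f"request for {WEBSHELL_NAME}", **common))
    return hits


def find_webshell(layouts_dir: str) -> List[str]:
    """Return the paths of any spinstall0.aspx found under the given LAYOUTS directory."""
    found: List[str] = []
    for root, _dirs, files in os.walk(layouts_dir):
        found.extend(os.path.join(root, f) for f in files if f.lower() == WEBSHELL_NAME)
    return found


# Constructed sample log (not real traffic): a benign request, an exploit attempt,
# a fetch of the dropped web shell, a legitimate authenticated edit, a truncated line.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:00:01 10.0.0.5 GET /sites/intranet/default.aspx - 443 DOMAIN\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-19 10:01:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/SignOut.aspx 200 0 0 455
2025-07-19 10:01:20 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 33
2025-07-19 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\bob 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/intranet/default.aspx 200 0 0 90
2025-07-19 10:03:00 10.0.0.5 GET
"""


def triage_sample() -> List[Hit]:
    """Run the triage over the constructed sample log."""
    return triage(parse_w3c(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for hit in triage_sample():
        print(f"[{hit.severity}] {hit.timestamp} {hit.client_ip} user={hit.username} "
              f"{hit.method} {hit.uri} referer={hit.referer} :: {hit.reason}")
    # On a SharePoint server, point find_webshell at the 16 hive LAYOUTS folder, by default
    # r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
```

On a real server, feed parse_w3c the log files from the IIS site's log directory (one call per file) and treat every "high" hit as grounds for the incident response procedure above; a "medium" hit is ordinary editing traffic unless the named user denies it.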
A scanning approach (available as a bash script) and a set of indicators are detailed in the original eye.security article: https://research.eye.security/sharepoint-under-siege/.
A MISP event with the indicators is also available under UUID d9da16a2-8444-45cb-8bb4-d27abf23a261 (CIRCL).
A second event, UUID 59ed4725-5f2a-4844-8dc4-e6926dbcb5ce (Microsoft), includes detection rules for Microsoft Sentinel and Microsoft Defender XDR.
Affected Systems
- Microsoft - Microsoft SharePoint Enterprise Server 2016 - Version: N/A
- Microsoft - Microsoft SharePoint Server 2019 - Version: 16.0.0 < 16.0.10417.20037
- Microsoft - Microsoft SharePoint Server Subscription Edition - Version: 16.0.0 < 16.0.18526.20508
Credits
- Thanks to https://research.eye.security for the discovery.
References
- Original vulnerability - CVE-2025-49706 (the spoofing vulnerability of which CVE-2025-53770 is a variant)
- CVE-2025-53770 (GCVE-0-2025-53770) - Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
- SharePoint 0-day uncovered (CVE-2025-53770)
- Scanning - Nmap script to detect a Microsoft SharePoint instance version
- Disrupting active exploitation of on-premises SharePoint vulnerabilities
Timeline
- 2025-07-20 06:03 - Customer guidance for SharePoint vulnerability CVE-2025-53770 MSRC Blog Microsoft Security Response Center
- 2025-07-18 18:00 - Initial discovery of the ASPX payload by https://research.eye.security.
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.3 - TLP:CLEAR - References updated
- Version 1.2 - TLP:CLEAR - Clarification for key materials and links fixed - 22nd July 2025
- Version 1.1 - TLP:CLEAR - Second version including updates and new scanning script - 21st July 2025
- Version 1.0 - TLP:CLEAR - First version - 20th July 2025