The newly exploited SharePoint zero‑day pair, CVE‑2025‑53770 and CVE‑2025‑53771 (collectively nicknamed “ToolShell”), allows attackers to plant a web shell, steal the server’s cryptographic machine keys, and keep remote‑code execution even after routine patching, because the stolen keys let them forge ViewState payloads the server still trusts. Because on‑prem SharePoint libraries often store requirement documents, architecture diagrams, compliance workbooks, contracts, and other sensitive records, a compromised server becomes a launch‑pad for attacks across the entire software supply chain. Early threat‑intelligence signals, from Pwn2Own Berlin 2025 and CISA’s KEV alert on 20 July 2025, gave organisations advance notice to patch, rotate keys, and audit libraries before widespread exploitation.
What Happened
ToolShell Chain in Brief
· CVE‑2025‑53770: Unauthenticated deserialization of untrusted data in ToolPane.aspx enables full remote‑code execution.
· CVE‑2025‑53771: Path‑traversal variant that bypasses Microsoft’s July fixes, restoring the attack chain.
· Combined impact: Attackers drop a stealth web shell and exfiltrate the ValidationKey and DecryptionKey, which lets them sign forged ViewState payloads that the server accepts as legitimate, and therefore regain code execution until the keys are rotated.
Scale of Exploitation
· Eye Security observed live attacks beginning 18 July 2025, with dozens of organisations breached.
· Victims span government, finance, healthcare, education, and critical‑energy sectors; over 8 000 on‑prem servers are estimated vulnerable.
· CISA added CVE‑2025‑53770 to the KEV catalogue on 20 July 2025 and mandated patching for U.S. federal agencies within 24 hours.
Why This Is a Software Supply Chain Issue
SharePoint’s Documentation Trove
· Organisations store requirements, architecture diagrams, vendor contracts, release notes, and compliance evidence in SharePoint.
· These records reveal network layouts, privileged contacts, and third‑party integrations that adversaries can weaponise.
Knowledge Leveraged Downstream
Incident responders observed attackers reading exposed documents to identify mailbox credentials and finance platforms, then pivoting into those systems—all enabled by the initial SharePoint breach.
Threat‑Intelligence Timeline
Date: Key Signal / Defensive Opportunity
· 16 May 2025: ToolShell chain demoed at Pwn2Own Berlin; SharePoint flagged as a “watch‑list” asset.
· 9 Jul 2025: Microsoft issues initial fixes for CVE‑2025‑49704/49706; organisations patch and rotate machine keys.
· 18 Jul 2025: Eye Security confirms active exploitation; new IDs CVE‑2025‑53770/53771 assigned.
· 20 Jul 2025: CISA adds CVE‑2025‑53770 to KEV and publishes mitigation guidance.
Mitigation Checklist
· Apply Microsoft’s out‑of‑band updates (KB 5002768, KB 5002754, KB 5002760) immediately.
· Rotate machine keys right after patching to invalidate forged ViewState signatures.
· Audit SharePoint libraries modified between 17–21 July for unexpected uploads, edits, or deletions.
· Restrict external access by placing on‑prem SharePoint behind a reverse proxy or WAF.
· Monitor for key indicators: POST requests to ToolPane.aspx whose Referer header is /SignOut.aspx, and the process chain w3wp.exe → cmd.exe → powershell.exe -EncodedCommand on the SharePoint server.
· Subscribe to multiple threat‑intelligence feeds (CISA KEV, Microsoft MSRC RSS, commercial sources) to ensure rapid response to future disclosures.
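Detection logic for the two indicators in the checklist above, as an added example that is not part of the original article: it scans constructed IIS W3C log lines for POSTs to ToolPane.aspx with a SignOut.aspx Referer, and constructed Sysmon‑style process events for the w3wp.exe → cmd.exe → powershell.exe -EncodedCommand chain. The log field order, the event dictionary layout and all sample values (IPs, PIDs, the base64 argument) are assumptions made for the example.

```python
"""Added example: ToolShell indicator checks over constructed IIS and process data."""
from typing import Dict, List

# Constructed IIS W3C log lines; assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
IIS_SAMPLE = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 14:02:11 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-18 14:02:15 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.3 https://intranet/sites/eng 200
2025-07-18 14:03:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 - 200
2025-07-18 14:05:40 GET /sites/eng/Shared%20Documents/arch.vsdx - 198.51.100.3 https://intranet/sites/eng 200
"""

def suspicious_toolpane_posts(log_text: str) -> List[str]:
    """Return client IPs of POSTs to ToolPane.aspx whose Referer points at SignOut.aspx."""
    hits: List[str] = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip blanks and W3C directive lines
            continue
        f = line.split()
        if len(f) < 8:
            continue
        method, stem, client, referer = f[2], f[3], f[5], f[6]
        if method == "POST" and stem.lower().endswith("/toolpane.aspx") \
                and "/signout.aspx" in referer.lower():
            hits.append(client)
    return hits

# Constructed process-creation events (Sysmon-style); "QUJD" is a placeholder base64 string.
PROC_SAMPLE: List[Dict] = [
    {"pid": 4120, "ppid": 700,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd": "w3wp.exe -ap SharePoint"},
    {"pid": 5532, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c powershell -EncodedCommand QUJD"},
    {"pid": 5610, "ppid": 5532, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell -EncodedCommand QUJD"},
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\conhost.exe", "cmd": "conhost.exe"},
]

def toolshell_process_chain(events: List[Dict]) -> List[int]:
    """Return PIDs of powershell.exe -EncodedCommand whose parent is cmd.exe spawned by w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    def name(e: Dict) -> str:                    # basename of the image path, lower-cased
        return e["image"].rsplit("\\", 1)[-1].lower()
    flagged: List[int] = []
    for e in events:
        # PowerShell also accepts abbreviations such as -enc; widen this match in production.
        if name(e) != "powershell.exe" or "-encodedcommand" not in e["cmd"].lower():
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if parent and grand and name(parent) == "cmd.exe" and name(grand) == "w3wp.exe":
            flagged.append(e["pid"])
    return flagged
```

Both functions return the matching client IPs or PIDs so they can be fed into an alert or into the library audit for the same time window.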
Key Take‑Aways
· SharePoint is a software supply chain nexus: its document libraries contain the blueprints and agreements that connect an organisation to its partners.
· ToolShell weaponises that nexus by giving attackers stealthy, persistent control of the server and its files.
· Threat‑intelligence shortens reaction time: tracking Pwn2Own disclosures and KEV alerts enabled faster patching, key rotation, and library audits.