In-the-wild Exploitation of CVE-2025-53770 and CVE-2025-53771: Technical Details and Mitigation Strategies
Two zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) have been found in Microsoft SharePoint Server and are being used to attack on-premises SharePoint servers. Attackers exploit the vulnerabilities to upload malicious files and steal cryptographic keys. Microsoft has released patches and advises users to update immediately. 2025-7-23 19:48:47 Author: www.trustwave.com


Two critical zero-day vulnerabilities in the Microsoft SharePoint Server environment, CVE-2025-53770 (9.8 CVSS score) and CVE-2025-53771 (6.5 CVSS score), are being actively exploited by threat actors to compromise vulnerable on-premises SharePoint servers.

The two new vulnerabilities are part of a complex attack chain dubbed “ToolShell”, which grants threat actors access to unpatched SharePoint servers’ content and the ability to execute code over the network. It’s important to note that these vulnerabilities only affect vulnerable on-premises instances of Microsoft SharePoint Server 2016, 2019, and Subscription Edition and do not affect SharePoint Online.

CVE-2025-53770 and CVE-2025-53771 are evolved iterations of two earlier vulnerabilities, CVE-2025-49704 (a remote code execution, or RCE, vulnerability) and CVE-2025-49706 (a network spoofing vulnerability), which were disclosed during the Pwn2Own event held in Berlin last year. Microsoft released patches for the original vulnerabilities in its July 2025 Security Updates; however, further exploitation of the vulnerabilities precipitated the release of more comprehensive fixes.

In its threat intelligence blog published on July 22, Microsoft shared that it has observed two China-based nation-state actors, Linen Typhoon and Violet Typhoon, exploiting the pair of vulnerabilities to compromise internet-connected SharePoint servers. The company also observed Storm-2603, another threat actor based in China, exploiting the vulnerabilities.

Microsoft is currently investigating other threat actors abusing these bugs and believes they will continue to be integrated into more SharePoint attacks. According to the Washington Post, the vulnerabilities are being used in attacks targeting government agencies, universities, energy companies, and an Asian telecommunications company.

Technical Details

The ToolShell attack chain involves the following vulnerabilities:

  • CVE-2025-49704: A vulnerability in the generation of dynamic code, which may allow RCE when improperly validated.
  • CVE-2025-49706: An authentication-related flaw that can enable spoofing of user identity or role.
  • CVE-2025-53770: A deserialization vulnerability allowing unauthenticated RCE through manipulated ViewState.
  • CVE-2025-53771: A path traversal vulnerability that permits the attacker to place files outside of restricted directories.

It should be noted that depending on a SharePoint environment’s configuration and its level of exposure, these vulnerabilities can be exploited independently or in combination with one another. These SharePoint vulnerabilities impact legacy components relying on ASP.NET ViewState for server-side state management.

Threat actors look for endpoints that process ViewState and allow unauthenticated access in vulnerable deployments. Based on reports, specific paths have been observed in application pages under /layouts/, which are accessible without user validation. Threat actors craft malformed POST requests that carry encoded ViewState payloads in the __VIEWSTATE parameter, often signed with keys retrieved from memory or from misconfigured files.

During page rendering, deserialization is triggered and .NET gadget chains built with known techniques execute. The ViewState payloads then invoke cmd.exe or powershell.exe with encoded instructions.

When deserialization is successful, a malicious ASPX web shell (spinstall0.aspx) is uploaded to a location on the server that is typically reserved for shared components. This web shell allows malicious actors to gain persistent access to the environment via HTTP and to perform RCE by generating malicious ViewState tokens that SharePoint accepts as legitimate. It also supports credential theft by extracting the server’s MachineKey configuration, including critical cryptographic secrets such as the ValidationKey and DecryptionKey.

Threat actors have also been observed modifying scheduled jobs and creating privileged service accounts in some affected environments.

Mitigation

Organizations with on-premises Microsoft SharePoint Server environments should adopt the following mitigation measures to prevent operational disruptions and keep their systems secure:

  • Immediate Patching: Apply the security updates released by Microsoft for affected SharePoint Server versions. Prioritize patching all SharePoint environments, including test, development, and production servers. Customers using SharePoint Subscription Edition should apply the security update provided in KB5002768 to mitigate the vulnerability.
    • Customers using SharePoint Server Subscription Edition should install the latest update.
    • Customers using SharePoint Server 2016 or 2019 should apply the latest security updates per Microsoft’s guidance:
      • For critical zero-day mitigation, SharePoint Server 2019 customers should apply the emergency security update KB5002754 (out-of-band patch).
      • Additionally, apply the latest cumulative security update for SharePoint Server 2019: KB5002741.
    • For SharePoint Server 2016, customers should install both updates.
  • Cryptographic Key Rotation: Since attackers can steal SharePoint’s MachineKey configuration (including the ValidationKey and DecryptionKey), simply applying patches is insufficient. It is critical to rotate all SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers to invalidate any forged or maliciously crafted ViewState.
    • Machine key rotation can be performed manually via PowerShell using the Update-SPMachineKey cmdlet.
    • Alternatively, trigger the Machine Key Rotation timer job in SharePoint Central Administration by navigating to Monitoring > Review job definitions, searching for the “Machine Key Rotation Job,” and selecting “Run Now.”
    • After rotation, restart IIS on all servers using iisreset.exe.
    • If AMSI cannot be enabled, key rotation must be done after installing the security update.
  • Enable and Harden Antimalware Scan Interface (AMSI) and Endpoint Protection: Configure AMSI integration in SharePoint and enable “Full Mode” for optimal protection. Deploy Microsoft Defender Antivirus or an equivalent antimalware solution on all SharePoint servers.
    • AMSI integration has been enabled by default starting with the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Subscription Edition.
    • If AMSI cannot be enabled, consider disconnecting affected SharePoint servers from the Internet until the update can be applied.
  • Network Segmentation and Isolation: Isolate SharePoint servers in segmented network zones with restricted access to reduce the risk of lateral movement if they are compromised.
    • Use firewall rules and network security groups to limit inbound and outbound connections strictly to essential services, and block known malicious IP addresses associated with exploitation campaigns.

Indicators of Compromise (IoCs)

Indicator | Type | Description


C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx | File Name | File created after encoded command run
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx | File Name | File created after encoded command run
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js | File Name | File created after PowerShell command run
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User-Agent String | User agent string observed in HTTP requests during active exploitation phases on July 18 and 19, 2025
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 | URL-encoded User-Agent | URL-encoded version of the above user agent string, used for IIS log searching and filtering
/_layouts/15/ToolPane.aspx?DisplayMode=Edit and /_layouts/15/ToolPane.aspx?a=/ToolPane.aspx | HTTP Request Path | HTTP POST requests leveraged by attackers to trigger the exploit and upload malicious payloads
Referer: /_layouts/SignOut.aspx | HTTP Header | HTTP Referer header value observed in exploit attempts targeting ToolPane.aspx
GET /_layouts/15/spinstall0.aspx | HTTP Request Path | Malicious ASPX file accessed post-upload; used to extract cryptographic keys and enable remote code execution

Table 1. Verified public IOCs associated with the exploitation of Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770, aka ToolShell)
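As an added example (not code from the original Trustwave post), the following Python script hunts through IIS W3C-format log lines for the request-path, Referer and User-Agent indicators listed in Table 1; the log lines, host name and client addresses are constructed sample data, and the `cs(User-Agent)`/`cs(Referer)` column names assume the default IIS field set.

```python
"""Hunt for the ToolShell request IoCs from Table 1 in IIS W3C-format logs."""
from urllib.parse import unquote_plus

# Indicators taken from the IoC table above (lower-cased where compared case-insensitively).
TOOLPANE_QUERIES = ("displaymode=edit", "a=/toolpane.aspx")
WEBSHELL_STEM = "/_layouts/15/spinstall0.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"

# Constructed sample log (host and addresses are made up); IIS writes '+' for spaces in fields.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-18 10:01:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-18 10:02:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
"""

def parse_w3c(lines):
    """Yield one dict per data row, naming the columns from the #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))

def classify(entry):
    """Return the IoC matches for one log entry (empty list if nothing matched)."""
    reasons = []
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote_plus(entry.get("cs-uri-query", "")).lower()
    referer = unquote_plus(entry.get("cs(Referer)", "")).lower()
    ua = unquote_plus(entry.get("cs(User-Agent)", ""))  # '+' and %XX decoded back to the raw UA
    if entry.get("cs-method") == "POST" and stem.endswith("/_layouts/15/toolpane.aspx"):
        if any(q in query for q in TOOLPANE_QUERIES):
            reasons.append("POST to ToolPane.aspx with exploit query")
        if referer.endswith(SIGNOUT_REFERER):
            reasons.append("SignOut.aspx Referer on ToolPane request")
    if stem.endswith(WEBSHELL_STEM):
        reasons.append("access to spinstall0.aspx web shell")
    # The Firefox UA is common, so report it only alongside a stronger signal.
    if reasons and ua == IOC_USER_AGENT:
        reasons.append("IoC User-Agent")
    return reasons

def scan(log_text):
    """Return (client IP, method, path, reasons) for every entry that matched an IoC."""
    hits = [(e["c-ip"], e["cs-method"], e["cs-uri-stem"], classify(e)) for e in parse_w3c(log_text.splitlines())]
    return [h for h in hits if h[3]]
```

Feed `scan()` the contents of the real u_ex*.log files from each SharePoint front end; hits are leads for review, and a spinstall0.aspx request that returned 200 warrants the key-rotation steps from the Mitigation section.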



Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/in-the-wild-exploitation-of-cve-2025-53770-and-cve-2025-53771-technical-details-and-mitigation-strategies/