CVE-2025-53770

Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.
Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.


In July 2025, a critical remote code execution vulnerability—CVE-2025-53770—was discovered under active exploitation in the wild, targeting Microsoft SharePoint Server (on-premises editions 2016, 2019, and Subscription Edition). The vulnerability enables unauthenticated attackers to execute arbitrary code with system-level privileges, leveraging a deserialization flaw in the SharePoint web application layer.

Exploitation of CVE-2025-53770 is not isolated—it is part of a two-stage exploitation chain dubbed “ToolShell”:

Initial Access: Attackers exploit a yet-unpatched authentication bypass (likely a variant of CVE-2025-49706) to impersonate SharePoint services and inject crafted viewstate payloads.

Deserialization RCE (CVE-2025-53770): Leveraging this elevated context, attackers send a malicious __VIEWSTATE object that triggers unsafe deserialization in ToolPane.aspx, leading to arbitrary .NET code execution without authentication.

Payload Deployment: Successful exploitation results in the drop of a custom web shell (spinstall0.aspx) into the SharePoint webroot, providing persistent backdoor access.

To maintain stealth and persistence, adversaries extract the MachineKey values from the server, allowing them to sign future viewstate payloads and bypass request validation—effectively granting long-term remote execution capabilities even after server restarts.

The exploitation of CVE-2025-53770 hinges on a vulnerable SharePoint endpoint—ToolPane.aspx—which mishandles viewstate data under certain conditions. Attackers abuse this flaw by sending specially crafted __VIEWSTATE payloads to the endpoint, often disguising the request with a forged Referer header pointing to /SignOut.aspx. This combination appears to bypass internal logic that normally governs viewstate deserialization, opening the door to unauthenticated remote code execution.

Once the malicious viewstate is accepted, the underlying .NET deserialization routine is triggered. The attacker’s payload typically includes a gadget chain that executes cmd.exe or PowerShell, allowing them to gain an initial foothold on the server. A lightweight web shell—observed being named spinstall0.aspx—is dropped into the SharePoint webroot to establish persistence and enable follow-on operations.
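The request pattern and artefacts described above (a POST to ToolPane.aspx carrying a Referer that points at SignOut.aspx, followed by requests for a dropped spinstall0.aspx) are enough to write a first-pass detection. The following Python script is an added example, not code from the original post or from Microsoft: it parses IIS W3C extended logs by their `#Fields:` header and flags both indicators. The field names are the standard IIS ones, but the sample log, its hostnames, IPs, `/_layouts/15/` paths and timestamps are constructed for the example.

```python
"""Log-based detection of the ToolShell indicators described in the write-up.

Added example, not code from the original post or from Microsoft. It assumes
IIS W3C extended logging with a '#Fields:' header line; the field names are
the standard IIS ones, but the sample log below is constructed.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable, Iterator

# Indicators taken from the write-up: the vulnerable endpoint, the forged
# Referer value and the observed web shell file name.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/signout\.aspx", re.IGNORECASE)
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample IIS log. Hostnames, IPs, paths and timestamps are made up;
# only the endpoint, the Referer target and the web shell name come from the write-up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:03 GET /_layouts/15/start.aspx - 10.0.0.25 Mozilla/5.0 - 200
2025-07-19 02:14:09 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 02:14:11 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:20:44 POST /_layouts/15/ToolPane.aspx - 10.0.0.31 Mozilla/5.0 https://sp.example.test/sites/hr/SitePages/Home.aspx 200
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[dict[str, str]]:
    """Yield one dict per request line, keyed by the names from the #Fields header."""
    fields: list[str] | None = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # IIS encodes spaces inside values as '+', so a count mismatch means a damaged line
        yield dict(zip(fields, values))


def detect_toolshell(records: Iterable[dict[str, str]]) -> list[dict[str, str]]:
    """Flag requests matching the two indicators from the write-up.

    Rule 1: POST to ToolPane.aspx whose Referer points at SignOut.aspx.
    Rule 2: any request for the web shell file name, which means the drop already happened.
    """
    findings: list[dict[str, str]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        when = f"{rec.get('date', '?')} {rec.get('time', '?')}"
        client = rec.get("c-ip", "?")
        if (
            rec.get("cs-method", "").upper() == "POST"
            and TOOLPANE_RE.search(stem)
            and SIGNOUT_REFERER_RE.search(referer)
        ):
            findings.append({"rule": "toolpane-signout-referer", "time": when, "c-ip": client, "uri": stem})
        if stem.lower().endswith("/" + WEBSHELL_NAME):
            findings.append({"rule": "webshell-request", "time": when, "c-ip": client, "uri": stem})
    return findings


def scan_log_text(text: str) -> list[dict[str, str]]:
    """Convenience wrapper: run the detector over log text held in memory."""
    return detect_toolshell(parse_w3c(text.splitlines()))


def find_webshell_files(webroot: Path) -> list[Path]:
    """Hunt a directory tree (e.g. the SharePoint web root) for files named like the observed web shell."""
    return sorted(p for p in webroot.rglob("*") if p.is_file() and p.name.lower() == WEBSHELL_NAME)


if __name__ == "__main__":
    for hit in scan_log_text(SAMPLE_LOG):
        print(f"{hit['rule']:26} {hit['time']} {hit['c-ip']:15} {hit['uri']}")
```

Running the script on the constructed log reports the ToolPane.aspx POST from 203.0.113.7 and the follow-up request for spinstall0.aspx, while the ordinary ToolPane.aspx POST from the internal editor (normal page Referer) is not flagged. The Referer condition is what the write-up describes, so a POST to ToolPane.aspx from an unexpected source without that Referer is still worth a manual look; and because the write-up notes that stolen MachineKey values let an attacker sign later viewstate payloads, a confirmed hit on either rule should be treated as a key-compromise event and not only as a file clean-up.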


CVE-2025-53770
http://example.com/2025/07/21/other_3699995389/
Author: lianccc
Published: July 21, 2025