Welcome back, rookie hackers!
CVE-2025-53770 is a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 that affects on-premises Microsoft SharePoint servers. This vulnerability has been actively exploited in the wild as a zero-day by unknown threat actors and is part of the notorious “ToolShell” exploit chain that enables unauthenticated attackers to achieve full system compromise.
Technical Overview
CVE-2025-53770 is caused by unsafe deserialization of untrusted data in on-premises SharePoint Servers, forming the execution stage of the “ToolShell” exploit chain. This vulnerability represents a bypass of the original CVE-2025-49704, which Microsoft had previously patched in July 2025.
Microsoft SharePoint, heavily built on the .NET framework, traditionally uses various serialization methods, including XML serialization and the BinaryFormatter class. While newer .NET versions and development practices encourage safer serialization patterns, legacy SharePoint components continue to rely on older mechanisms. These older deserialization implementations do not incorporate comprehensive data validation or integrity checks. Consequently, they are vulnerable to manipulation, particularly when attacker-controlled data is accepted in HTTP GET or POST requests.
The risk multiplies because deserialization processes operate with the privileges of the hosting application, often the web server account with wide access to system resources. Exploiting deserialization weaknesses in SharePoint has profound consequences: granting remote code execution (RCE) capabilities to outsiders with no or minimal authentication, enabling data breaches, lateral movement within corporate networks, and deployment of ransomware or backdoors.
The vulnerability affects the following SharePoint versions:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Server 2016
- SharePoint Server 2010 and 2013
Important Note: SharePoint Online in Microsoft 365 is NOT impacted by this vulnerability. However, self-managed SharePoint instances running in cloud environments (Azure, AWS, GCP) remain vulnerable.
The ToolShell Exploit Chain
May 2025: Security researchers at Pwn2Own Berlin first demonstrated the original ToolShell exploit combining CVE-2025-49704 and CVE-2025-49706.
July 9, 2025: Microsoft released patches for the original vulnerabilities during Patch Tuesday.
July 18-19, 2025: Eye Security identified active exploitation of SharePoint servers in the wild using bypasses for the original ToolShell vulnerabilities, marking the first known in-the-wild abuse of the exploit chain.
July 20, 2025: CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, and Microsoft acknowledged the attacks.
How the Exploit Works
Stage 1: Authentication Bypass (CVE-2025-53771) – Header Spoofing Attack
The attack begins with exploiting a header spoofing vulnerability in SharePoint’s request handling mechanism. SharePoint uses the Referer header to validate certain administrative requests, but this validation can be bypassed through careful manipulation.
Attack Flow:
- Target Identification: The attacker identifies an exposed SharePoint server and locates the vulnerable endpoint /_layouts/15/ToolPane.aspx
- Request Crafting: The attacker constructs a malicious POST request with the following characteristics:
  - URL: https://[target]/_layouts/15/ToolPane.aspx?DisplayMode=Edit
  - Method: POST
  - Critical Header: Referer: /_layouts/SignOut.aspx
  - Content-Type: application/x-www-form-urlencoded
- Authentication Bypass Mechanism: SharePoint’s authentication logic incorrectly trusts the crafted Referer header, interpreting it as a legitimate internal workflow transition. The server assumes the request originates from an authenticated session transitioning from the sign-out page to the tool pane.
- Access Granted: The server grants access to the ToolPane.aspx endpoint without requiring valid authentication credentials, effectively bypassing the entire authentication mechanism.

Why This Works: SharePoint’s legacy code contains logic that treats certain internal page transitions as inherently trusted. The Referer header spoofing exploits this flawed assumption, making the server believe the request is part of a legitimate administrative workflow.
Stage 2: Code Execution Setup (CVE-2025-53770) – Unsafe Deserialization
With authenticated access to the ToolPane.aspx endpoint, the attacker exploits an unsafe deserialization vulnerability in SharePoint’s data processing.
Attack Flow:
- Payload Construction: The attacker crafts a malicious serialized object containing executable code. This payload is typically a .NET serialized object designed to execute system commands when deserialized.
- Request Submission: The malicious payload is submitted in the POST body to the authenticated ToolPane.aspx endpoint. The request has the following structure:
  POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  Referer: /_layouts/SignOut.aspx
  Content-Type: application/x-www-form-urlencoded

  [Serialized malicious payload in POST body]
- Unsafe Deserialization: SharePoint’s server-side code receives the POST data and automatically deserializes the payload without proper validation or sanitization. The .NET deserialization process triggers the execution of embedded malicious code.
- Web Shell Deployment: The executed code performs the following actions:
  - Creates a malicious ASPX web shell file (commonly named spinstall0.aspx)
  - Writes the web shell to the SharePoint layouts directory: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
  - Sets appropriate permissions to ensure the web shell is accessible via HTTP requests
The deployed web shell (spinstall0.aspx) is a sophisticated backdoor that provides:
- Command execution capabilities
- File system access
- Network connectivity for data exfiltration
- Stealth features to avoid detection
Stage 3: Cryptographic Key Extraction
The web shell is used to extract critical cryptographic material from the SharePoint server’s configuration, specifically targeting the ASP.NET machineKey settings.
Attack Flow:
- Web Shell Access: The attacker accesses the deployed web shell via HTTP: GET https://[target]/_layouts/15/spinstall0.aspx
- Configuration File Access: Through the web shell, the attacker navigates to and reads SharePoint’s web.config files, specifically targeting:
- Main application web.config
- Central Administration web.config
- Service application web.configs
- Key Extraction Process: The web shell extracts the following critical values from the machineKey configuration section:
  - ValidationKey: A cryptographic key used to validate ViewState and other ASP.NET data
  - DecryptionKey: Used for encrypting and decrypting ViewState and session data
  - Validation Algorithm: The hashing algorithm used (typically HMACSHA256)
  - Decryption Algorithm: The encryption algorithm used (typically AES)

Stage 4: Weaponized Persistence – ViewState Exploitation
Using tools like ysoserial, the attacker crafts malicious __VIEWSTATE payloads signed with the stolen keys. Because SharePoint trusts the signature, it deserializes and executes the embedded payloads, enabling unauthenticated remote code execution. Since these payloads are accepted on the strength of the stolen keys rather than through the patched bug, applying the update alone does not close this door: the machineKey values must also be rotated on every affected server.
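The request patterns described in Stages 1 through 3 are visible in the IIS W3C logs of a SharePoint front end. The following triage script is an added example written for this article, not code from the original post or from any vendor tooling; it parses W3C log lines, flags POSTs to ToolPane.aspx that carry the SignOut.aspx Referer and any request for spinstall0.aspx, and groups the hits by client IP. The embedded log lines are constructed for the demonstration, and the hostnames and IP addresses in them are made up.

```python
from collections import defaultdict
# Constructed IIS W3C log sample (not real traffic): one benign browse, one POST with the
# SignOut.aspx Referer pattern, one hit on the dropped web shell, one legitimate edit-mode POST.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:01:13 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.0.41 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120
2025-07-18 22:03:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 311
2025-07-18 22:03:59 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 45
2025-07-18 22:05:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.9 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200 0 0 88
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def classify(rec):
    """Name the indicator a log record matches, or None for ordinary traffic."""
    stem = rec.get("cs-uri-stem", "").lower()
    if stem.endswith("/spinstall0.aspx"):
        return "webshell-access"           # Stage 2/3: the dropped ASPX backdoor being reached
    if (rec.get("cs-method") == "POST"
            and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in rec.get("cs-uri-query", "").lower()
            and "/_layouts/signout.aspx" in rec.get("cs(Referer)", "").lower()):
        return "toolpane-signout-referer"  # Stage 1: sign-out page used as Referer on a ToolPane POST
    return None

def triage(text):
    """Group indicator hits by client IP: {ip: [(timestamp, indicator, uri-stem), ...]}."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        tag = classify(rec)
        if tag:
            hits[rec["c-ip"]].append((rec["date"] + " " + rec["time"], tag, rec["cs-uri-stem"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG).items():
        print(ip, *[f"\n  {when}  {tag:<26} {stem}" for when, tag, stem in events])
```

A legitimate edit-mode POST whose Referer is an ordinary SharePoint page is not flagged, so the SignOut.aspx Referer rule stays quiet on normal administrative traffic.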
Conclusion
SharePoint deserialization vulnerabilities demonstrate the significant dangers of unsafe deserialization in complex, legacy enterprise applications. Attackers exploit these flaws to bypass authentication, execute arbitrary code, and maintain persistent access, with devastating impacts including data theft and ransomware deployments.
For those interested in improving their cybersecurity skills, especially in understanding and defending against complex vulnerabilities like insecure deserialization, Hackers-Arise offers expert-led training programs. Check it out!
The post CVE-2025-53770: Critical SharePoint Zero-Day Under Active Exploitation first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/cve-2025-53770-critical-sharepoint-zero-day-under-active-exploitation/