Action Required: Microsoft SharePoint On-prem ToolShell Vulnerabilities (CVE-2025-53770 and CVE-2025-53771)

Over the weekend, more than 50 organizations have already been compromised by attackers exploiting two new CVEs in on-prem Microsoft SharePoint Servers, tracked as CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.3) and dubbed ‘ToolShell’. Exploitation of these CVEs can result in unauthenticated Remote Code Execution (RCE) and poses a significant risk to organizations. It’s important to mitigate and patch these critical vulnerabilities immediately, since they are already being actively exploited. Read on to understand more about the vulnerabilities, who is affected, and how to remediate quickly.

Note that this is an evolving situation; we’ll update this blog as soon as more information becomes available.

What are CVE-2025-53770 and CVE-2025-53771?

Here’s a breakdown of each SharePoint CVE:

  • CVE-2025-53770 is a critical unauthenticated remote code execution vulnerability caused by the deserialization of untrusted data in on-premise versions of Microsoft SharePoint Server. This CVE has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
  • CVE-2025-53771 is a medium-severity server spoofing vulnerability caused by improper limitation of a pathname to a restricted directory (path traversal).

These vulnerabilities are critical because, without authentication, they allow an attacker to fully access SharePoint content, including file systems and configurations, and to execute arbitrary code over the network.

Microsoft has also stated that CVE-2025-53770 and CVE-2025-53771 are related to two previous SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which could also result in remote code execution. Microsoft released a patch for those vulnerabilities as part of the July 2025 Patch Tuesday update.

Microsoft said that ‘The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704, and the update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.’

Who is affected by CVE-2025-53770 and CVE-2025-53771?

The ToolShell CVEs affect on-premises installations of Microsoft SharePoint Server, including SharePoint Server 2016, 2019, and Subscription Edition. Note that SharePoint Online in Microsoft 365 is not impacted. 

How to remediate ToolShell

As mentioned, it’s important to patch or mitigate these vulnerabilities immediately:

  1. If you haven’t done so already, install the July 2025 Security Updates.
  2. Patch your SharePoint servers:
     • If you have Microsoft SharePoint Server Subscription Edition: KB5002768
     • If you have Microsoft SharePoint Server 2019 Core: KB5002754
     • If you have Microsoft SharePoint Enterprise Server 2016: (no patch released yet)
  3. Rotate machine keys.
  4. If you cannot patch (for instance, if you have SharePoint Enterprise Server 2016) and your SharePoint Server is exposed to the Internet, temporarily disconnect it from the Internet.
  5. Ensure the Antimalware Scan Interface (AMSI) is turned on and Full Mode is enabled for optimal protection, along with an appropriate antivirus solution.
  6. Check for indicators of compromise (see below).
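Step 3 above (rotate machine keys) is the one that is easy to get wrong by only rotating a single web application. The script below is an added example, not code from the original post or from Mondoo; it assumes a SharePoint Server 2019 or Subscription Edition farm where Microsoft’s Update-SPMachineKey cmdlet is available, and that you run it in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example (not from the original post): rotate the ASP.NET machine keys of
# every SharePoint web application after patching, then recycle IIS so the new
# keys take effect. Leaked machine keys let an attacker keep forging ViewState
# even on a patched server, so rotation is part of remediation, not optional.
#
# Assumption: SharePoint 2019 / Subscription Edition, where Update-SPMachineKey
# exists. On farms without it, use the Machine Key Rotation job in Central
# Administration instead.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available on this farm; rotate keys via Central Administration instead."
}

# Rotate every web application, including Central Administration, so no
# application is left running on the old (potentially stolen) keys.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Output ("Rotating machine keys for {0} ({1})" -f $wa.DisplayName, $wa.Url)
    Update-SPMachineKey -WebApplication $wa
}

# The new keys are only picked up after IIS restarts. Run this on EVERY
# SharePoint server in the farm, not just the one where the script ran.
iisreset
```

Rotate keys only after the July security updates and the ToolShell patch are installed; rotating on an unpatched server just hands the attacker a fresh set of keys to steal.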

Indicators of Compromise for CVE-2025-53770

To find out if your system has been compromised, check the following:

  • Check for the presence of spinstall0.aspx: this file is a key indicator of post-exploitation activity.
  • Look for suspicious file activity within the _layouts folders of SharePoint (e.g., Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS or Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS).
  • Check if there are any unusual file names within the SharePoint installation directories or related web application directories.
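The checks in the list above, as an added example script that is not part of the original post and not Mondoo code. It assumes a default SharePoint install under Common Files (the two LAYOUTS paths named above) and a 14-day look-back window for “recent” file activity; both are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): hunt for ToolShell post-exploitation
# artifacts on an on-prem SharePoint server. Run in an elevated PowerShell session.
# Assumption: default install path under Common Files; adjust $layoutDirs otherwise.
$layoutDirs = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
) | Where-Object { Test-Path $_ }

# Assumption: how far back "recent" reaches. Tune to your patch/change history.
$since   = (Get-Date).AddDays(-14)
$webExts = @('.aspx', '.ashx', '.asmx')
$findings = @()

foreach ($dir in $layoutDirs) {
    $files = Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue

    # 1. The known artifact named in the post, anywhere below LAYOUTS.
    $files | Where-Object { $_.Name -ieq 'spinstall0.aspx' } | ForEach-Object {
        $findings += [pscustomobject]@{ Reason = 'known artifact spinstall0.aspx'
                                        Path = $_.FullName; Modified = $_.LastWriteTime }
    }

    # 2. Any server-side web file created or written recently. LAYOUTS is a static,
    #    product-owned tree; new .aspx files there outside of patching are suspicious.
    $files | Where-Object {
        $webExts -contains $_.Extension -and
        ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since)
    } | ForEach-Object {
        $findings += [pscustomobject]@{ Reason = 'recently written web file'
                                        Path = $_.FullName; Modified = $_.LastWriteTime }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No ToolShell indicators found under: $($layoutDirs -join '; ')"
} else {
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize
    # Preserve evidence before anyone cleans up: hash every hit for the IR record.
    $findings | ForEach-Object { Get-FileHash -Algorithm SHA256 -Path $_.Path } | Format-List
}
```

Expect the “recently written web file” check to fire right after you install the security updates, since the patch rewrites files under LAYOUTS; compare hits against a known-good server or the KB’s file list, and treat any unexplained file as an incident rather than deleting it.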

We’re actively monitoring the situation at Mondoo and will be updating the blog accordingly. If you need any help remediating these CVEs, please do not hesitate to contact us.

Deborah Galea

Deborah is Director of Product Marketing at Mondoo and leads messaging and positioning, product launches, and sales enablement. She has 20+ years of experience in the cybersecurity industry. Prior to Mondoo, Deborah was Director of Product Marketing at Orca Security and held various marketing positions at other cybersecurity companies. She co-founded email security company Red Earth Software, which was acquired by cybersecurity firm OPSWAT in 2014.

Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.
