
Action Required: Microsoft SharePoint On-prem ToolShell Vulnerabilities (CVE-2025-53770 and CVE-2025-53771)

Over the weekend, more than 50 organizations were compromised by attackers exploiting two new CVEs in on-prem Microsoft SharePoint Servers, tracked as CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.3) and dubbed 'ToolShell'. Exploitation gives an attacker unauthenticated Remote Code Execution (RCE) on the server and therefore poses a significant risk to affected organizations. Because these vulnerabilities are already being exploited in the wild, patch or mitigate them immediately. Read on to understand the vulnerabilities, who is affected, and how to remediate quickly.

Note that this is an evolving situation, we’ll update this blog as soon as more information becomes available. July 21st, 2025 update: Patch released for Microsoft SharePoint Enterprise Server 2016 (see below).

What are CVE-2025-53770 and CVE-2025-53771?

Here’s a breakdown of each SharePoint CVE:

  • CVE-2025-53770 is a critical unauthenticated remote code execution vulnerability caused by deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server. CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog.
  • CVE-2025-53771 is a medium-severity server spoofing vulnerability caused by improper limitation of a pathname to a restricted directory (path traversal).

Used together, these vulnerabilities let an attacker with no credentials gain full access to SharePoint content, including the server's file system and configuration, and execute arbitrary code over the network.

Microsoft has also stated that CVE-2025-53770 and CVE-2025-53771 are related to two earlier SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which could likewise result in remote code execution and which Microsoft patched in the July 2025 Patch Tuesday update. The new CVEs are, in effect, hardened replacements for those fixes.

Microsoft said that 'The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704, and the update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.'

Who is affected by CVE-2025-53770 and CVE-2025-53771?

The ToolShell CVEs affect on-premises installations of Microsoft SharePoint Server: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. SharePoint Online in Microsoft 365 is not impacted.

How to remediate ToolShell

As mentioned, it is important to patch or mitigate these vulnerabilities immediately:

  1. If you haven't done so already, install the July 2025 Security Updates.
  2. Patch your SharePoint servers:
  • If you have Microsoft SharePoint Server Subscription Edition: KB5002768
  • If you have Microsoft SharePoint Server 2019 Core: KB5002754
  • If you have Microsoft SharePoint Enterprise Server 2016: KB5002759 and KB5002760
  3. Rotate the ASP.NET machine keys and then restart IIS (iisreset). Do this after patching (or after enabling AMSI, if you cannot patch yet) on every server in the farm: attackers have been stealing the MachineKey values from compromised servers, and a stolen ValidationKey lets them keep forging signed __VIEWSTATE payloads against an otherwise patched server. Microsoft's documented methods are the Update-SPMachineKey cmdlet or the machine key rotation option in Central Administration, depending on your version.
  4. If you cannot patch immediately and your SharePoint Server is exposed to the Internet, temporarily disconnect it from the Internet.
  5. Ensure the Antimalware Scan Interface (AMSI) is turned on and enable Full Mode for optimal protection, together with an up-to-date antivirus solution such as Microsoft Defender Antivirus.
  6. Check for indicators of compromise (see below). Patching does not evict an attacker who is already on the server.

Indicators of Compromise for CVE-2025-53770

To find out whether your system has already been compromised, check the following on every SharePoint server in the farm:

  • Check for the presence of spinstall0.aspx: this file is the key indicator of post-exploitation activity. It is not a classic web shell; the copies observed in the wild read the server's ASP.NET MachineKey (ValidationKey and DecryptionKey) and return it to the attacker, which is why the machine keys must be rotated after patching.
  • Look for suspicious file activity within the _layouts folders of SharePoint (e.g., Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS or Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS). Compare file creation and modification times against the time you installed the security updates, since the updates also write into these folders.
  • Check for unusual file names within the SharePoint installation directories or related web application directories, and for any .aspx file in those locations that you did not deploy yourself.
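The following script is an added example, not Mondoo's or Microsoft's code, that turns the three checks above into a first-pass triage you can run in an elevated PowerShell session on each SharePoint server. It looks for spinstall*.aspx in both LAYOUTS hives, lists files written there since a cut-off date, flags server-side pages that read the ASP.NET machine key (the behaviour of the spinstall0.aspx seen in the wild), and greps the IIS logs for requests to the artifact. It assumes the default install root under Common Files\microsoft shared\Web Server Extensions and the default IIS log location; the -Since cut-off, the report file name and the ToolPane.aspx request pattern (taken from Microsoft's public ToolShell guidance, not from this post) are assumptions to adjust for your environment.

```powershell
<#
 Added example (not Mondoo's or Microsoft's code): first-pass ToolShell triage for
 on-prem SharePoint. Run elevated, on every server in the farm.
 Assumptions (adjust as needed):
   - SharePoint hives under $env:CommonProgramFiles\microsoft shared\Web Server Extensions
   - IIS W3C logs under %SystemDrive%\inetpub\logs\LogFiles
   - anything written to LAYOUTS on or after -Since deserves a look
#>
param(
    [datetime]$Since      = [datetime]'2025-07-18',
    [string]  $IisLogRoot = (Join-Path $env:SystemDrive 'inetpub\logs\LogFiles')
)

$sinceUtc = $Since.ToUniversalTime()
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
}

# Both hives can exist on 2016/2019/Subscription Edition; check whichever are present.
$layoutsDirs = foreach ($hive in '15', '16') {
    $p = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\$hive\TEMPLATE\LAYOUTS"
    if (Test-Path $p) { $p }
}

foreach ($dir in $layoutsDirs) {
    # 1. The known post-exploitation file, plus renamed siblings such as spinstall1.aspx.
    Get-ChildItem -Path $dir -Recurse -File -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'spinstall artifact' $_.FullName "written $($_.LastWriteTimeUtc.ToString('u'))" }

    # 2. Anything created or modified under LAYOUTS since the cut-off. Security updates
    #    also write here, so compare these timestamps with your patch install time.
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -ge $sinceUtc -or $_.CreationTimeUtc -ge $sinceUtc } |
        ForEach-Object { Add-Finding 'recent file in LAYOUTS' $_.FullName "written $($_.LastWriteTimeUtc.ToString('u'))" }

    # 3. Heuristic: server-side pages that read the ASP.NET machine key. The observed
    #    spinstall0.aspx dumps ValidationKey/DecryptionKey; legitimate LAYOUTS pages do not.
    Get-ChildItem -Path $dir -Recurse -File -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'MachineKeySection|ValidationKey|DecryptionKey' -List |
        ForEach-Object { Add-Finding 'page reads machine key' $_.Path "matched '$($_.Matches[0].Value)' on line $($_.LineNumber)" }
}

# 4. IIS W3C logs: requests for the artifact itself, and the request shape Microsoft
#    published for the exploit (ToolPane.aspx with DisplayMode=Edit). W3C logging writes
#    cs-uri-stem and cs-uri-query as separate space-separated fields, hence the \s+.
if (Test-Path $IisLogRoot) {
    Get-ChildItem -Path $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -ge $sinceUtc } |
        Select-String -Pattern 'spinstall\d*\.aspx', '/ToolPane\.aspx\s+\S*DisplayMode=Edit' |
        ForEach-Object { Add-Finding 'suspicious IIS request' "$($_.Path):$($_.LineNumber)" $_.Line.Trim() }
}

# Write a per-host CSV (assumed name) so results from the whole farm can be merged.
$report = Join-Path $PWD "toolshell-triage-$env:COMPUTERNAME.csv"
$findings | Export-Csv -Path $report -NoTypeInformation
if ($findings.Count -eq 0) {
    Write-Host "No ToolShell indicators found on $env:COMPUTERNAME (checked: $($layoutsDirs -join ', '))"
} else {
    Write-Warning "$($findings.Count) finding(s) on $env:COMPUTERNAME; details in $report"
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit from check 1, 3 or 4 means you should treat the host as compromised: preserve the file and the IIS logs for forensics instead of deleting them, then patch, rotate the machine keys and restart IIS, because a stolen ValidationKey stays usable against a patched server until it is replaced. Check 2 is noisy in the days after installing the KBs and is meant to prompt a manual look, not to be an alert on its own. A clean run proves only that these particular indicators are absent, not that the server was never compromised.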


How Mondoo can help

Mondoo scans your Microsoft SharePoint servers for vulnerabilities and alerts you if it detects CVE-2025-53770 or CVE-2025-53771. If either CVE is found, you can act immediately and create a remediation ticket straight from the platform.

Mondoo has detected the CVEs on SharePoint 2019

We’re actively monitoring the situation at Mondoo and will be updating the blog accordingly. If you need any help remediating these CVEs, please do not hesitate to contact us.

About Mondoo

Mondoo is an exposure management platform that identifies, prioritizes, and remediates vulnerabilities and misconfigurations in your entire IT infrastructure and SDLC from a single interface — including on-prem, cloud, SaaS, and endpoints. Unlike siloed approaches, Mondoo enables you to quickly understand your most urgent risks and initiate fast remediation, ensuring optimized security efforts and significantly improving security posture.

Deborah Galea

Deborah is Director of Product Marketing at Mondoo, where she leads messaging and positioning, product launches, and sales enablement. She has more than 20 years of experience in the cybersecurity industry. Before joining Mondoo, Deborah was Director of Product Marketing at Orca Security and held various marketing positions at other cybersecurity companies. She co-founded the email security company Red Earth Software, which was acquired by the cybersecurity company OPSWAT in 2014.

Chris Hartmann

Christoph Hartmann, co-founder and CTO of Mondoo, wants to make the world more secure. He has long been a leader in security engineering and DevOps and has built widely used solutions such as Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorms robots.
