CVE-2025-53770 & CVE-2025-53771 (CVSS 9.8): Critical On-Prem SharePoint Vulnerabilities
Estimated reading time: 10 minutes
Key Takeaways:
- Critical vulnerabilities CVE-2025-53770 and CVE-2025-53771 affect on-premise Microsoft SharePoint servers, potentially allowing remote code execution (RCE).
- Exploitation attempts are actively underway, necessitating immediate patching and mitigation efforts.
- The vulnerabilities bypass previous patches for related “ToolShell” exploits, increasing the risk to unpatched systems.
- China-linked hacking groups are among those exploiting these vulnerabilities for cyber-espionage.
- Immediate actions include applying patches, assuming compromise, and enhancing monitoring capabilities.
Table of Contents:
- Understanding CVE-2025-53770 & CVE-2025-53771
- Timeline of Exploitation
- Technical Analysis of the Vulnerabilities
- Observed Threat Actor Activity
- Recommendations for Mitigation
- Incident Response Investigation Recommendations
- Practical Takeaways
- How PurpleOps Can Help
- FAQ
Understanding CVE-2025-53770 & CVE-2025-53771
This blog post provides an analysis of two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, affecting on-premise Microsoft SharePoint servers. These vulnerabilities could allow for remote code execution (RCE), posing a significant risk to organizations that have not yet applied the necessary patches. This analysis is based on recent reports of active exploitation attempts and aims to provide actionable insights for both technical and non-technical readers.
Two zero-day vulnerabilities, CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.3), have been identified in on-premise Microsoft SharePoint servers. If exploited, these vulnerabilities could allow an unauthorized user to execute remote code over a network, leading to potential system compromise. The affected versions include Subscription Edition (KB5002768), SharePoint 2019 (KB5002754), and SharePoint 2016 (KB5002760).
These vulnerabilities are related to the “ToolShell” vulnerabilities, CVE-2025-49706 and CVE-2025-49704, which were patched in Microsoft’s July Patch Tuesday. The newer vulnerabilities (CVE-2025-53770 and CVE-2025-53771) bypass the previous patches, enabling attackers to gain entry and perform attacks against on-premise SharePoint servers.
Timeline of Exploitation
Understanding the timeline of these vulnerabilities is critical for assessing risk and prioritizing mitigation efforts:
- May 2025: The ToolShell exploit chain, utilizing CVE-2025-49704 (deserialization RCE) and CVE-2025-49706 (auth bypass), was demonstrated at Pwn2Own Berlin by Viettel Cyber Security.
- July 9, 2025 (Patch Tuesday): Microsoft released patches for CVE-2025-49704 and CVE-2025-49706.
- July 14, 2025: CODE WHITE GmbH reproduced the ToolShell exploit chain.
- July 18, 2025: Eye Security observed active exploitation of SharePoint servers, initially attributed to the previous CVEs.
- Evening of July 18, 2025: Eye Security discovered that the attacks were leveraging a new zero-day vulnerability.
- July 20, 2025: Microsoft officially acknowledged active attacks and assigned CVE-2025-53770, adding it to CISA’s Known Exploited Vulnerabilities catalog.
- July 20-21, 2025: Microsoft released emergency patches for SharePoint Server Subscription Edition and 2019; patches for SharePoint 2016 were still under development.
- July 21, 2025: Active monitoring revealed threat actors leveraging webshells and varied attack patterns.
- July 22, 2025: Microsoft attributed the initial zero-day and related SharePoint attacks to China-linked hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. Follow-on threat actor groups have begun weaponizing the vulnerability for eCrime/financially motivated purposes.
Technical Analysis of the Vulnerabilities
While detailed technical specifics of the vulnerabilities themselves require in-depth reverse engineering, we can summarize based on available information:
- CVE-2025-53770: Likely involves an authentication bypass combined with a flaw allowing for arbitrary code execution. The authentication bypass allows attackers to reach vulnerable code without valid credentials.
- CVE-2025-53771: May involve a separate path to arbitrary code execution or privilege escalation within the SharePoint environment.
The combination of these vulnerabilities allows an attacker to bypass security measures and execute commands on the SharePoint server.
Observed Threat Actor Activity
Analysis reveals a pattern of exploitation and post-exploitation activities associated with these vulnerabilities.
China-Nexus APT Activity Targeting SAP NetWeaver
EclecticIQ analysts assess that China-nexus nation-state APTs (advanced persistent threats) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. The actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE). Chinese cyber-espionage units identified from threat actor tradecraft patterns include UNC5221, UNC5174 and CL-STA-0048.
UNC5174 very likely deployed a webshell in SAP NetWeaver to execute Bash commands via the endpoint helper.jsp; UNC5174 is seeking to establish architecture-aware, persistent access through in-memory malware.
Following initial compromise via CVE-2025-31324, the China-nexus threat actors conducted reconnaissance on infected SAP NetWeaver hosts by executing remote Linux commands using webshells. In most of the incidents, threat actors performed network discovery using commands like arp -a and by parsing /etc/hosts.
Exploitation of WinRAR Zero-Day
The zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, allowed threat actors to execute arbitrary code by crafting malicious archive files. This was exploited by Russia-aligned group RomCom. The attacks used spearphishing campaigns to target financial, manufacturing, defense, and logistics companies in Europe and Canada.
Once a victim opens a seemingly benign file, WinRAR unpacks it along with all its ADSes. For example, for Eli_Rosenfeld_CV2 – Copy (10).rar, a malicious DLL is deployed into %TEMP%. Likewise, a malicious LNK file is deployed into the Windows startup directory, thereby achieving persistence via execution on user login.
Also, RomCom hijacks CLSIDs for persistence. The backdoor commonly used by the group is capable of executing commands and downloading additional modules to the victim’s machine.
Ivanti EPMM Bugs
Ivanti disclosed two vulnerabilities which affect their on-premise Endpoint Manager Mobile product: CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (an authenticated RCE vulnerability). When chained together they provide a route for an unauthenticated remote attacker to execute malicious code on affected EPMM instances.
Sitecore Zero-Day
Sitecore published a bulletin on Wednesday about CVE-2025-53690, which affects several of the company’s products. A key issue with the bug is the use of a sample machine key that was included in Sitecore deployment guides from 2017 and earlier. Many customers simply used the sample machine key and never rotated it to something new.
The attacker then attempted to access sensitive files and create administrator accounts.
Zoomcar API Breach
There was an unpatched API flaw that leaked 8.4 million user records: names, emails, vehicle registration numbers and profiles. While no ransomware or extortion was detected, the exposed dataset offers a tempting goldmine for identity theft, spear-phishing campaigns, and vehicle-related scams.
Recommendations for Mitigation
Given the active exploitation of these vulnerabilities, immediate action is required. Key recommendations include:
- Apply Patches Immediately: Install the security updates released by Microsoft for SharePoint Server Subscription Edition and SharePoint 2019. If patches for SharePoint 2016 are not yet available, monitor Microsoft’s Security Update Guide for release information and apply them as soon as possible.
- Assume Compromise: If your SharePoint server was internet-facing during the period these CVEs were actively exploited, assume a compromise has occurred.
- Isolate and Investigate: Isolate potentially affected SharePoint servers pending patch application and a thorough incident response investigation.
- Enable AMSI in Full Mode: Enable Antimalware Scan Interface (AMSI) in Full Mode on SharePoint servers to enhance detection capabilities.
- Rotate ASP.NET Machine Keys: Rotate ASP.NET Machine Keys after patching or enabling AMSI using PowerShell (Update-SPMachineKey) or through Central Admin. Then, restart IIS with iisreset.exe.
- Restrict Access to Visual Composer Paths: Restrict access to `/developmentserver/metadatauploader` to internal, authenticated IP ranges.
- Enhanced Monitoring: Enhance server logging (IIS, Sysmon, Windows Event) to detect abnormal POSTs, new file writes under layouts, and suspicious script execution chains.
- Scan for .aspx webshells: Scan for .aspx webshells in layouts folder (e.g., spinstall0.aspx) and other suspicious files, focusing on recently created files.
Incident Response Investigation Recommendations
- Search for Suspicious POST Requests: Look for POST requests containing `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`.
- Check Referer Headers: Look for the Referer header `/_layouts/SignOut.aspx` and potentially the user agent `Firefox/120.0` or its URL-encoded form.
- Rotate SharePoint ASP.NET Machine Keys: These keys were targeted by the initial threat actor to generate valid ViewState tokens.
- Scan for Webshells: Search for unauthorized `.aspx` files (e.g., `spinstall0.aspx`) in the `\layouts` folder.
- Investigate PowerShell Execution: Investigate `w3wp.exe` processes spawning encoded PowerShell scripts. Look for process chains like `w3wp.exe → cmd.exe → PowerShell`.
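The request-level indicators above (the ToolPane.aspx POST, the SignOut.aspx Referer, the Firefox/120.0 user agent, and requests for spinstall0.aspx) can be hunted in IIS W3C logs with a short script. The following is an added example written for this post, not PurpleOps tooling; the log excerpt is constructed for illustration and the field list is assumed from a typical IIS logging configuration.

```python
"""Hunt IIS W3C logs for the ToolShell request indicators listed above."""
from urllib.parse import unquote

# Constructed sample IIS log excerpt (not real traffic). IIS writes '+' for spaces.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:14:01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200
2025-07-18 22:14:05 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=b 203.0.113.10 curl/8.4.0 %2F_layouts%2FSignOut.aspx 200
2025-07-18 22:15:00 GET /sites/team/default.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126.0 https://intranet.example/home 200
2025-07-18 22:16:30 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 python-requests/2.32 - 200
"""

def parse_iis_log(text):
    """Parse W3C extended-format lines, using the #Fields directive for column names."""
    fields, rows = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        row = dict(zip(fields, values))
        row["_line"] = lineno
        rows.append(row)
    return rows

def toolshell_indicators(row):
    """Return the indicators from the post that match a single log row."""
    hits = []
    method = row.get("cs-method", "").upper()
    stem = unquote(row.get("cs-uri-stem", "")).lower()
    query = unquote(row.get("cs-uri-query", "")).lower()   # decode URL-encoded forms
    referer = unquote(row.get("cs(Referer)", "")).lower()
    agent = unquote(row.get("cs(User-Agent)", "")).lower()
    if method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx") and "displaymode=edit" in query:
        hits.append("POST to ToolPane.aspx with DisplayMode=Edit")
    if referer.endswith("/_layouts/signout.aspx"):
        hits.append("Referer /_layouts/SignOut.aspx")
    if "firefox/120.0" in agent:
        hits.append("User-Agent Firefox/120.0")
    if stem.rsplit("/", 1)[-1] == "spinstall0.aspx":
        hits.append("request for spinstall0.aspx")
    return hits

def hunt(text):
    """Return one finding per log row that matches at least one indicator."""
    findings = []
    for row in parse_iis_log(text):
        hits = toolshell_indicators(row)
        if hits:
            findings.append({"line": row["_line"], "client": row.get("c-ip"), "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {', '.join(f['indicators'])}")
```

A single indicator such as the user agent is weak on its own; rows that combine the ToolPane.aspx POST with the SignOut.aspx Referer deserve the highest priority for the investigation steps that follow.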
Practical Takeaways
- Technical Readers: Implement the detailed technical steps for patching, AMSI configuration, key rotation, and threat hunting described above. Use a cyber threat intelligence platform to integrate threat intelligence and detections.
- Non-Technical Readers: Ensure that your IT and security teams are aware of these vulnerabilities and are actively implementing the recommended mitigation steps. Prioritize patching and incident response activities.
How PurpleOps Can Help
PurpleOps offers a range of services to help organizations protect themselves against vulnerabilities like CVE-2025-53770 and CVE-2025-53771:
- Cyber Threat Intelligence: Proactive identification of emerging threats and vulnerabilities.
- Breach Detection: Identify suspicious .aspx files using breach detection.
- Supply Chain Risk Monitoring: Detect unusual RFC requests or new administrative accounts using supply-chain risk monitoring.
- Real-time Ransomware Intelligence: Real-time insight into ransomware attack patterns and indicators.
- Dark Web Monitoring Service: Discover .aspx webshells using underground forum intelligence and dark web monitoring service.
- Incident Response: Expert assistance in investigating and remediating potential compromises.
- Telegram Threat Monitoring: Get threat alerts from different locations using telegram threat monitoring and brand leak alerting.
- Underground Forum Intelligence: Monitor underground forums to detect planned exploits.
- Brand Leak Alerting: Prevent attacks using a live ransomware API and real-time brand leak alerting.
- Penetration Testing: Simulate real-world attacks to identify vulnerabilities in your systems.
- Red Team Operations: Advanced security assessments to test your organization’s defenses.
- Managed Detection and Response (MDR): Continuous monitoring and response to security incidents.
We can also protect you from zero-day exploits, prevent attacks on your external attack surface, and provide a live ransomware API to prevent any damage.
By leveraging these services, organizations can significantly reduce their risk exposure and improve their overall security posture.
For more information about how PurpleOps can help protect your organization, visit PurpleOps Platform, PurpleOps Solutions, or Cyber Threat Intelligence. Contact us today to schedule a consultation.
FAQ
Q: What SharePoint versions are affected by CVE-2025-53770 and CVE-2025-53771?
A: The affected versions include Subscription Edition (KB5002768), SharePoint 2019 (KB5002754), and SharePoint 2016 (KB5002760).
Q: What is the potential impact of these vulnerabilities?
A: If exploited, these vulnerabilities could allow an unauthorized user to execute remote code over a network, leading to potential system compromise.
Q: What immediate actions should be taken to mitigate these vulnerabilities?
A: Key recommendations include applying patches immediately, assuming compromise, isolating and investigating potentially affected servers, enabling AMSI in Full Mode, and rotating ASP.NET Machine Keys.