Microsoft Releases Emergency Patches for SharePoint RCE Flaws Exploited in Attacks
Estimated reading time: 8 minutes
Key takeaways:
- Microsoft has released emergency security updates to address two zero-day vulnerabilities in SharePoint.
- These vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, are actively being exploited in “ToolShell” attacks.
- Organizations are advised to apply the updates immediately and rotate SharePoint machine keys.
- Log analysis and threat hunting are crucial for detecting and mitigating potential breaches.
- PurpleOps provides cybersecurity services that can help organizations address these vulnerabilities.
Table of contents:
- SharePoint RCE Flaws: Emergency Patches Released
- Background
- Technical Details of the Vulnerabilities
- Emergency Updates and Mitigation Steps
- Manually via PowerShell
- Manually via Central Admin
- Log Analysis and Threat Hunting
- Impact on Organizations
- Relevance to PurpleOps Services
- Actionable Advice
- Technical Readers
- Non-Technical Readers (Business Leaders)
- FAQ
Microsoft has issued emergency security updates to address two zero-day vulnerabilities in SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771. These flaws are actively being exploited in what is referred to as “ToolShell” attacks, impacting SharePoint services globally. This blog post provides a technical overview of the vulnerabilities, the attacks, and the necessary steps to mitigate the risks, with insights relevant to both technical cybersecurity personnel and business leaders.
SharePoint RCE Flaws: Emergency Patches Released
The need for immediate action is underscored by the active exploitation of these vulnerabilities. The vulnerabilities allow for remote code execution (RCE), meaning attackers can potentially gain control of affected SharePoint servers. Securing these servers is vital for maintaining business operations and protecting sensitive data.
Background
In May 2025, during the Pwn2Own hacking contest in Berlin, a vulnerability chain dubbed “ToolShell” was demonstrated, achieving remote code execution on Microsoft SharePoint. While initial fixes were implemented as part of the July Patch Tuesday updates, threat actors quickly discovered bypasses in the form of two new zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771. These vulnerabilities are now being actively exploited in the wild.
Over 54 organizations have been impacted by these ToolShell attacks targeting SharePoint servers. The attacks leverage the remote code execution vulnerabilities to compromise systems. Given the widespread use of SharePoint in enterprise environments, the potential impact of these vulnerabilities is significant.
Technical Details of the Vulnerabilities
CVE-2025-53770 and CVE-2025-53771 are remote code execution vulnerabilities that exist in Microsoft SharePoint Subscription Edition and SharePoint 2019. Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The specific technical details of how the bypasses work have not been publicly disclosed by Microsoft, likely to prevent further exploitation before all systems are patched.
The vulnerabilities stem from inadequate input validation, allowing attackers to inject malicious code through crafted requests. Successful exploitation requires the attacker to authenticate to SharePoint; however, once authenticated, the attacker can leverage these vulnerabilities to escalate privileges and execute code remotely.
Emergency Updates and Mitigation Steps
Microsoft has released out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 to address these critical vulnerabilities. The updates for SharePoint 2016 are still in progress and have not yet been released.
The available security updates are:
- KB5002754 update for Microsoft SharePoint Server 2019
- KB5002768 update for Microsoft SharePoint Subscription Edition
Microsoft has stated that the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704, and the update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706. These updates address the vulnerabilities and should be applied as soon as possible.
In addition to installing the security updates, Microsoft advises SharePoint administrators to rotate the SharePoint machine keys. This can be done using one of the following methods:
Manually via PowerShell
Use the Update-SPMachineKey cmdlet to update the machine keys.
Manually via Central Admin
- Navigate to the Central Administration site.
- Go to Monitoring -> Review job definition.
- Search for Machine Key Rotation Job and select Run Now.
- After the rotation has completed, restart IIS on all SharePoint servers using
iisreset.exe.
These steps ensure that even if an attacker had previously compromised the machine keys, they would no longer be valid after the rotation. Regularly rotating machine keys is a security best practice that helps to minimize the impact of potential key compromise.
Log Analysis and Threat Hunting
Administrators are also advised to analyze logs and file systems for the presence of malicious files or attempts at exploitation. Indicators of compromise (IOCs) include:
- Creation of
C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspxfile. - IIS logs showing a POST request to
\_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspxand a HTTP referer of\_layouts/SignOut.aspx.
Microsoft has shared the following Microsoft 365 Defender query to check if the spinstall0.aspx file was created on your server:
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
If the file exists, conduct a thorough investigation of the breached server and network to ensure the threat actors have not spread to other devices. This includes checking for lateral movement and any additional malicious activities.
Impact on Organizations
The impact of these vulnerabilities on organizations can be significant. Successful exploitation could lead to:
- Data breaches: Sensitive information stored on SharePoint servers could be accessed and exfiltrated by attackers.
- Ransomware attacks: Attackers could encrypt SharePoint data and demand a ransom for its release.
- Business disruption: Compromised SharePoint servers could be taken offline, disrupting critical business processes.
- Reputational damage: Data breaches and business disruptions can harm an organization’s reputation and erode customer trust.
Therefore, it is essential for organizations to take immediate action to mitigate the risks posed by these vulnerabilities.
Relevance to PurpleOps Services
PurpleOps provides a range of cybersecurity services that can assist organizations in addressing vulnerabilities like CVE-2025-53770 and CVE-2025-53771. These services include:
- Breach detection: Proactive identification of security breaches and vulnerabilities in real-time.
- PurpleOps Solutions: Continuous monitoring of your supply chain for potential security risks.
- PurpleOps Solutions: Alerts for unauthorized exposure of your brand assets or sensitive information.
Our cyber threat intelligence platform can provide real-time information about emerging threats and vulnerabilities, helping organizations stay ahead of potential attacks. We also offer PurpleOps Solutions to detect leaked credentials and other sensitive information that could be used to compromise your systems. For organizations seeking a more proactive approach, our PurpleOps Solutions and PurpleOps Solutions services can simulate real-world attacks to identify and address vulnerabilities before they can be exploited by malicious actors. Additionally, our PurpleOps Solutions assessments can help organizations understand and mitigate the risks associated with their third-party vendors. To specifically combat ransomware threats, we provide solutions like PurpleOps Solutions which offers advanced detection and prevention capabilities. We also offer PurpleOps Solutions to help organizations understand the threat landscape and proactively defend against potential attacks.
Furthermore, PurpleOps can assist organizations in implementing the recommended mitigation steps, such as applying security updates, rotating machine keys, and analyzing logs for suspicious activity. Our team of experienced security professionals can provide expert guidance and support to help you protect your SharePoint environment and other critical systems.
Actionable Advice
Technical Readers
- Immediately apply the Microsoft security updates KB5002754 and KB5002768 for SharePoint Server 2019 and SharePoint Subscription Edition, respectively.
- Rotate SharePoint machine keys using PowerShell or Central Admin.
- Analyze logs and file systems for IOCs, such as the creation of spinstall0.aspx file.
- Use the provided Microsoft 365 Defender query to check for the presence of malicious files.
- Implement PurpleOps Solutions to preemptively block ransomware attacks.
Non-Technical Readers (Business Leaders)
- Ensure your IT department is aware of these vulnerabilities and is taking immediate action to apply the necessary patches.
- Understand the potential business impact of a SharePoint compromise, including data breaches, ransomware attacks, and business disruption.
- Consider investing in a cyber threat intelligence platform to stay informed about emerging threats and vulnerabilities.
By following these steps, organizations can significantly reduce their risk of being compromised by the ToolShell attacks targeting SharePoint servers.
The discovery of CVE-2025-53770 and CVE-2025-53771 and their active exploitation highlight the necessity for organizations to maintain a strong security posture. Quick patching, proactive monitoring, and thorough log analysis are essential components of a successful security strategy. As demonstrated by the ToolShell attacks, threat actors are constantly seeking new ways to exploit vulnerabilities, making it critical to remain current with the latest security recommendations and to implement effective mitigation measures.
Contact PurpleOps to learn more about our cybersecurity services and how we can help you protect your organization from emerging threats.
FAQ
Q: What are CVE-2025-53770 and CVE-2025-53771?
A: They are remote code execution vulnerabilities in Microsoft SharePoint Subscription Edition and SharePoint 2019.
Q: How can I mitigate these vulnerabilities?
A: Apply the Microsoft security updates KB5002754 and KB5002768 and rotate SharePoint machine keys.
Q: What are the potential impacts of these vulnerabilities?
A: Data breaches, ransomware attacks, business disruption, and reputational damage.