
ToolShell: Remote Code Execution in Microsoft SharePoint (CVE-2025-53770)

On July 19, 2025, a critical remote code execution (RCE) vulnerability, CVE-2025-53770 (also referred to as ToolShell), was publicly disclosed, affecting on-premises Microsoft SharePoint Server installations. The flaw lets unauthenticated attackers execute arbitrary code remotely through insecure deserialization. Given how widely SharePoint is deployed and how often it is exposed to the internet, the potential for compromise is substantial, and exploitation in the wild has been confirmed.

Vulnerability Overview

CVE-2025-53770 abuses a flaw in SharePoint's ViewState deserialization, reached through the endpoint /_layouts/15/ToolPane.aspx. The attacker sends a request to that endpoint with a Referer header pointing to /_layouts/SignOut.aspx, which bypasses authentication, and supplies a deserialization payload that places a crafted .aspx file (e.g., spinstall0.aspx) on the server. Once requested, that file extracts the ASP.NET machine keys (ValidationKey and DecryptionKey) from the server, and with those keys the attacker can forge ViewState data that the server accepts as legitimate. Because stolen keys stay valid after the patch is installed, remediation also requires rotating the machine keys, not just patching.

This vulnerability falls under OWASP A08:2021 – Software and Data Integrity Failures, since its root cause is insecure deserialization. The attack chain may also involve two related vulnerabilities, CVE-2025-49706 and CVE-2025-49704, which amplify the impact. CVE-2025-53770 is classified as a critical pre-authentication remote code execution vulnerability, with an estimated CVSS score…
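The request pattern described above translates directly into a log check. The following is an added example, not code from the original post: it parses constructed IIS W3C log lines (placeholder IPs, hostname and timestamps; the field layout is assumed to follow the #Fields directive as IIS writes it) and flags POSTs to /_layouts/15/ToolPane.aspx that carry a /_layouts/SignOut.aspx Referer, plus any request for spinstall0.aspx.

```python
"""
Scan IIS W3C log lines for the ToolShell request pattern:
a POST to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx,
and any request for the dropped spinstall0.aspx page.
"""
from typing import Dict, Iterable, List

# Constructed sample log (not from a real incident). IPs, hostname and
# timestamps are placeholders; the layout follows the IIS W3C format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-19 10:01:02 203.0.113.5 GET /_layouts/15/start.aspx - 200 -
2025-07-19 10:02:10 203.0.113.7 POST /_layouts/15/ToolPane.aspx - 200 https://sp.example.test/_layouts/SignOut.aspx
2025-07-19 10:02:15 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-19 10:05:00 203.0.113.9 POST /_layouts/15/ToolPane.aspx - 401 https://sp.example.test/_layouts/15/start.aspx
2025-07-19 10:06:30 203.0.113.11 GET /_layouts/SignOut.aspx - 200 -
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"   # compared case-insensitively
SIGNOUT = "/_layouts/signout.aspx"
WEBSHELL = "spinstall0.aspx"


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn IIS W3C lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the directive defines the column order
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip truncated lines rather than guess
        records.append(dict(zip(fields, values)))
    return records


def find_toolshell_indicators(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag records matching either indicator. A plain POST to ToolPane.aspx is
    normal editor traffic, so only the SignOut.aspx Referer combination is flagged."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        method = rec.get("cs-method", "").upper()
        indicator = None
        if method == "POST" and stem.endswith(TOOLPANE) and SIGNOUT in referer:
            indicator = "toolpane_post_with_signout_referer"
        elif stem.endswith("/" + WEBSHELL):
            indicator = "spinstall0_webshell_request"
        if indicator:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "ip": rec["c-ip"],
                "status": rec["sc-status"],
                "indicator": indicator,
            })
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse then flag."""
    return find_toolshell_indicators(parse_w3c(log_text.splitlines()))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Point `scan` at the real W3C logs under the site's log directory. The parser keys on the #Fields directive, so it works with the default field set as long as cs(Referer) is among the logged fields; a 401 on the ToolPane POST is not a reason to ignore a hit, since the Referer combination is the indicator, not the status code.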

