Update 2025/07/22: Microsoft has released a security update for SharePoint Enterprise Server 2016. The update, with the ID KB5002760, is available at the following link.

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. The update for SharePoint Server 2016 has also been released.

These two vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates, Microsoft also recommends that users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity and Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 and 19, 2025.

Vulnerability details 

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-49704 and CVE-2025-49706. A key characteristic of the earlier vulnerabilities was that the attacker needed to be authenticated in order to obtain a valid signature, by extracting the ValidationKey from memory or configuration. With CVE-2025-53770 and CVE-2025-53771, attackers have eliminated the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution.

Microsoft has already provided patches for most versions of SharePoint Server. As an alternative option, Microsoft recommends that the Antimalware Scan Interface (AMSI) be turned on and configured correctly with the associated antivirus solution.

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done either manually via PowerShell or via Central Admin.

Coverage 

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally, Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.

ClamAV detections: Asp.Webshell.SharpyShell-10056352-3

The Splunk Threat Research Team has developed detection analytics targeting CVE-2025-53770 exploitation attempts and post-compromise activities. The security content includes rules to detect suspicious SharePoint requests to the vulnerable ToolPane endpoint and the characteristic authentication bypass patterns observed in ToolShell campaigns.

Additionally, the detection content covers post-exploitation behaviors including malicious PowerShell execution, suspicious child processes spawned by w3wp.exe (SharePoint worker processes), and SharePoint-specific indicators like the creation of spinstall0.aspx web shells. These analytics provide security teams with comprehensive visibility into both initial exploitation attempts and subsequent attacker activities, enabling faster detection and response to ToolShell compromises. The analytics can be found at https://research.splunk.com/.
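As an added example (not Talos's or Splunk's own content), the following Python shows how the three post-exploitation indicators listed above could be checked against normalized telemetry; the record schema, the sample records and the list of suspicious child images are assumptions.

```python
import ntpath
import re
from typing import Optional

# Constructed telemetry records (not taken from the post), in the shape a SIEM
# normalizes web requests, process creations and file writes to.
SAMPLE_EVENTS = [
    {"type": "web", "method": "POST", "path": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit"},
    {"type": "web", "method": "GET", "path": "/sites/hr/Shared%20Documents/Forms/AllItems.aspx"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"type": "file", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\spinstall0.aspx"},
    {"type": "file", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"},
]

# ToolPane endpoint named in the post; the numeric hive segment in the URL is an assumption.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?ToolPane\.aspx", re.IGNORECASE)
WEBSHELL_NAME = "spinstall0.aspx"  # web shell file name named in the post
# Child images a SharePoint worker process has no routine reason to launch (assumption).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify(event: dict) -> Optional[str]:
    """Map one normalized record to an alert name, or None when no rule matched."""
    kind = event["type"]
    if kind == "web":
        # Scoping to POST is an assumption; editors also load ToolPane.aspx legitimately,
        # so baseline this rule in your environment before paging on it.
        if event["method"].upper() == "POST" and TOOLPANE_RE.search(event["path"]):
            return "sharepoint_toolpane_post"
    elif kind == "process":
        parent = ntpath.basename(event["parent"]).lower()
        child = ntpath.basename(event["image"]).lower()
        if parent == "w3wp.exe" and child in SHELL_CHILDREN:
            return "w3wp_spawned_shell"
    elif kind == "file":
        if ntpath.basename(event["path"]).lower() == WEBSHELL_NAME:
            return "spinstall0_webshell_written"
    return None

def triage(events) -> list:
    """Return (index, alert) pairs for every record that matched a rule."""
    return [(i, alert) for i, ev in enumerate(events) if (alert := classify(ev))]

if __name__ == "__main__":
    for i, alert in triage(SAMPLE_EVENTS):
        print(f"event {i}: {alert}")
```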

Malicious Process Creation By Microsoft Exchange Server IIS triggers on creation of the webshell payload.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (vulnerability) and 65183 (webshell).