Emergency Security Bulletin: Microsoft SharePoint Server Deserialization Remote Code Execution (ToolShell)


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Microsoft SharePoint Server Deserialization Remote Code Execution (ToolShell)


CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-53770
Exploit or POC: Yes – confirmed active exploit in the wild targeting on-premise SharePoint servers
Update CVE-2025-53770 – Microsoft Security Advisory

Description: CVE-2025-53770 is a critical deserialization vulnerability in on-premises Microsoft SharePoint Server. Attackers exploit it by sending specially crafted POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, enabling unauthenticated remote code execution. Known as "ToolShell," the flaw has resulted in widespread compromises, affecting at least 75 servers, including government, education, and enterprise systems. Exploitation has involved planting web shells (e.g., spinstall0.aspx), extracting ASP.NET machine keys, and deploying post-exploitation tools such as encoded PowerShell launched from w3wp.exe. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog with remediation required by July 21, 2025.

Mitigation Recommendation:

  • Apply July 2025 security updates for SharePoint Server Subscription Edition and SharePoint 2019 immediately. A patch for SharePoint 2016 is pending; disconnect those systems from the internet until updates are available.
  • Enable Antimalware Scan Interface (AMSI) integration in SharePoint in full mode and deploy Microsoft Defender Antivirus across all servers.
  • Rotate all ASP.NET machine keys and restart IIS after patching to invalidate any stolen credentials.
  • Update WAF/IDS/IPS rules to detect POST attempts to /ToolPane.aspx?DisplayMode=Edit and known malicious payloads.
  • Monitor for indicators of compromise: presence of spinstall0.aspx, unexpected PowerShell processes under w3wp.exe, and anomalous network connections to the identified IPs (107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147).
  • Review CISA's guidance, including BOD 22-01 recommendations for public-facing servers.
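The two detection bullets above (WAF/IDS rules for the ToolPane.aspx POST, and monitoring for spinstall0.aspx, PowerShell under w3wp.exe, and the listed IPs) can be checked retroactively against IIS logs and process-creation telemetry. The script below is an added example written for this bulletin; it is not RedLegg's or Microsoft's tooling. The IIS W3C log lines and process events it scans are constructed samples, the column layout is read from the log's own #Fields: header rather than assumed, and the function and variable names are the example's own.

```python
"""Hunt for the ToolShell (CVE-2025-53770) indicators listed in the bulletin.

Added example for this bulletin, not vendor tooling. Log lines and process
events are constructed samples; IIS column order is read from '#Fields:'.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Indicators quoted from the bulletin (defanging brackets in the IPs removed).
TOOLPANE_SUFFIX = "/toolpane.aspx"  # matches /_layouts/15/ToolPane.aspx under any site
WEBSHELL_NAME = "spinstall0.aspx"
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    client_ip: str
    request: str


def parse_w3c(lines):
    """Yield (line_no, record) for each data line of an IIS W3C log.

    Field names come from the most recent '#Fields:' directive, so the
    scanner does not depend on a fixed column layout.
    """
    fields = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield line_no, dict(zip(fields, values))


def scan_iis_log(lines):
    """Return Findings for the three log-visible indicators in the bulletin."""
    findings = []
    for line_no, rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        query = unquote(rec.get("cs-uri-query", "")).lower()
        ip = rec.get("c-ip", "")
        request = f"{method} {rec.get('cs-uri-stem', '')}?{rec.get('cs-uri-query', '')}"

        # 1. POST to ToolPane.aspx with DisplayMode=Edit (the path named in the bulletin).
        #    Only POST is flagged: a GET of the same page is ordinary editing traffic.
        if method == "POST" and stem.endswith(TOOLPANE_SUFFIX) and "displaymode=edit" in query:
            findings.append(Finding(line_no, "POST to ToolPane.aspx?DisplayMode=Edit", ip, request))
        # 2. Any request for the spinstall0.aspx web shell.
        if stem.endswith("/" + WEBSHELL_NAME):
            findings.append(Finding(line_no, "request for spinstall0.aspx web shell", ip, request))
        # 3. Client IP present in the bulletin's IOC list.
        if ip in KNOWN_IPS:
            findings.append(Finding(line_no, "client IP in bulletin IOC list", ip, request))
    return findings


def suspicious_ips(findings):
    """Distinct client IPs to block or investigate, derived from the findings."""
    return sorted({f.client_ip for f in findings})


def powershell_under_w3wp(process_events):
    """Flag PowerShell started by the IIS worker process.

    process_events: iterable of (parent_image, image, command_line), e.g.
    mapped from Sysmon Event ID 1 or Security 4688 fields.
    """
    return [
        (parent, image, cmdline)
        for parent, image, cmdline in process_events
        if parent.lower().endswith("\\w3wp.exe") and image.lower().endswith("\\powershell.exe")
    ]


# Constructed sample IIS log (IIS writes spaces in User-Agent as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-19 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.42 Mozilla/5.0+(Windows) 200
2025-07-19 10:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 107.191.58.76 Mozilla/5.0+(Windows) 200
2025-07-19 10:15:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 107.191.58.76 Mozilla/5.0+(Windows) 200
2025-07-19 10:16:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 10.0.0.42 Mozilla/5.0+(Windows) 200
2025-07-19 10:16:30 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit&a=1 443 198.51.100.7 curl/8.0 200
""".splitlines()

# Constructed process-creation events: (parent image, image, command line).
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -enc <redacted>"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    findings = scan_iis_log(SAMPLE_LOG)
    for f in findings:
        print(f"line {f.line_no}: {f.reason} [{f.client_ip}] {f.request}")
    print("IPs to investigate:", suspicious_ips(findings))
    for hit in powershell_under_w3wp(SAMPLE_PROCESSES):
        print("PowerShell under w3wp.exe:", hit)
```

On the sample, the GET of ToolPane.aspx from the internal address is deliberately not flagged: the bulletin's indicator is the POST, and alerting on every GET would bury the signal in normal page-edit traffic. The 198.51.100.7 hit shows why the rule keys on the URI rather than the IOC list alone: the listed IPs are useful for retro-hunting, but an attacker using fresh infrastructure still has to hit the same path.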


Note: This is a high-impact zero-day with real-world exploitation, broad compromise potential, and active adversary use. On-prem SharePoint instances represent critical assets; prompt patching, isolation, and forensic analysis are essential to prevent further intrusion and data exposure.