Overview
In mid-July 2025, Microsoft disclosed a chained exploit targeting on-premises SharePoint Server that the security community quickly labelled ToolShell. The chain combines two distinct vulnerabilities — an authentication bypass (CVE-2025-53771) and a file-write leading to remote code execution (CVE-2025-53770) — to deliver unauthenticated, fully network-based shell access on any vulnerable SharePoint server exposed to the internet.
The attack requires no credentials, no user interaction, and no social engineering. One HTTP request to a well-known endpoint is enough to initiate the chain. Within days of public PoC release, automated scanning and botnet-driven exploitation had already hit an estimated 75–85 servers globally.
The Exploit Chain
Step 1 — Authentication Bypass (CVE-2025-53771)
The entry point is /_layouts/15/ToolPane.aspx, a SharePoint system page that normally enforces authentication. The bypass relies on a forged HTTP Referer header. When the server receives a POST request with the Referer set to /_layouts/SignOut.aspx, the authentication middleware incorrectly treats the request as originating from an already-authenticated context and skips the credential check.
POST /_layouts/15/ToolPane.aspx HTTP/1.1
Host: sharepoint.target.corp
Referer: https://sharepoint.target.corp/_layouts/SignOut.aspx
Content-Type: application/x-www-form-urlencoded
[crafted payload]
This is a logic flaw rather than a cryptographic weakness — the kind that often slips through code review because the Referer header is treated as a trusted signal rather than attacker-controlled input.
Step 2 — File Write and Key Extraction (CVE-2025-53770)
Once past authentication, the endpoint permits arbitrary file writes to the server filesystem. Attackers leverage this to:
- Write a malicious file to a web-accessible path.
- Read web.config and related configuration files to extract the SharePoint MachineKey — the symmetric key used to sign ViewState and other serialised objects.
- Generate a signed, malicious serialised payload using the extracted key.
- Submit the payload to trigger deserialisation and execute arbitrary code as the IIS application pool identity.
The MachineKey extraction step is what makes this chain so dangerous. Once an attacker has the signing key, they can craft trusted payloads that bypass all downstream validation — essentially becoming the server's own signer.
Web Shell Deployment
In observed attacks, the final stage typically drops an ASPX web shell. The most common filename pattern seen in the wild has been spinstall0.aspx, with minor variations such as spinstall.aspx and spinstall1.aspx — presumably chosen to blend in with SharePoint's own installation artefacts. From there, threat actors deploy PowerShell payloads, conduct credential harvesting, and establish persistent access.
Affected Products
- Microsoft SharePoint Server 2016 (on-premises)
- Microsoft SharePoint Server 2019 (on-premises)
- Microsoft SharePoint Server Subscription Edition (on-premises)
SharePoint Online (Microsoft 365) is not affected. This is exclusively an on-premises issue — a distinction worth highlighting given how many large enterprises and government bodies still run on-prem SharePoint as their document management backbone.
Detection
Defenders should look for the following indicators in IIS access logs and SharePoint ULS logs:
- Unexpected POST requests to /_layouts/15/ToolPane.aspx from external IP ranges.
- Referer header values pointing to /_layouts/SignOut.aspx on unauthenticated or anonymous sessions.
- New .aspx files appearing under /_layouts/15/ or web application root directories.
- Outbound connections from the SharePoint application pool identity (DefaultAppPool or equivalent) to unexpected hosts.
- Access to web.config via the SharePoint API or file system from non-admin accounts.
Remediation
Microsoft released patches on Patch Tuesday, July 2025. Apply them immediately. If patching cannot happen within your maintenance window:
- Restrict external access to /_layouts/15/ToolPane.aspx at the WAF or perimeter — block all unauthenticated requests to the /_layouts/ path from the internet.
- Enable SharePoint's built-in request filtering to reject requests with a Referer header matching SignOut.aspx when the session is not authenticated.
- Audit the server filesystem for unexpected .aspx files in system directories.
- Rotate the MachineKey values in web.config immediately if exposure is suspected.
The Broader Lesson
ToolShell illustrates a pattern that recurs across enterprise software: a trusted internal signal (Referer header) being treated as a reliable authentication indicator. Headers are attacker-controlled. Any security decision that hinges on a client-supplied header value — without cryptographic verification — is one bad request away from complete bypass.
The rapid weaponisation timeline is also noteworthy. PoC code was public within days of disclosure, and exploitation at scale followed within a week. For organisations running internet-facing SharePoint, the window between patch availability and mass exploitation was measured in days, not weeks.