
ToolShell Remote Code Execution in Microsoft SharePoint: CVE-2025-53770 & CVE-2025-53771

Simran Khalsa, Staff Security Researcher, Fastly

Matthew Mathur, Senior Security Researcher, Fastly

Fastly Security Research Team

  • What it is: A critical unauthenticated remote code execution (RCE) vulnerability in on‑premises Microsoft SharePoint Server (2016, 2019, and Subscription Edition), caused by deserialization of untrusted data reachable through the ToolPane.aspx page.

  • Why it matters: Attackers can bypass authentication, execute arbitrary code, deploy web shells, and harvest the ASP.NET machine keys; with those keys they can forge valid ViewState payloads and keep access until the keys are rotated, even on a patched server.

  • Exploit status: We have observed exploitation attempts in the wild since July 17, targeting organizations across sectors including High Tech, Healthcare, Transportation, Finance, Digital Media, Retail, Real Estate, E-Commerce, Education, and others.

  • Scope: On‑premises SharePoint only; SharePoint Online (Microsoft 365) unaffected.

Fastly Next-Gen WAF (NGWAF) customers can protect themselves from this vulnerability by enabling the templated rule CVE-2025-53770.

Timeline of Discovery & Response

Date            Event
May 2025        CVE‑2025‑49704 + CVE‑2025‑49706 (“ToolShell” first chain) demonstrated at Pwn2Own Berlin.
July 8          Microsoft patches CVE‑2025‑49704/49706 in Patch Tuesday.
July 17         First in‑the‑wild exploitation attempts detected in Fastly telemetry.
July 19 - 20    Microsoft assigns CVE‑2025‑53770 (RCE) & CVE‑2025‑53771 (spoofing) and issues an emergency advisory with guidance.
July 20 - 21    Patches released for SharePoint 2019 & Subscription Edition; the 2016 patch followed shortly after.
July 20 - 22    CISA adds CVE‑2025‑53770 to its Known Exploited Vulnerabilities (KEV) catalog and releases mitigation guidance.

[Image 1: Observed exploit attempts over time]

How the Exploit Works

  1. Authentication bypass (CVE‑2025‑53771): the attacker sends a crafted POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a spoofed Referer header of /_layouts/SignOut.aspx. SharePoint accepts the request without valid credentials.

  2. Unsafe deserialization (CVE‑2025‑53770): the body of that request carries a serialized payload that SharePoint deserializes without validation, so the attacker's object graph is executed on the server.

  3. Full RCE and persistence: attackers drop a web shell (spinstall0.aspx has been observed in the wild), use it to read the ASP.NET machineKey values (ValidationKey and DecryptionKey), and then sign forged __VIEWSTATE payloads with those keys. That gives them a second, credential‑free path to code execution that survives patching until the keys are rotated.

Actionable recommendations 

Fastly recommends following Microsoft’s official guidance on mitigating this vulnerability and applying patches as soon as possible. This vulnerability is being actively exploited, so proactive steps such as rotating machine keys and hunting for indicators of compromise (1, 2, 3) are also recommended. Specifically, we recommend:

1. Apply patches immediately.

2. Rotate the SharePoint Server ASP.NET machine keys (Microsoft's guidance uses the Update-SPMachineKey PowerShell cmdlet) and then restart IIS (iisreset.exe) on every SharePoint server. Do this after patching: keys stolen before the patch still validate forged ViewState.

3. Conduct forensics and threat hunts for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a SignOut.aspx Referer, for requests to spinstall*.aspx, and for the IOCs reported across major vendors (1, 2, 3).

4. Update intrusion prevention system and web‑application firewall (WAF) rules to block the exploit patterns and anomalous behavior.
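
A hunt over IIS logs for the two request shapes this post describes: the ToolPane.aspx POST with a SignOut.aspx Referer from “How the Exploit Works”, and the spinstall*.aspx web shell from recommendation 3. This is an added example, not Fastly's tooling or the NGWAF rule logic. The log lines are constructed for the example, and the field layout assumes IIS W3C logging with the default field set, which includes cs(Referer).

```python
"""Hunt IIS W3C logs for ToolShell-style request patterns.

Flags two things:
  * POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of
    /_layouts/SignOut.aspx (the CVE-2025-53771 auth-bypass request shape), and
  * any request for a spinstall*.aspx file (the web shell name reported in the wild).

The log lines below are constructed for this example; they are not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C Extended format. The #Fields directive mirrors the
# IIS default field set. Line 4 is a legitimate, authenticated editor using ToolPane
# from inside SharePoint and must NOT be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 02:11:09 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.0.23 Mozilla/5.0 https://sp.example.test/sites/hr 200 0 0 87
2025-07-18 02:13:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 612
2025-07-18 02:13:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 14
2025-07-18 02:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.41 Mozilla/5.0 https://sp.example.test/_layouts/15/ToolPane.aspx 200 0 0 133
"""

# ToolPane and SignOut may live under /_layouts/ or /_layouts/<version>/.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)
DISPLAYMODE_RE = re.compile(r"(?:^|&)displaymode=edit(?:&|$)", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field list can change mid-file after an IIS restart
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, #Version)
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the hunt
        yield dict(zip(fields, values))


def classify(rec):
    """Return a finding label for one request record, or None if it looks benign."""
    # URL-decode so %2F / mixed case in the stem or query cannot dodge the match.
    stem = unquote(rec.get("cs-uri-stem", ""))
    query = unquote(rec.get("cs-uri-query", ""))
    referer = unquote(rec.get("cs(Referer)", "-"))
    method = rec.get("cs-method", "").upper()

    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and DISPLAYMODE_RE.search(query) and SIGNOUT_RE.search(referer)):
        return "toolshell-auth-bypass"
    return None


def hunt(text):
    """Return [(timestamp, client_ip, label, uri_stem)] for every suspicious record."""
    hits = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], label, rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Run it against the real logs under %SystemDrive%\inetpub\logs\LogFiles\ for every SharePoint front end, going back to at least July 17. IIS timestamps are UTC. The ToolPane POST from an authenticated user whose Referer is another SharePoint page is normal editing traffic and is deliberately not flagged; a ToolPane POST whose Referer is SignOut.aspx has no legitimate reason to occur. Any spinstall*.aspx hit means a web shell was written, so treat the machine keys as stolen regardless of what else you find.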

For Fastly NGWAF customers

If you cannot patch your instances of Microsoft SharePoint, need time to apply the patch, or are looking for additional protections for this vulnerability, you can enable the templated rule for CVE-2025-53770. If you need additional help applying a virtual patch, please contact our security support team for assistance.

Conclusion

CVE‑2025‑53770 & CVE‑2025‑53771 (“ToolShell”) allow unauthenticated, complete takeover of a SharePoint server, with persistence via stolen cryptographic keys. If your organization runs on‑premises SharePoint exposed to the internet, assume compromise and act now: patch, rotate the machine keys, hunt, and defend.

References