CVE-2025-53770 & CVE-2025-53771

CVE-2025-53770, nicknamed “ToolShell”, is a critical zero-day vulnerability in on-premises Microsoft SharePoint Server that allows unauthenticated remote code execution (RCE). Its companion, CVE-2025-53771, is the spoofing (authentication bypass) bug chained with it. ToolShell has been actively exploited in the wild since July 18th and is considered one of the most serious vulnerabilities targeting on-premises SharePoint in recent years.

Technical Details:

This flaw is a deserialization of untrusted data weakness in SharePoint Server. After bypassing authentication, an attacker sends a specially crafted POST to the /_layouts/15/ToolPane.aspx page and gains arbitrary code execution as the IIS worker process. Note that “ToolShell” is the name of the exploit chain, not an endpoint: there is no ToolShell.aspx page, and hunting for one will find nothing.

Affected Versions:

  • SharePoint Server 2016 (still unpatched as of July 22)
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition
  (SharePoint Online in Microsoft 365 is not affected.)

Recommendations:

Until fully patched, Microsoft recommends:
1. Enable AMSI (Antimalware Scan Interface)
◦ SharePoint 2019/Subscription Edition support this
2. Use Microsoft Defender Antivirus
◦ Includes detections for ToolShell artifacts
3. Isolate exposed SharePoint servers
◦ Especially if they’re public-facing
4. Block suspicious HTTP POST traffic
◦ Especially with Content-Type: application/octet-stream targeting ToolPane.aspx or Workflow endpoints
5. Rotate machineKey values (ValidationKey/DecryptionKey) and restart IIS
◦ Even after patching, keys stolen before the patch can still be used to forge valid ViewState payloads
6. Hunt for IOCs:
◦ Files: spinstall0.aspx (typically dropped under the 16\TEMPLATE\LAYOUTS directory), modified web.config
◦ Processes: w3wp.exe spawning PowerShell or cmd.exe
◦ Logs: unusual POST traffic to ToolPane.aspx, ViewState tampering
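The log-based hunt from step 6 can be scripted. The following is an added example, not ONYPHE's or Microsoft's code: it parses IIS W3C logs and flags the ToolShell request pattern (an anonymous POST to ToolPane.aspx with DisplayMode=Edit) plus any request for spinstall0.aspx. The SignOut.aspx Referer used to rank a hit as critical is the pattern from published analyses of the chain; treat the exact match strings as assumptions to tune for your environment. The sample log excerpt is constructed and uses documentation IP ranges.

```python
"""Hunt IIS W3C logs for ToolShell (CVE-2025-53770 / CVE-2025-53771) indicators.

Added example; the log lines below are constructed, not real traffic.
"""
from dataclasses import dataclass

# Constructed sample of an IIS log (default W3C field layout). Line 2 and 3 mimic
# the exploit chain; line 4 is a legitimate authenticated web part edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:13:44 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-19 02:14:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
2025-07-19 02:14:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 45
2025-07-19 02:20:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.22 Mozilla/5.0 https://sp.contoso.local/sites/hr/default.aspx 200 0 0 98
"""


@dataclass
class Finding:
    severity: str   # critical / high / low
    rule: str       # human-readable reason
    client_ip: str  # c-ip of the requester
    line: str       # the raw log line for the analyst


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # field layout can change mid-file
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        values = raw.split(" ")           # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):    # skip truncated or foreign lines
            continue
        yield dict(zip(fields, values)), raw


def classify(rec):
    """Return (severity, rule) for a suspicious record, or None if benign."""
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    user = rec.get("cs-username", "-")   # '-' means the request was anonymous

    # The dropped webshell is only ever requested by the attacker.
    if stem.endswith("/spinstall0.aspx"):
        return "critical", "spinstall0.aspx webshell requested"

    # ToolPane.aspx in edit mode is normal for authenticated users editing web parts;
    # it is never reachable anonymously on a healthy server.
    if method == "POST" and stem.endswith("/toolpane.aspx") and "displaymode=edit" in query:
        if user == "-" and "signout.aspx" in referer:
            return "critical", "anonymous POST to ToolPane.aspx with SignOut.aspx Referer (ToolShell chain pattern)"
        if user == "-":
            return "high", "anonymous POST to ToolPane.aspx DisplayMode=Edit"
        return "low", "authenticated ToolPane.aspx edit (normal; review if unexpected)"
    return None


def hunt(text):
    """Run the rules over a whole log and return the findings in log order."""
    findings = []
    for rec, raw in parse_w3c(text):
        hit = classify(rec)
        if hit:
            severity, rule = hit
            findings.append(Finding(severity, rule, rec.get("c-ip", "?"), raw))
    return findings


def suspicious_sources(findings):
    """Client IPs with at least one critical finding, for blocking/pivoting."""
    return sorted({f.client_ip for f in findings if f.severity == "critical"})


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():8}] {f.client_ip:15} {f.rule}")
    print("critical sources:", suspicious_sources(results))
```

Feed it the real files from %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\ (for example by reading them and calling hunt() on each), and pivot on every IP that suspicious_sources() returns: the same source will usually show the ToolPane.aspx POST followed seconds later by the spinstall0.aspx GET, which is the key-theft step that makes machineKey rotation mandatory even after patching.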

Added ONYPHE detection

Detection of compromised instances was added to our engine on July 21st, 2025.

Detection of vulnerable instances was added to our engine on July 23rd, 2025.
