Global Exploitation of 9.8-Severity SharePoint CVE-2025-53770 Lets Hackers Steal Credentials and Tokens; Patch Now and Rotate Keys

A high-severity flaw in on-premises SharePoint Server is being actively exploited around the world, enabling attackers to steal credentials and gain privileged access. The severity rating of the vulnerability stands at 9.8 out of 10, and it permits unauthenticated remote access to vulnerable SharePoint deployments exposed to the internet. While cloud offerings such as SharePoint Online and Microsoft 365 are not affected, on-premises installations present a critical risk for organizations that rely on internal SharePoint deployments. Researchers and authorities now emphasize that any organization running SharePoint on its own infrastructure should assume compromise is possible and act with urgency to protect and recover.

Table of Contents

What the CVE-2025-53770 vulnerability means for SharePoint on-premises

The vulnerability, identified as CVE-2025-53770, represents a class of severe flaws that enable remote access to SharePoint Servers without requiring any form of authentication. This is particularly dangerous for in-house deployments where security controls may be distributed across corporate networks and where sensitive data, access tokens, and system credentials reside in close proximity to SharePoint hosts. The vulnerability’s status as a zero-day when first disclosed heightened concern among defenders, because threat actors could begin operations before a formal patch was available or widely deployed.

Microsoft confirmed the exposed risk in the days following the initial disclosure, clarifying that cloud-hosted SharePoint Online and broader Microsoft 365 environments are not affected by this flaw. The critical nature of CVE-2025-53770 arises from its potential to enable attackers to access the server and, from there, exfiltrate authentication tokens and other sensitive data that facilitate further exploitation and lateral movement within compromised networks. As teams and enterprises dependent on SharePoint move critical documents, workflows, and collaboration tools through these servers, the ability for an attacker to obtain credentials and move laterally creates a pathway to broader data exposure and possible disruption of business operations.

In parallel with CVE-2025-53770, Microsoft issued an emergency update addressing a related vulnerability tracked as CVE-2025-53771. This second CVE targets SharePoint Subscription Edition and SharePoint 2019, and it is designed to shore up protections against an adjacent attack surface that attackers could leverage in tandem with CVE-2025-53770. The urgency around applying these updates was underscored by the fact that some older on-premises versions, such as SharePoint 2016, were still awaiting patches at the time reports were published. The combined patching strategy highlights a broader pattern in which attackers chain multiple vulnerabilities to achieve robust persistence and deeper access within targeted networks.

Beyond these primary flaws, researchers noted that the exploitation chain observed in the wild bears similarities to workflows demonstrated at security competitions earlier in the year. In those demonstrations, attackers leveraged a pair of vulnerabilities—CVE-2025-49704 and CVE-2025-49706—to iteratively escalate access and expand their foothold. Microsoft subsequently released patches for those vulnerabilities in a prior monthly update cycle, and the latest wave of fixes adds layers of defense that tighten protections around those same underlying parsing and deserialization mechanisms. In practical terms, organizations should view these patches as part of a broader hardening effort rather than a one-off remedy. Even after applying updates, the possibility of residual access and credential exposure means careful verification and follow-on hardening are essential.

Behind the exploit: how ToolShell enables remote code execution (high-level)

Researchers and security firms describe the active threat as not being a conventional webshell in the classic sense. The backdoor observed in multiple compromised SharePoint deployments is a webshell-based mechanism that exposes a different paradigm for post-exploitation control. The attackers leveraged a chain that involves obtaining sensitive cryptographic material from the SharePoint server environment and using that data to sign or forge legitimate-looking requests. In practical terms, this translates into a remote code execution path that operates under the umbrella of trusted input, enabling the attacker to run commands and access protected resources without needing valid credentials.

The central idea behind the chain is to exploit the server’s data translation and reconstruction mechanisms—specifically, how complex data structures and object states are serialized, stored, transmitted, and later reconstituted by SharePoint and ASP.NET. The risk arises when an attacker can influence or steal the memory-resident cryptographic keys used to sign serialized payloads, effectively rendering forged data as trusted. Once the attacker possesses the private Signing and Validation keys, they can craft payloads that the server accepts as authentic and then execute arbitrary code within the context of the application.

A critical distinction in this attack surface is the reliance on serialization-based weaknesses rather than purely input-based injection. In this class of vulnerability, the attacker targets the serialization pathway, manipulating how objects are turned into a portable representation and then reassembled by the server. When the server signs or validates serialized payloads using keys stored in memory or in the machine’s configuration, a leak or exposure of those keys enables attackers to generate legitimate-looking payloads that trigger remote code execution. The result is a powerful form of persistence and control that persists even after other protective controls have been applied, underscoring why simple patching is insufficient on its own.

For defenders, this underscores two essential concepts: first, that modern web applications can be vulnerable even when they do not directly accept untrusted input, because the input can be embedded within serialized structures that the application handles in trusted contexts; second, that cryptographic material located in server memory or configuration files must be treated as highly sensitive and protected with strict access controls, monitoring, and key management practices.

In this landscape, defenders should not expect a patch alone to deliver complete relief. While security updates are vital, attackers may persist by exploiting residual keys or newly exposed tokens that allow continued access. The security implication is clear: recovery and hardening require a multi-pronged approach that includes patching, key rotation, and a revalidation of the server’s cryptographic material, alongside robust monitoring for anomalous token use and unusual serialization activity.

Global impact: observed attacks, waves, and indicators

The geographic footprint of the attacks has been broad, with researchers identifying dozens of compromised systems across multiple regions and networks worldwide. The first notable wave of exploitation occurred on July 18, around 18:00 UTC, followed by a second wave on July 19, around 07:30 UTC. The systems affected in these waves appeared to be SharePoint Server deployments that were reachable from the public internet or inadequately protected by perimeters that could prevent unexpected inbound access. The attackers leveraged the vulnerability to access SharePoint’s internal surfaces, after which a webshell-based backdoor—codenamed ToolShell by researchers—was deployed to facilitate ongoing access and credential exfiltration.

Upon establishing footholds, the backdoor was able to interact with the most sensitive components of a SharePoint Server installation. Researchers described the backdoor as particularly effective at extracting authentication tokens from the server in ways that allowed the attackers to extend their reach further into the organization. The objective was not merely to gain initial access but to stage a broader campaign in which sensitive network resources could be accessed, credentials could be stolen, and lateral movement could be sustained over time. The implication for defenders is that token theft and token-based access remain critical threats in the wake of compromised SharePoint environments, underscoring the need for continuous monitoring of authentication artifacts and token lifecycles.

Security teams and researchers highlighted several technical indicators that organizations can use to assess whether their systems have been targeted. These indicators center on unusual serialization activity, anomalous access patterns to machine keys and key material, and evidence of backdoor tooling interacting with SharePoint’s internal configuration. The reporting also emphasizes that once attackers have obtained token-signing keys or equivalent cryptographic material, they can craft legitimate-looking requests that bypass many conventional checks, enabling rapid expansion of the attacker’s reach.

In parallel with technical indicators, federal and national computer security agencies acknowledged the ongoing situation and issued advisories meant to guide organizations in defense and remediation. Agencies emphasized the need for prompt patching, thorough validation of affected systems, and robust hardening measures to reduce the likelihood of re-compromise. DHS and other national cyber authorities have underscored the importance of adopting a defense-in-depth posture that integrates patch management, key rotation, memory protection for cryptographic material, and monitoring for suspicious behavior across SharePoint environments. The combined effect of these communications is to push organizations toward a more proactive and comprehensive security approach that prioritizes both immediate remediation and long-term resilience.

Patch response and immediate mitigation steps

Microsoft’s emergency updates for CVE-2025-53770 and CVE-2025-53771 represent a critical first line of defense, but patching is only the starting point of a wider recovery and hardening process. For organizations running SharePoint on-premises, the immediate priority is to apply the available patches to affected versions, ensuring that vulnerable code paths are disabled in production environments. However, the broader security picture demands that organizations treat patching as part of a larger lifecycle management approach that includes secure key management, credential protection, and system hardening.

Beyond applying patches, responders emphasize the necessity of rotating SharePoint ASP.NET machine keys and restarting the IIS web server that runs SharePoint. This step is essential because attackers can leverage leaked or memory-resident keys to forge tokens or signatures that enable further unauthorized access. Reissuing and revoking cryptographic material helps to invalidate any previously forged tokens and reduces the risk of immediate reuse by attackers who have already gained footholds in the network.

The recommended approach to mitigation combines patch deployment with key management practices and systemic hardening. Deployment considerations include ensuring that all affected SharePoint versions are brought into compliance with the latest security patches, validating that no residual vulnerable components remain, and verifying that no unpatched versions are inadvertently kept within the environment. Key management best practices involve rotating machine keys, updating cryptographic material in a controlled manner, and instituting vault-based storage and access controls for keys so that only authorized services can access them. Restart procedures for IIS should be performed carefully to prevent service disruption while ensuring that all services reinitialize with the latest keys and patches.

Security teams are also advised to implement comprehensive monitoring for indicators of compromise. This includes detecting unusual token usage, unusual serialization activity, and any anomalies in the way SharePoint processes state data. Network-based controls, such as tightening firewall rules and reducing exposure of on-premises SharePoint endpoints to the internet, can further limit attack surface. In addition, organizations should consider adopting a layered defense strategy, combining endpoint detection, network protection, identity governance, and application security controls to reduce the risk of future intrusions.

Finally, defenders should be prepared for a multi-stage recovery that extends beyond patching. Even after patches are in place and keys rotated, attackers may retain a foothold through lingering access or misconfigured services. A holistic recovery plan should include asset discovery, credential rotation for privileged accounts, re-segmentation of networks to minimize lateral movement, and rigorous validation of system integrity. The objective is to restore secure operations while eliminating attacker persistence, rather than simply restoring availability.

The technical core: serialization, ViewState, and cryptographic keys (high-level)

The attack surface centers on how SharePoint and ASP.NET serialize and deserialize complex data structures. Serialization is the process of converting an in-memory object or set of objects into a storable or transmittable form, which later can be reconstructed back into objects with the same state. If a server deserializes data from untrusted or manipulated sources without proper safeguards, it can inadvertently execute code embedded within those serialized payloads. The risk is amplified when cryptographic keys that sign or validate serialized data are exposed or leaked, because forged payloads can appear legitimate to the application.

A key element in the observed chain is the __VIEWSTATE mechanism, which tracks the state of an ASP.NET page across postbacks. The VIEWSTATE payloads are signed or validated using a machine key—a cryptographic key stored in the server’s configuration or memory—that ensures the integrity and authenticity of the serialized state data. If an attacker can read the machine key or otherwise manipulate the signing process, they can forge signed payloads that the application accepts as legitimate. In practice, this means an attacker could craft inputs that cause the application to deserialize arbitrary objects and execute commands in the server context, effectively achieving remote code execution with no legitimate credentials.

Historically, a vulnerability in SharePoint’s parsing and deserialization flow had allowed attackers to inject objects into pages by abusing the signing and validation behavior of the machine key. Those older exploits were constrained by the need to obtain a valid signature, which required access to the server’s private signing material. The modern chain observed in these incidents advances the concept by enabling attackers to extract the ValidationKey directly—whether from memory or from configuration—and then generate fully valid, signed __VIEWSTATE payloads without prior access to credentials. This shift significantly expands the attacker’s ability to operate covertly and with persistence.

To illustrate the high-level concept without operational detail, researchers describe a workflow in which an attacker leverages public tools designed to work with SharePoint’s serialization framework to produce malicious payloads that the server will accept as legitimate. The payloads are designed to trigger remote code execution or to cause the server to perform actions under the attacker’s control. Importantly, this is not about exploiting a traditional command-and-control channel; rather, it is about exploiting trust placed in serialized data as part of the web application’s normal processing. This nuance is central to understanding why patching the vulnerability path alone does not guarantee complete removal of attacker access.

From a defensive perspective, the lesson is to treat cryptographic material with the same level of sensitivity as any other highly privileged credential. Memory-resident keys must be protected with strict access controls, minimized exposure, and robust monitoring. Key management practices—such as rotating keys on a regular schedule, removing stale keys, and employing secure storage—become essential components of a resilient defense in depth.

Recovery and long-term security posture

Recovery from such breaches requires more than applying a patch and restarting a service. Organizations must adopt a comprehensive approach that addresses immediate remediation needs and builds a resilient security posture for the future. The following elements are central to an effective recovery strategy:

Patch deployment: Ensure that all affected SharePoint on-premises versions receive the latest security updates (CVE-2025-53770 and CVE-2025-53771, as applicable). Validate deployment success across the estate and confirm that no unpatched instances remain accessible from vulnerable surfaces.
Key rotation and re-keys: Rotate ASP.NET machine keys and other cryptographic material that could have been compromised or exposed during the breach. Implement a careful strategy for updating these keys without disrupting service, and verify that new keys are properly in use by all SharePoint services and related components.
IIS restart and service validation: Restart the Internet Information Services (IIS) web server after key rotation to ensure that all processes reinitialize under fresh cryptographic material. Validate that affected applications return to healthy operation and that authentication and authorization flows are functioning as intended.
Credential hygiene: Review and rotate credentials used by SharePoint administrators and other privileged accounts. Enforce strong, unique credentials and implement multi-factor authentication where possible to reduce risk of repeat compromise through stolen tokens or credentials.
Token lifecycle management: Audit and validate how tokens and authentication artifacts are issued, stored, and renewed within the affected environment. Implement monitoring to detect unusual token creation or usage patterns that could indicate ongoing attacker activity.
Privilege and access control: Enforce least-privilege access for SharePoint components and any services that operate with elevated rights. Use segmentation and micro-segmentation to limit exposure of SharePoint hosts to other parts of the network.
Network hardening: Consider tightening the exposure of on-premises SharePoint endpoints to the internet. Where feasible, migrate to more restrictive access models, integrate VPN-based access with strict authentication controls, and employ web application firewalls to filter suspicious requests.
Detection and monitoring: Deploy or strengthen security monitoring that looks for indicators of compromise related to serialization activity, unusual access to machine keys, and webshell-like behaviors. Establish a baseline for normal SharePoint activity to enable rapid detection of deviations.
Forensic readiness: Preserve system and security logs for a sufficient retention window to support any subsequent investigations. Collect telemetry from SharePoint servers, identity providers, and endpoints to inform root-cause analysis and remediation effectiveness.
Organizational resilience: Develop incident response playbooks tailored to SharePoint on-premises environments, including clear roles and responsibilities, escalation paths, and communication plans. Exercise these playbooks regularly to ensure readiness.

Lessons from history: comparing to prior SharePoint vulnerabilities and zero-day trends

The current wave of exploitation around CVE-2025-53770 shares thematic resonance with a notable vulnerability that surfaced in 2021, where parsing and deserialization logic in SharePoint allowed attackers to inject malicious objects into pages via the ViewState mechanism. While that earlier flaw required certain conditions, the present chain expands on that foundation by enabling attackers to obtain cryptographic material directly and to craft fully signed payloads that the server accepts without credential input. This evolution underscores a broader shift in zero-day exploit behavior, where attackers increasingly focus on cryptographic material and serialization pathways as a means to achieve rapid, stealthy, and scalable access.

A key takeaway for defenders is that patches must be complemented by operational and architectural changes that reduce exposure and strengthen the cryptographic stack. In the past, teams could rely on updates alone to restore security; today, attackers increasingly target the keystone materials and processing workflows that underpin trusted data handling. Therefore, a mature response embraces key management modernization, robust identity governance, and comprehensive application-layer protections that can detect and disrupt suspicious serialization and token-related activity.

Organizations should also consider the broader implications for governance and risk management. When critical collaboration platforms like SharePoint are exposed to the internet, they become high-value targets for a wide range of attackers. Regulatory requirements and security best practices increasingly demand stronger access controls, comprehensive monitoring, and rapid incident response capabilities for such environments. The incident demonstrates the importance of ongoing risk assessment, continuous improvement of security controls, and a proactive stance toward vulnerability management in enterprise IT estates.

Immediate steps for enterprises: a practical action checklist

To translate this information into actionable security posture improvements, organizations can adopt the following practical checklist. It balances immediate remediation with long-term resilience, and it emphasizes defense-in-depth without sacrificing operational continuity.

Inventory and verify: Conduct a comprehensive inventory of all SharePoint on-premises deployments, including version numbers, edition (Subscription Edition, 2019, 2016, etc.), and exposure levels to the internet. Confirm which systems are affected by CVE-2025-53770 and which require CVE-2025-53771 patches.
Patch with urgency: Apply the latest security updates for CVE-2025-53770 and CVE-2025-53771 across all affected systems. Validate patch installation and ensure no unpatched instances remain accessible.
Rotate cryptographic material: Rotate ASP.NET machine keys and other server-side signing keys associated with SharePoint. Plan a controlled key rotation process that minimizes downtime and ensures all services reinitialize with new keys.
Restart and verify: Perform a structured IIS restart after key rotations. Validate that SharePoint services, authentication flows, and site functionality operate as expected post-restart.
Harden exposure: Review access exposure of on-premises SharePoint endpoints. Limit direct internet exposure where possible, implement VPN-based access with strong authentication, and deploy a Web Application Firewall (WAF) to inspect and block suspicious traffic.
Strengthen credential hygiene: Enforce strict password policies, rotate highly privileged credentials, and implement multi-factor authentication for administrative and service accounts involved with SharePoint.
Monitor for indicators: Implement or enhance monitoring for serialization anomalies, unusual VIEWSTATE handling, and suspicious token access patterns. Establish baselines and alert thresholds to enable rapid detection of potential compromises.
Validate indicators of compromise: Establish a repository of high-value indicators of compromise (IOCs) related to the ToolShell chain and the observed attack patterns. Use these indicators to guide ongoing threat hunting and remediation efforts.
Incident response readiness: Activate or exercise incident response playbooks specific to SharePoint breaches. Define roles, communication protocols, and escalation paths. Ensure coordination between security operations, IT, and business continuity teams.
Forensic readiness and lessons learned: Preserve evidence and artifacts from the breach for forensic analysis. Conduct post-incident reviews to identify root causes and implement lasting improvements to security architecture and governance.
Ongoing risk management: Reassess risk exposure on a regular cycle, integrating vulnerability management, governance, and compliance considerations. Align remediation activities with organizational risk tolerance and regulatory requirements.
Training and awareness: Provide targeted training for IT staff and security teams on the latest SharePoint security practices, patterns of exposure, and detection strategies. Promote a culture of proactive defense and continuous improvement.

Conclusion

The active exploitation of a nearly sovereignly dangerous vulnerability in SharePoint on-premises environments underscores the evolving reality of enterprise security. CVE-2025-53770, with its near-perfect score of 9.8 out of 10 for severity, represents a critical threat to organizations that maintain internally hosted SharePoint deployments. The emergence of ToolShell as a backdoor-based mechanism that capitalizes on cryptographic material and serialization pathways highlights a sophisticated attack model that adversaries are applying to gain persistent access and to steal credentials at scale. The related CVE-2025-53771 patch for SharePoint Subscription Edition and SharePoint 2019, along with broader protections around CVE-2025-49704 and CVE-2025-49706, marks an important step in curbing these exploit chains; however, as defenders have consistently observed, patching alone is insufficient to guarantee security.

Indeed, the explicit lessons from this event emphasize that a robust security posture for on-premises SharePoint requires a multi-layered approach. Organizations must implement timely patches, rotate machine keys, restart affected services, and enforce strict key management practices. They should also strengthen network defenses, reduce exposure to the internet, and enhance monitoring for signs of token theft, serialization anomalies, and webshell activity. By combining patch management with cryptographic hygiene, identity governance, and proactive threat hunting, enterprises can reduce the odds of persistent compromise and improve their resilience against current and future zero-day threats.

In the end, the ongoing investigation and remediation efforts offer a valuable opportunity to rethink how organizations approach on-premises collaboration platforms. The focus on secure serialization practices, careful handling of machine-level keys, and disciplined incident response can yield lasting improvements that extend beyond any single vulnerability. As defenders implement these lessons, they will be better positioned to protect sensitive data, maintain business continuity, and reduce the risk of disruptive breaches in an increasingly complex threat landscape.

Global Exploitation of 9.8-Severity SharePoint CVE-2025-53770 Lets Hackers Steal Credentials and Tokens; Patch Now and Rotate Keys

What the CVE-2025-53770 vulnerability means for SharePoint on-premises

Behind the exploit: how ToolShell enables remote code execution (high-level)

Global impact: observed attacks, waves, and indicators

Patch response and immediate mitigation steps

The technical core: serialization, ViewState, and cryptographic keys (high-level)

Recovery and long-term security posture

Lessons from history: comparing to prior SharePoint vulnerabilities and zero-day trends

Immediate steps for enterprises: a practical action checklist

MWC25: Netscout’s AI-Driven Strategy to Contain Cyber Threats in Telecom Networks

MWC25: Netscout Deploys AI-Driven Threat Intelligence and Automation to Fight Cyber Threats in Telcos

DTW Ignite 2025: AI to Transform Telco Strategies in Copenhagen

DTW Ignite 2025: AI-Driven Transformation of Telco Strategies in Copenhagen

Recent News

MongoDB Atlas powers Iron Mountain’s InSight Platform: a partnership accelerating AI-powered, scalable information management

How a MongoDB-Iron Mountain partnership is driving innovative information management

uTorrent 3.5.5 Build 45704: Ultra-Efficient Windows BitTorrent Client in a Tiny 3MB Package, Uses Less Than 6MB RAM

Two arson attacks strike Thailand’s Deep South: motorcycle bomb near Pattani checkpoint and rubberwood factory fire in Narathiwat, no injuries

Popular News

2025: Will It Be Another Dark Year for Construction With 100,000 Jobs at Risk?

Flydubai resumes Almaty and Nur-Sultan flights as its network expands to 24 destinations

Taiwan Cabinet to Seek Constitutional Court Ruling on Special Act Bill Containing NT$10,000 Cash Handout

What the CVE-2025-53770 vulnerability means for SharePoint on-premises

Behind the exploit: how ToolShell enables remote code execution (high-level)

Global impact: observed attacks, waves, and indicators

Patch response and immediate mitigation steps

The technical core: serialization, ViewState, and cryptographic keys (high-level)

Recovery and long-term security posture

Lessons from history: comparing to prior SharePoint vulnerabilities and zero-day trends

Immediate steps for enterprises: a practical action checklist

Related Posts