SharePoint Under Fire: What Every IT Team Needs to Know About CVE-2025-53770
A critical vulnerability in SharePoint is being actively exploited right now, and it's hitting organizations hard. What do IT teams need to know?

If you're running SharePoint on-premises, you need to stop what you're doing and read this. A critical vulnerability is being actively exploited right now, and it's hitting organizations hard.
The Problem
CVE-2025-53770 scored an 8.8 on the severity scale for good reason. Attackers are targeting a specific component in SharePoint – the toolpane.aspx file – to steal cryptographic keys that protect your data. Once they have these keys, they can create malicious payloads that give them complete control of your server.
The attack pattern is concerning. Most exploitation attempts are coming from US-based IP addresses, and we're already seeing government agencies hit with wiper attacks that security researchers believe are connected to this vulnerability.
Here's what makes this particularly nasty: the exploit doesn't just give attackers a foothold – it hands them the keys to the kingdom. They're dropping web shells directly onto compromised servers, creating persistent backdoors for future access.
Who's At Risk
This only affects on-premises SharePoint installations. If you're using SharePoint Online or Office 365, you can breathe easier – Microsoft has you covered there. But if you've got SharePoint running in your data center or on local servers, you're in the crosshairs.
CISA has already added this to their Known Exploited Vulnerabilities catalog, which means they consider it a clear and present danger to critical infrastructure.
What You Need to Do Right Now
First, patch immediately. Microsoft released fixes in their July Patch Tuesday updates. This isn't a "get to it next week" situation – this is a "drop everything and patch now" moment.
Second, start hunting. You need to know if you've already been compromised. Look for any access attempts to toolpane.aspx paths in your logs. Check for new files or processes that appeared recently, especially anything running under your SharePoint service account.
For those using Microsoft Defender for Endpoint, here are two KQL queries that can help identify potential compromise:
Query 1 - File Activity Detection:
DeviceFileEvents
| where FolderPath has_any (
@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
@'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)
| where FileName has "spinstall0"
| project
Timestamp,
DeviceName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
FolderPath,
ReportId,
ActionType,
SHA256
| order by Timestamp desc
Query 2 - Process Activity Detection:
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
and InitiatingProcessCommandLine !has "DefaultAppPool"
and FileName =~ "cmd.exe"
and ProcessCommandLine has_all ("cmd.exe", "powershell")
and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "",
base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any (
"spinstall0",
@'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS',
@'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
)
These queries look for the specific indicators that researchers have identified with this attack campaign.
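For servers that are not onboarded to Defender for Endpoint, the same hunt can be run over the SharePoint IIS logs. The following script is an added example, not code from the original post or from TrustedSec; it parses constructed W3C-format IIS log lines (the #Fields header drives the column layout) and flags the two indicators the post names: requests to ToolPane.aspx and requests for the spinstall0 web shell in the LAYOUTS directory. The sample lines, IP addresses and file names are constructed, and the spinstall0 URL pattern is an assumption generalized from the file name above.

```python
import re

# Constructed sample in IIS W3C format (not real log data). IIS writes
# spaces inside fields as '+', so each row splits cleanly on single spaces.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-19 08:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 08:03:47 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 08:04:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 curl/8.0 200
2025-07-19 08:05:30 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Indicators from the post: ToolPane.aspx access and the spinstall0 web shell.
# ToolPane.aspx also serves legitimate page editing, so treat hits as leads
# to triage (source IP, method, timing), not as confirmed compromise.
TOOLPANE_RE = re.compile(r"/_layouts/(?:15|16)/toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/_layouts/(?:15|16)/spinstall0[^/]*\.aspx$", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue                        # other directives and blank lines
        if fields is None:
            raise ValueError("data row seen before a #Fields header")
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue                        # malformed row: skip it, do not crash
        yield dict(zip(fields, values))


def find_toolshell_indicators(text):
    """Return (reason, record) pairs for rows that match the post's indicators."""
    hits = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        if TOOLPANE_RE.search(stem):
            hits.append(("toolpane_access", rec))
        elif SPINSTALL_RE.search(stem):
            hits.append(("spinstall0_webshell_request", rec))
    return hits


if __name__ == "__main__":
    for reason, rec in find_toolshell_indicators(SAMPLE_IIS_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']:>15} {rec['cs-method']:4} "
              f"{rec['cs-uri-stem']}  <- {reason}")
```

Point it at the real log directory (by default under C:\inetpub\logs\LogFiles on the SharePoint web front ends) and review every hit against your change-control records before declaring the server clean.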
The Bigger Picture
This vulnerability was first demonstrated at Pwn2Own Berlin back in May, giving the security community months to understand the attack mechanics. That research period helped, but it also gave attackers time to weaponize the technique.
The fact that we're seeing active exploitation so quickly after public disclosure shows how attractive this target is. SharePoint often sits at the heart of an organization's collaboration infrastructure, making it a high-value target for attackers.
A Word of Advice
If your SharePoint is exposed directly to the internet, fix that immediately. SharePoint was never designed to face the open web without proper protection. The combination of this vulnerability and internet exposure is a recipe for disaster.
This incident reminds us why patch management can't be treated as a routine maintenance task. When Microsoft releases emergency guidance and CISA issues alerts, it's time to move fast.
The good news is that Microsoft has provided clear remediation steps and the security community has shared solid detection guidance. The bad news is that attackers are already using this in the wild.
Don't wait for the perfect maintenance window. Patch now, hunt for compromise, and make sure your SharePoint isn't hanging out on the internet like a digital welcome mat.
If you need help and are interested in TrustedSec's Incident Response or other security services, please feel free to contact us!
References: CISA Alert, Microsoft Security Response Center