What is ToolShell?
ToolShell refers to a set of critical, actively exploited vulnerabilities affecting all supported on-premises versions of SharePoint Server (Subscription Edition, 2019, and 2016) that, when chained, give an unauthenticated attacker remote code execution on the server. SharePoint Online in Microsoft 365 is not affected.
Successful exploitation of ToolShell requires an attacker to first leverage CVE-2025-53771, a path traversal vulnerability that lets an unauthenticated attacker reach the SharePoint “ToolPane.aspx” system page, which normally requires authentication.
With that page reachable, the attacker sends it a crafted request carrying a serialized payload, triggering CVE-2025-53770, a deserialization vulnerability. Because the server deserializes this untrusted data from an unauthenticated source, the attacker gains remote code execution, which is then used to deploy malware on the server and gain a foothold in the environment.
Affected versions of SharePoint
- SharePoint Enterprise Server 2016: Versions 16.0.0 - 16.0.5513.1001
- SharePoint Server 2019: Versions 16.0.0 - 16.0.10417.20037
- SharePoint Server Subscription Edition: Versions 16.0.0 - 16.0.18526.20508
How these vulnerabilities can be leveraged
Unauthenticated remote code execution on an internet-accessible, unpatched on-premises SharePoint server gives an attacker an initial access foothold in the target environment. From there, attackers can pivot through the environment, exfiltrate sensitive data, deploy additional malicious software (such as ransomware), and use the compromised infrastructure to attack other organizations.
Recommendations for everyone
Immediately apply the latest security updates for SharePoint Server (2016, 2019, Subscription Edition); the fixes for both CVEs shipped in Microsoft's July 2025 updates, and later cumulative updates include them.
Enable the Antimalware Scan Interface (AMSI) integration in SharePoint and ensure it is configured to use “Full Mode”. AMSI only scans if an AMSI-capable antivirus engine (for example Microsoft Defender Antivirus) is installed on the SharePoint servers.
Rotate ASP.NET machine keys for any SharePoint servers publicly accessible from the internet, then restart IIS on every server in the farm so the new keys take effect. This step matters even after patching: an attacker who exploited a server before the update may have stolen its machine keys, and those keys remain valid until rotated.
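The patch check and the key rotation from the steps above, as an added PowerShell example written for this page (it is not ThreatLocker's or Microsoft's code). It assumes the SharePoint Management Shell (or Windows PowerShell 5.1 with the SharePoint snap-in) on one server of the farm, farm administrator rights, that the build numbers in the version list above are the upper ends of the affected ranges, that the Update-SPMachineKey cmdlet is available (Subscription Edition, and 2016/2019 with the July 2025 updates installed), and that WinRM is enabled on the SharePoint servers so IIS can be restarted remotely. The product-line detection from the build band is a heuristic, not a SharePoint API. AMSI Full Mode is not scripted; it is configured in Central Administration.

```powershell
# Added example (not ThreatLocker's or Microsoft's code). Run in the SharePoint
# Management Shell on one server of the farm as a farm administrator.
# Assumptions: build bounds from the affected-version list above;
# Update-SPMachineKey is present; WinRM is enabled on the farm's servers.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Highest build still inside the affected range for each product line.
# Anything at or below it has not received the fix.
$lastVulnerable = @{
    'SharePoint Enterprise Server 2016'      = [version]'16.0.5513.1001'
    'SharePoint Server 2019'                 = [version]'16.0.10417.20037'
    'SharePoint Server Subscription Edition' = [version]'16.0.18526.20508'
}

function Get-SharePointProductLine([version]$Build) {
    # All three lines report major.minor 16.0 and differ only in the build band
    # (heuristic from the published build numbers: 2016 below 10000,
    # 2019 in the 10000s, Subscription Edition 14000 and above).
    if     ($Build.Build -lt 10000) { 'SharePoint Enterprise Server 2016' }
    elseif ($Build.Build -lt 14000) { 'SharePoint Server 2019' }
    else                            { 'SharePoint Server Subscription Edition' }
}

$build = (Get-SPFarm).BuildVersion
$line  = Get-SharePointProductLine $build
if ($build -le $lastVulnerable[$line]) {
    Write-Warning "$line build $build is inside the affected range. Install the latest security update on every server first; rotating keys on an unpatched farm only helps until the next exploitation."
    return
}
Write-Host "$line build $build is past the affected range; rotating machine keys."

# Rotate the ASP.NET machine keys of every web application, Central
# Administration included. Keys captured from a server before it was patched
# stay valid until this is done.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Restart IIS on every SharePoint server in the farm so the new keys are loaded.
# Role 'Invalid' marks servers in the farm that do not run SharePoint (e.g. SQL).
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}
```

If the build check fails, the script stops before touching keys on purpose: rotation is a post-patch step, and the farm should be updated first. If WinRM is not available, run iisreset.exe locally on each server instead of the Invoke-Command loop.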
Additional recommendations for ThreatLocker customers
Organizations with Network Control should restrict access to on-premises SharePoint to only ThreatLocker-secured devices.
Organizations with ThreatLocker Detect can download the following Community policies and configure them to alert, and to respond automatically by enabling Application Control or Network Control policies when they fire.
- TL.AAL.918 - Suspicious Child Process From w3wp.exe
- TL.SC.1200 - Spinstall0 File Created
Organizations with Cyber Hero® Managed Detection and Response are already protected and will be promptly notified if activity identified as “ToolShell” exploitation occurs.
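For teams without those policies, the two behaviours the Detect policies above look for (a shell spawned by the IIS worker process, and a spinstall0 file appearing in the SharePoint LAYOUTS directory) can be checked by hand. The script below is an added triage example written for this page; it is not a ThreatLocker policy and not ThreatLocker's code. It assumes the default 16 hive path and the default IIS log folder, that the standard W3C IIS log format is in use, and that an exploit request shows up as an unauthenticated POST to ToolPane.aspx (from the chain described above). The Referer test reflects the publicly reported exploit requests, which carried a Referer of /_layouts/SignOut.aspx; that detail is not something this page describes. Run it as an administrator on each SharePoint server.

```powershell
# Added triage script (not a ThreatLocker policy, not ThreatLocker's code).
# Assumptions: default 16 hive path, default IIS log folder, W3C log format,
# exploit traffic = unauthenticated POST to ToolPane.aspx; the SignOut.aspx
# Referer pattern is from public exploit reporting, not from the page above.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Shells spawned by IIS worker processes (what TL.AAL.918 alerts on).
#    csc.exe is deliberately left out: ASP.NET legitimately compiles pages
#    under w3wp.exe, so it would only add noise here.
$shellNames = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
$procs    = Get-CimInstance Win32_Process
$w3wpPids = @($procs | Where-Object Name -eq 'w3wp.exe' | ForEach-Object ProcessId)
foreach ($p in $procs | Where-Object { $_.Name -in $shellNames -and $_.ParentProcessId -in $w3wpPids }) {
    $findings.Add("w3wp.exe (PID $($p.ParentProcessId)) spawned $($p.Name) (PID $($p.ProcessId)): $($p.CommandLine)")
}

# 2. spinstall0* files in the LAYOUTS directory (what TL.SC.1200 alerts on).
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
foreach ($f in Get-ChildItem -Path $layouts -Filter 'spinstall0*' -File -Recurse -ErrorAction SilentlyContinue) {
    $findings.Add("Dropped file: $($f.FullName) (last written $($f.LastWriteTimeUtc.ToString('u')))")
}

# 3. IIS logs: POST requests to ToolPane.aspx from unauthenticated clients.
#    Caveat: with Windows authentication IIS records cs-username for
#    authenticated requests, so '-' means unauthenticated. With forms or SAML
#    sign-in cs-username is '-' for everyone, and only the Referer check
#    separates exploit attempts from legitimate web part editing.
function Find-ToolPaneRequests([string[]]$Lines, [string]$Source) {
    $fields = $null
    foreach ($line in $Lines) {
        # '#Fields:' headers define the column order; other '#' lines are comments.
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-method'] -ne 'POST' -or $rec['cs-uri-stem'] -notmatch '(?i)/_layouts/(15/)?ToolPane\.aspx$') { continue }
        $unauth  = $rec['cs-username'] -eq '-'
        $referer = $rec['cs(Referer)'] -match '(?i)/_layouts/(15/)?SignOut\.aspx'
        if ($unauth -or $referer) {
            $why = @()
            if ($unauth)  { $why += 'no username' }
            if ($referer) { $why += 'SignOut.aspx referer' }
            "$($Source): $($rec['date']) $($rec['time']) $($rec['c-ip']) POST $($rec['cs-uri-stem'])?$($rec['cs-uri-query']) -> $($rec['sc-status']) [$($why -join ', ')]"
        }
    }
}

$logRoot = 'C:\inetpub\logs\LogFiles'
foreach ($log in Get-ChildItem -Path $logRoot -Filter 'u_ex*.log' -File -Recurse -ErrorAction SilentlyContinue) {
    foreach ($hit in Find-ToolPaneRequests -Lines (Get-Content $log.FullName) -Source $log.Name) { $findings.Add($hit) }
}

if ($findings.Count -eq 0) {
    Write-Host "No ToolShell indicators found on $env:COMPUTERNAME."
} else {
    Write-Warning "$($findings.Count) ToolShell indicator(s) on $env:COMPUTERNAME; treat the server as compromised until proven otherwise."
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hit in any of the three checks is a reason to isolate the server and start incident response, not to simply patch and move on: the process and file checks only see what is still present at run time, so an empty result does not clear a server that was exposed while unpatched, and a positive log match means the machine keys must be assumed stolen and rotated as described in the recommendations above.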