A newly disclosed zero-day vulnerability in Microsoft SharePoint Server — CVE-2025-53770 — is currently being exploited in the wild and poses a critical threat to organizations running on-premises SharePoint instances. Dubbed part of the emerging “ToolShell” attack campaign, this vulnerability enables unauthenticated remote code execution (RCE), full system compromise, and persistent backdoor installation—even bypassing traditional controls like multi-factor authentication (MFA).
The SafeBreach Labs team has swiftly responded, providing immediate coverage for post-exploitation webshell activity and new simulations for webshell communication behaviors, helping organizations validate their exposure and proactively assess their security posture in light of this escalating threat.
PREFER TO LISTEN?
Check out our recently released podcast episode, where host Tova Dvorin is joined by SafeBreach experts Adrian Culley and Tomer Bar to break down CVE-2025-53770. Listen now on Spotify or Apple Podcasts.
What is CVE-2025-53770?
CVE-2025-53770 is a critical insecure deserialization flaw (CWE-502) in SharePoint Server 2016, 2019, and Subscription Edition, with a CVSS score of 9.8. This vulnerability allows attackers to send specially crafted serialized objects to vulnerable SharePoint servers, which then deserialize and execute malicious code—all without requiring authentication.
This flaw is a variant of previous SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706), and attackers have already adapted their tactics to bypass earlier mitigations.
Why This Matters: ToolShell & Persistent Compromise
Once exploited, CVE-2025-53770 grants attackers full remote access to the SharePoint server. Attackers have been observed:
- Dropping webshells (e.g., spinstall0.aspx) to maintain persistent access
- Stealing the ASP.NET MachineKey from SharePoint’s configuration files, which lets them forge valid authentication tokens that keep working even after the server is patched (until the key is rotated)
- Using forged ViewState payloads to maintain ongoing code execution within the IIS worker process
- Launching lateral movement, credential theft, and data exfiltration from connected systems like Teams, Outlook, or OneDrive
SafeBreach research has identified this campaign as a significant evolution in webshell-based exploitation—combining stealth, persistence, and bypass techniques previously unseen in SharePoint-focused attacks.
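The webshell behavior listed above leaves a trace in the SharePoint server’s IIS logs. The following script is an added example (not SafeBreach or Microsoft code) that parses IIS W3C log entries and reports every client that requested the spinstall0.aspx webshell named above, distinguishing requests the shell actually answered (2xx) from 404 probes. The log lines, client IPs and timestamps are constructed for the example; only the webshell filename comes from this post.

```python
"""Scan IIS W3C logs for requests to the spinstall0.aspx webshell described above."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log in IIS W3C format; IPs, users and times are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 200 15
2025-07-19 10:02:30 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 9
2025-07-19 10:02:31 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 12
2025-07-19 10:05:00 10.0.0.5 GET /_layouts/15/SPINSTALL0.ASPX - 443 - 198.51.100.9 curl/8.0 404 3
2025-07-19 10:06:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\bob 10.0.0.21 Mozilla/5.0 200 20
"""

WEBSHELL_NAMES = {"spinstall0.aspx"}  # filename taken from the post above


def parse_iis_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat after log rollover
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_webshell_requests(text, names=WEBSHELL_NAMES):
    """Group hits on the webshell path by client IP, noting whether the shell answered."""
    hits = defaultdict(lambda: {"count": 0, "methods": set(), "served": False, "first_seen": None})
    for entry in parse_iis_log(text):
        # Compare the URL-decoded, case-folded basename so /SPINSTALL0.ASPX still matches
        basename = unquote(entry["cs-uri-stem"]).rsplit("/", 1)[-1].lower()
        if basename in names:
            h = hits[entry["c-ip"]]
            h["count"] += 1
            h["methods"].add(entry["cs-method"])
            # A 2xx means the shell exists and responded; a 404 suggests scanning for it
            h["served"] |= entry["sc-status"].startswith("2")
            h["first_seen"] = h["first_seen"] or f'{entry["date"]} {entry["time"]}'
    return dict(hits)


if __name__ == "__main__":
    for ip, h in find_webshell_requests(SAMPLE_LOG).items():
        verdict = "webshell ANSWERED" if h["served"] else "probe only"
        print(f'{ip}: {h["count"]} request(s) {sorted(h["methods"])} first {h["first_seen"]} -> {verdict}')
```

Point `find_webshell_requests` at the contents of the real log files under the server’s IIS log directory; any client for which the shell answered is a strong signal that the MachineKey should be treated as stolen and rotated.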
SafeBreach Coverage & Playbook Attack Updates
As part of our rapid response initiative, SafeBreach Labs has released new coverage to help customers:
- Detect the presence of known webshells deployed via CVE-2025-53770 exploitation
- Simulate command-and-control (C2) communication with webshell backdoors
- Validate whether existing endpoint or network controls can detect or block these techniques
This ensures our customers can immediately run breach and attack simulations (BAS) to measure and strengthen their defenses against the real-world behaviors observed in ToolShell attacks.
New IOC-Based SafeBreach Simulations
The Labs team added the following new simulation coverage:
- #10943 – Write CVE-2025-53770 webshell to disk
- #10944 – Transfer CVE-2025-53770 webshell over HTTP/S
- #10945 – (Duplicate) Transfer CVE-2025-53770 webshell over HTTP/S
- #10946 – Email CVE-2025-53770 webshell as a compressed attachment
- #10947 – (Duplicate) Email CVE-2025-53770 webshell as a compressed attachment
Recommendations for Customers
We strongly urge organizations—especially those in regulated industries or with exposed SharePoint infrastructure—to:
- Run SafeBreach simulations associated with CVE-2025-53770 to test current detection and response capabilities
- Apply Microsoft’s emergency patches for SharePoint Server 2019 and Subscription Edition
- For SharePoint Server 2016 (still unpatched), implement interim mitigations including server isolation and AMSI integration
- Rotate the ASP.NET MachineKey after patching to eliminate persistent access
- Initiate a full forensic investigation for any exposed and unpatched servers, assuming compromise
How to Run the Scenario in the SafeBreach Platform
From the Attack Playbook, search by tag CVE-2025-53770 to explore individual simulations.

Stay Proactive, Stay Resilient
CVE-2025-53770 highlights how quickly adversaries adapt to patch gaps and leverage persistent access mechanisms like webshells. By incorporating adversary behavior into your validation program, SafeBreach helps ensure that your defenses aren’t just theoretical—they’re tested, verified, and resilient.
For customers seeking more information on specific simulation IDs or guidance tailored to your environment, please reach out to your SafeBreach representative or contact [email protected]. If you’re not a customer and would like to see the platform in action, schedule a customized demo today.