Navigating The Microsoft SharePoint Exploit

Publication date: 2025-07-21
WARNING

Are Your SharePoint Servers Vulnerable?


On July 18, 2025, security researchers confirmed active exploitation of CVE‑2025‑53770, a critical remote code execution flaw in on‑premises Microsoft SharePoint Server, used in large‑scale campaigns against internet‑facing farms [1]. For a fully annotated breakdown—including a live Q & A and an AI Assistant you can consult—visit our detailed report at https://basefortify.eu/cve_reports/2025/07/cve-2025-53770.html.


What Is CVE‑2025‑53770?


CVE‑2025‑53770 arises from improper object deserialization in SharePoint’s ToolPane.aspx edit endpoint. An attacker can send a crafted POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and achieve unauthenticated remote code execution under the SharePoint service account [1].


Who Is Affected?


This issue impacts on‑premises installations only:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server Enterprise 2016

SharePoint Online (Microsoft 365) is not affected.


How to Detect If You’re Vulnerable


Run the following on each SharePoint server, then compare the reported build with the table below:

    # 1. Check for installed hotfixes
    Get-HotFix -Id KB5002768 -ErrorAction SilentlyContinue | Select-Object InstalledOn, Description
    Get-HotFix -Id KB5002754 -ErrorAction SilentlyContinue | Select-Object InstalledOn, Description

    # 2. Verify SharePoint build version (Get-SPFarm needs the SharePoint snap-in loaded)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $build = (Get-SPFarm).BuildVersion
    Write-Host "SharePoint Build Version: $build"

    Edition                             Minimum Patched Build
    SharePoint Server 2019              16.0.10417.20027 or later
    SharePoint Enterprise Server 2016   16.0.5508.1000 or later

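As an added example (not code from the article or from BaseFortify), the following PowerShell compares a farm build against the minimum patched builds in the table above using a proper [version] comparison rather than a string compare. The sample builds are constructed, and because this page gives no minimum build for Subscription Edition, that edition is reported as Unknown instead of being guessed.

```powershell
# Added example, not from the original article. Minimum patched builds are
# taken from the table above; Subscription Edition has no build on this page,
# so it is reported as Unknown rather than guessed.
$MinimumPatchedBuild = @{
    'SharePoint Server 2019'            = [version]'16.0.10417.20027'
    'SharePoint Enterprise Server 2016' = [version]'16.0.5508.1000'
}

function Test-SPBuildPatched {
    param(
        [Parameter(Mandatory)][string]$Edition,
        [Parameter(Mandatory)][string]$Build
    )
    $result = [ordered]@{ Edition = $Edition; Build = $Build; Minimum = $null; Status = 'Unknown' }
    if ($MinimumPatchedBuild.ContainsKey($Edition)) {
        $min = $MinimumPatchedBuild[$Edition]
        $result.Minimum = $min
        # [version] compares field by field; a plain string comparison would rank
        # '16.0.5508.1000' above '16.0.10417.20027' because '5' sorts after '1'.
        $result.Status = if ([version]$Build -ge $min) { 'Patched' } else { 'VULNERABLE' }
    }
    [pscustomobject]$result
}

# Constructed sample inputs (not a real farm). On a server, feed it the live value:
#   Add-PSSnapin Microsoft.SharePoint.PowerShell
#   Test-SPBuildPatched -Edition 'SharePoint Server 2019' -Build (Get-SPFarm).BuildVersion
$samples = @(
    @{ Edition = 'SharePoint Server 2019';                 Build = '16.0.10396.20000' }  # constructed, below minimum
    @{ Edition = 'SharePoint Server 2019';                 Build = '16.0.10417.20027' }  # exactly the minimum
    @{ Edition = 'SharePoint Enterprise Server 2016';      Build = '16.0.5508.1000'   }  # exactly the minimum
    @{ Edition = 'SharePoint Server Subscription Edition'; Build = '16.0.0.0'         }  # placeholder, no minimum on page
)
$samples | ForEach-Object { Test-SPBuildPatched -Edition $_.Edition -Build $_.Build } | Format-Table -AutoSize
```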

Mitigation and Remediation


1. Apply Official Security Updates

Subscription Edition: KB5002768
SharePoint Server 2019: KB5002754
SharePoint Server 2016: monitor Microsoft guidance for the July 2025 roll‑up.

2. Enable AMSI Integration

Ensure your antivirus supports the Antimalware Scan Interface (AMSI):

    Get-MpPreference | Select-Object DisableRealtimeMonitoring

3. Rotate ASP.NET Machine Keys

After patching:

    # Roll the ASP.NET machine keys for every web application, then restart IIS so the new keys take effect
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-SPWebApplication | ForEach-Object { Update-SPMachineKey -WebApplication $_ }
    iisreset

4. Temporary Endpoint Block

As an interim measure, block unauthenticated POSTs to ToolPane.aspx. Note that a request-filtering hidden segment makes IIS reject every request whose path contains that segment (HTTP 404), not just unauthenticated POSTs, so legitimate web part editing through that page stops working until the rule is removed after patching:

    Import-Module WebAdministration
    Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
        -filter "system.webServer/security/requestFiltering/hiddenSegments" `
        -name "." -value @{segment='ToolPane.aspx'}

Why BaseFortify.eu?


At BaseFortify.eu, we simplify vulnerability management. With a single PowerShell script, you can inventory all your applications and operating systems, then upload that data to our platform. Whenever a new CVE matches one of your components, our system instantly notifies you and provides tailored mitigation steps—so you never miss a critical update.

Ready to take control of your security? Register for free at BaseFortify.eu today to start inventorying your applications and operating systems, receive real‑time vulnerability alerts, and access tailored mitigation guidance—all at no cost.


References


  • Microsoft Security Update Guide: KB5002768, KB5002754
  • CISA Known Exploited Vulnerabilities Catalog
  • BaseFortify Annotated Report: CVE‑2025‑53770
  • Security Research: “ToolShell” exploitation campaigns