Microsoft has released an emergency security update to patch a critical remote code execution (RCE) vulnerability in SharePoint Server that has been actively exploited in the wild. Tracked as CVE-2025-53770 and known publicly as “ToolShell,” the flaw allows unauthenticated attackers to execute arbitrary code on on-premises SharePoint installations. The vulnerability carries a CVSS score of 9.8, reflecting its severity and the low complexity required for exploitation. Security researchers and vendors, including Cloudflare and BleepingComputer, have confirmed that the exploit chain was being used in real-world attacks before a fix became available, with some campaigns delivering ransomware payloads.
Timeline of the ToolShell Vulnerability
Microsoft first acknowledged CVE-2025-53770 in late July 2025 through an MSRC blog post that warned of limited, targeted attacks against SharePoint servers. The advisory initially came without a patch, leaving administrators scrambling for mitigations. By early August 2025, proof-of-concept exploits began circulating publicly, and telemetry from multiple security vendors showed a spike in exploitation attempts. One week later, on August 12, Microsoft released an out-of-band security update that resolved the flaw. The National Vulnerability Database (NVD) published its official entry shortly thereafter, confirming the severity and the full impact of the vulnerability.
The disclosure timeline highlights a critical gap: the vulnerability was exploited for at least two weeks before a patch became available, giving attackers a substantial window to compromise unpatched systems. During that period, Cloudflare deployed emergency WAF rules to shield its customers, and incident responders observed the deployment of web shells and ransomware such as Warlock.
Technical Breakdown of the ToolShell Attack Chain
CVE-2025-53770 is not a single bug but a chain of two vulnerabilities that combine to achieve remote code execution without authentication. The first component is an authentication bypass that allows an attacker to reach a restricted SharePoint endpoint. The second is a deserialization flaw in that endpoint, which permits the execution of arbitrary code when specially crafted data is processed.
Authentication Bypass
The attack begins with a crafted HTTP request to a specific SharePoint page or service that normally requires authentication. By manipulating headers or parameters, an unauthenticated attacker tricks the server into processing the request as if it came from an authenticated user. The exact mechanism involves a flaw in how SharePoint validates tokens or session state for a particular component—details Microsoft has not fully disclosed to prevent further exploitation, but security researchers have identified that the vulnerable endpoint lies within the Business Connectivity Services (BCS) subsystem.
Unsafe Deserialization
Once past the authentication check, the attacker delivers a serialized .NET object. SharePoint’s built-in deserialization logic improperly trusts this object, leading to instantiation of attacker-controlled types. This classic “deserialization of untrusted data” vulnerability (CWE-502) is weaponized using known .NET gadgets that execute commands. In the ToolShell exploit, attackers typically use a chain that invokes Process.Start() to run arbitrary system commands, resulting in full server compromise with the privileges of the SharePoint application pool identity—often a domain account with significant access.
The overall attack flow is:
1. Attacker sends a POST request to a vulnerable BCS endpoint (e.g., /_layouts/15/BCSProxy.aspx or similar) with a forged authentication token.
2. The payload contains a serialized object crafted with ysoserial.net or similar tools.
3. SharePoint deserializes the object, triggering command execution.
4. The attacker gains a reverse shell or writes a web shell to disk for persistent access.
Vulnerability Impact and Affected Products
CVE-2025-53770 affects the following on-premises SharePoint versions:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Server 2016
SharePoint Online is not affected, as Microsoft’s cloud infrastructure had already been hardened against the underlying deserialization attack. However, any on-premises SharePoint farm that is internet-facing—or even accessible from a compromised internal system—is at extreme risk.
Because the vulnerability requires only network access and no user interaction, it qualifies for the highest CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An attacker can achieve complete confidentiality, integrity, and availability impact, effectively taking over the server.
In the wild, attackers used CVE-2025-53770 to:
- Deploy web shells (with names like toolshell.aspx, cmd.aspx, or e3kvo5hz.aspx)
- Execute PowerShell-based post-exploitation toolkits
- Drop and execute ransomware, notably a variant of “Warlock” ransomware, which encrypts files and appends the .warlock extension
- Move laterally within the network using the SharePoint server as a pivot point
Indicators of Compromise (IOCs)
Detection and hunting teams should look for the following signs of exploitation:
File-Based IOCs
| Indicator | Description |
|---|---|
| C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\toolshell.aspx | Common web shell path |
| C:\Windows\Temp\svchost.exe or unusual executables in temp directories | Malicious binaries dropped during exploitation |
| Any new .aspx files in SharePoint's _layouts directories | Web shells often placed here to blend in |
| Files with .warlock extension | Ransomware-encrypted files |
Network IOCs
- HTTP POST requests to /_layouts/15/BCSProxy.aspx with unexpected parameters or large payloads
- Outbound connections from the SharePoint server to known malicious IPs or domains on high ports (e.g., 4444, 8080) indicative of reverse shells
- Anomalous usage of powershell.exe or cmd.exe spawned by the w3wp.exe process (SharePoint worker process)
Windows Event Log IOCs
- Event ID 4688: w3wp.exe launching cmd.exe or powershell.exe with encoded commands
- Event ID 5156: Windows Filtering Platform (WFP) permitting outbound connections from w3wp.exe to suspicious remote addresses
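The network and event-log indicators above, and the IIS log review recommended in the incident response steps later on, reduce to two hunts: abnormal POSTs to the BCS endpoint or unexpected .aspx pages under _layouts, and w3wp.exe spawning a shell. The Python below is an added example written for this article, not tooling from Microsoft or any vendor named here. It parses W3C-format IIS log lines and 4688-style process events and returns findings. The web shell names and the BCS path are taken from the IOC lists on this page; the allowlist of shipped _layouts pages, the 4096-byte size threshold and all sample log data are constructed assumptions to be replaced with values from your own farm.

```python
import re
from dataclasses import dataclass

# Shell names and the BCS path come from the IOC list above; the allowlist of shipped
# _layouts pages and the body-size threshold are assumptions to tune per farm.
BCS_ENDPOINT = "/_layouts/15/bcsproxy.aspx"
LARGE_POST_BYTES = 4096
KNOWN_SHELL_NAMES = {"toolshell.aspx", "cmd.aspx", "e3kvo5hz.aspx"}
SHIPPED_LAYOUTS_PAGES = {"bcsproxy.aspx", "start.aspx", "settings.aspx"}  # build from a clean server
LAYOUTS_PAGE = re.compile(r"^/_layouts/(?:\d+/)?([^/]+\.aspx)$", re.IGNORECASE)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = ("-enc", "-e ", "-command")   # "-enc" also covers -encodedcommand


@dataclass
class Finding:
    source: str     # "iis" or "4688"
    severity: str   # "high" or "medium"
    reason: str
    evidence: str


def parse_iis(lines):
    """Yield one dict per W3C-format IIS log entry, using the #Fields directive for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_iis(lines):
    """Flag abnormal POSTs to the BCS endpoint and .aspx pages under _layouts that should not exist."""
    findings = []
    for rec in parse_iis(lines):
        stem = rec.get("cs-uri-stem", "")
        where = f"{rec.get('date')} {rec.get('time')} {rec.get('c-ip')}"
        if rec.get("cs-method") == "POST" and stem.lower() == BCS_ENDPOINT:
            size = int(rec.get("cs-bytes") or 0)
            query = rec.get("cs-uri-query", "-")
            if size >= LARGE_POST_BYTES or query != "-":
                findings.append(Finding("iis", "high", f"POST to BCS endpoint, cs-bytes={size}, query={query}", where))
        match = LAYOUTS_PAGE.match(stem)
        if match:
            page = match.group(1).lower()
            if page in KNOWN_SHELL_NAMES:
                findings.append(Finding("iis", "high", f"known ToolShell web shell name {page}", where))
            elif page not in SHIPPED_LAYOUTS_PAGES:
                findings.append(Finding("iis", "medium", f"unexpected _layouts page {page}", where))
    return findings


def hunt_4688(events):
    """Flag w3wp.exe spawning a shell; encoded or inline PowerShell commands rank higher."""
    findings = []
    for ev in events:
        parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if parent != "w3wp.exe" or child not in SHELL_CHILDREN:
            continue
        cmd = ev.get("CommandLine", "")
        encoded = any(flag in cmd.lower() for flag in ENCODED_FLAGS)
        reason = f"w3wp.exe spawned {child}" + (" with encoded/inline command" if encoded else "")
        findings.append(Finding("4688", "high" if encoded else "medium", reason, cmd))
    return findings


# Constructed sample data: a short IIS log and four 4688 events as a SIEM would hand them over.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2025-08-05 03:12:44 GET /_layouts/15/start.aspx - 10.0.0.8 200 412
2025-08-05 03:13:01 POST /_layouts/15/BCSProxy.aspx - 203.0.113.7 200 18734
2025-08-05 03:13:02 POST /_layouts/15/BCSProxy.aspx mode=debug 203.0.113.7 200 512
2025-08-05 03:13:09 GET /_layouts/15/toolshell.aspx - 203.0.113.7 200 301
2025-08-05 03:14:20 GET /_layouts/15/settings.aspx - 10.0.0.8 200 388
2025-08-05 03:15:00 GET /_layouts/15/e3kvo5hz.aspx - 198.51.100.4 200 290
2025-08-05 03:15:30 GET /_layouts/15/upload2.aspx - 198.51.100.4 200 275""".splitlines()

SAMPLE_4688_EVENTS = [
    {"ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUE="},   # placeholder, not a real payload
    {"ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff"},
]

if __name__ == "__main__":
    for f in hunt_iis(SAMPLE_IIS_LOG) + hunt_4688(SAMPLE_4688_EVENTS):
        print(f"[{f.severity:6}] {f.source}: {f.reason} | {f.evidence}")
```

Two design points matter in practice. The IIS parser reads the #Fields directive instead of assuming column positions, because cs-bytes is not in the default IIS field set and farms differ; if your logs lack it, the size test silently becomes a query-string test only, so enable the field before relying on the hunt. The _layouts check is an allowlist, not a denylist: a shell dropped under a fresh random name (as the e3kvo5hz.aspx indicator shows attackers do) still surfaces as a medium finding.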
Mitigation and Remediation Steps
Apply the Security Update
Microsoft’s August 2025 patch (KB5038523 for SharePoint Server Subscription Edition, and corresponding updates for 2019 and 2016) fully resolves the vulnerability. Install this update immediately on all SharePoint servers in the farm. The update modifies the BCSServiceHost component to reject untrusted serialized types and strengthens authentication checks on the vulnerable endpoint.
Rotate Machine Keys
Because the deserialization flaw relies on the server’s machine key to sign or encrypt the malicious payloads, it is critical to rotate the machineKey element in the web.config files of all SharePoint web applications. Attackers who have captured a valid machine key can still exploit the vulnerability even after patching if the key is not changed. Microsoft provides a PowerShell script to automate this rotation across the farm.
Review and Disable Unnecessary Features
If your organization does not use Business Connectivity Services, disable the feature at the farm and site collection levels. This reduces the attack surface even if a new bypass is discovered. Additionally, restrict access to the _layouts virtual directory using URL rewrite rules or IP restrictions.
Deploy Web Application Firewall (WAF) Rules
Cloudflare, F5, and other WAF vendors have released specific rules to detect and block CVE-2025-53770 exploitation attempts. For example, a Cloudflare WAF rule matches requests to /_layouts/15/BCSProxy.aspx containing serialized .NET data. If you manage your own WAF, create custom rules that inspect for the presence of __type parameters or known gadget chains in POST bodies to the BCS endpoint.
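A custom rule of the kind described needs one caveat a string match does not cover: the `__type` marker may arrive URL-encoded, inside a form field, or base64-wrapped, so the body should be decoded before it is inspected. The Python below is an added illustration written for this article, not a Cloudflare or F5 rule; it models the request check as a function that a reverse proxy or middleware could call. The BCS path and the `__type` marker come from the text above; the sample requests are constructed and carry only the marker, not a payload.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, unquote_plus

# Endpoint and marker come from the text above; any site-relative copy of the path
# (e.g. /sites/hr/_layouts/15/BCSProxy.aspx) is treated as the same endpoint.
BCS_PATH = "/_layouts/15/bcsproxy.aspx"
MARKERS = ("__type",)   # extend with the gadget-chain strings from your WAF vendor's rule set
B64_CHARS = re.compile(r"[A-Za-z0-9+/]+")


def _maybe_base64(text: str):
    """Yield UTF-8 and UTF-16LE readings of text if it decodes as (URL-safe) base64."""
    candidate = text.strip().replace("-", "+").replace("_", "/").rstrip("=")
    if len(candidate) < 16 or not B64_CHARS.fullmatch(candidate):
        return
    try:
        raw = base64.b64decode(candidate + "=" * (-len(candidate) % 4))
    except (binascii.Error, ValueError):
        return
    yield raw.decode("utf-8", errors="replace")
    yield raw.decode("utf-16-le", errors="replace")   # .NET serializers often emit UTF-16


def decoded_views(body: bytes):
    """Yield the body as received, URL-decoded, per form field, and base64-decoded."""
    text = body.decode("utf-8", errors="replace")
    yield text
    yield unquote_plus(text)
    for _, value in parse_qsl(text, keep_blank_values=True):
        yield value
        yield from _maybe_base64(value)
    yield from _maybe_base64(text)


def inspect_request(method: str, path: str, body: bytes) -> dict:
    """Block a POST to the BCS endpoint whose body carries a marker in any decoding."""
    bare_path = unquote(path.split("?", 1)[0]).lower()
    if method.upper() != "POST" or not bare_path.endswith(BCS_PATH):
        return {"block": False, "reason": "not a POST to the BCS endpoint"}
    for view in decoded_views(body):
        lowered = view.lower()
        for marker in MARKERS:
            if marker in lowered:
                return {"block": True, "reason": f"marker {marker!r} found in decoded body"}
    return {"block": False, "reason": "no deserialization markers in body"}


# Constructed requests: none of these bodies is a working payload, they only carry the marker.
SAMPLE_REQUESTS = {
    "plain json":   ("POST", "/_layouts/15/BCSProxy.aspx", b'{"__type":"Constructed.Example, Example"}'),
    "url-encoded":  ("POST", "/sites/hr/_layouts/15/BCSProxy.aspx", b"data=%5F%5Ftype%3DConstructed"),
    "base64 field": ("POST", "/_layouts/15/bcsproxy.aspx",
                     b"payload=" + base64.urlsafe_b64encode(b'{"__type":"Constructed.Example"}')),
    "benign post":  ("POST", "/_layouts/15/BCSProxy.aspx", b"lobSystem=Finance&op=read"),
    "get request":  ("GET", "/_layouts/15/BCSProxy.aspx?__type=x", b""),
}

if __name__ == "__main__":
    for name, (method, path, body) in SAMPLE_REQUESTS.items():
        print(f"{name:13} -> {inspect_request(method, path, body)}")
```

The check is scoped to the BCS endpoint exactly as the article's rule is; the same function can be widened to every POST under _layouts by relaxing the path test, at the cost of inspecting far more legitimate traffic. Keep the decoding passes cheap and bounded (this version only tries one base64 layer) so the rule itself cannot be turned into a CPU sink.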
Enable Antimalware and AMSI
SharePoint servers should have the Windows Antimalware Scan Interface (AMSI) enabled and integrated with your endpoint protection platform (e.g., Microsoft Defender for Endpoint). AMSI can detect malicious scripts and web shells as they are written to disk or executed in memory. Configure real-time protection policies to quarantine any suspicious .aspx files immediately.
Detection and Threat Hunting Queries
Microsoft Defender for Endpoint (MDE) / Defender XDR
DeviceProcessEvents
| where InitiatingProcessFileName == "w3wp.exe"
| where ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd.exe"
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-command"
| project Timestamp, DeviceName, ProcessCommandLine
Splunk / Generic SIEM
index=windows source="WinEventLog:Security" EventCode=4688
Creator_Process_Name="*\\w3wp.exe"
(Process_Command_Line="*powershell*" OR Process_Command_Line="*cmd.exe*")
| table _time, host, Creator_Process_Name, New_Process_Name, Process_Command_Line
YARA Rule for Web Shell Detection
rule SharePoint_WebShell_ToolShell {
    meta:
        description = "Detects known ToolShell web shells"
        author = "WindowsForum Threat Intel"
        date = "2025-08-15"
        hash = ""
    strings:
        $pattern1 = "System.Security.Cryptography" ascii wide
        $pattern2 = "HttpContext.Current.Server" ascii wide
        $toolshell = "toolshell" ascii nocase
    condition:
        // parentheses are required: "and" binds tighter than "or", so without them
        // the filesize limit would not apply to the $toolshell match
        filesize < 10KB and (($pattern1 and $pattern2) or $toolshell)
}
Network Detection (Suricata / Snort)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2025-53770 SharePoint BCS Deserialization Exploit"; flow:to_server,established; content:"POST"; http_method; content:"/_layouts/15/BCSProxy.aspx"; http_uri; content:"__type"; http_client_body; reference:cve,2025-53770; classtype:attempted-admin; sid:202553770; rev:1;)
Risk and Response Advice for Administrators
Organizations running on-premises SharePoint must treat CVE-2025-53770 as a top-priority emergency. The combination of pre-auth RCE, public exploit code, and active ransomware deployment makes this one of the most dangerous SharePoint vulnerabilities since CVE-2019-0604. Even if your SharePoint servers are not exposed to the internet, an attacker with a foothold on the internal network could exploit this flaw to escalate privileges and move laterally.
If you suspect compromise, initiate incident response procedures immediately:
- Isolate the affected SharePoint server from the network after capturing memory and disk images.
- Analyze IIS logs for the patterns described above, especially POST requests to BCS endpoints around the suspected intrusion date.
- Check for newly created local or domain accounts, scheduled tasks, and services that may indicate persistence.
- Assume the attacker may have extracted credentials; force password resets for all accounts that have logged into the server.
After remediating, conduct a thorough security audit of the SharePoint farm, including a review of all custom solutions, third-party web parts, and service application configurations. Engage with Microsoft Support if any anomalies are found.
Board-Level Summary
A critical vulnerability in Microsoft SharePoint (CVE-2025-53770) enables attackers to take full control of unpatched servers remotely, without a password. Exploits are public and have been used to deploy ransomware. The fix is available and must be applied immediately to prevent data loss, operational disruption, and potential regulatory penalties. All internet-facing SharePoint servers should be considered compromised until proven otherwise.
Conclusion
CVE-2025-53770 serves as a stark reminder that even mature, enterprise platforms like SharePoint can harbor deeply rooted flaws. The ToolShell exploit chain underscores the importance of prompt patching, defense-in-depth strategies such as WAF and AMSI, and continuous monitoring for early signs of compromise. For the many organizations still running on-premises SharePoint, this incident reinforces the need for rigorous vulnerability management and incident response preparedness. Apply the patch, rotate your machine keys, and verify your detections—the attackers are not slowing down.