Critical SharePoint Zero-Day CVE-2025-53770 Under Exploit

Overview: Security teams worldwide are sounding the alarm over a CVSSv3 9.8 remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, tracked as CVE-2025-53770. Attackers are exploiting flaws in ASP.NET ViewState serialization to steal MachineKey material, forge validly signed __VIEWSTATE payloads, and escalate privileges across corporate networks.
Vulnerability Details and Exploitation Chain
The root issue lies in how SharePoint processes serialized ViewState and other ASP.NET data structures. By leaking the ValidationKey from memory or configuration, adversaries can bypass signature checks, craft signed payloads via ysoserial, and execute arbitrary commands.
- Initial Access: Unauthenticated HTTP request to /_layouts/15/start.aspx to harvest __VIEWSTATEGENERATOR.
- Key Extraction: Exploit chain combining CVE-2025-49704 and CVE-2025-49706 (demonstrated at Pwn2Own Berlin) reads MachineKey (ValidationKey + DecryptionKey).
- Payload Generation: Use ysoserial.exe -p ViewState -g TypeConfuseDelegate with extracted keys to produce a signed __VIEWSTATE for RCE.
- Remote Code Execution: Submit malicious __VIEWSTATE to /_layouts/15/success.aspx, triggering PowerShell or C# based payloads without authentication.
“This wasn’t your typical webshell. Instead of reverse shells or C2 beacons, ToolShell invoked .NET internals to extract MachineKey material, enabling arbitrary signed payloads.” – Eye Security Research
Patch and Mitigation Steps
- Apply Microsoft’s emergency updates for SharePoint Subscription Edition and SharePoint 2019 (patches released July 22, 2025).
- For SharePoint 2016 (unpatched), deploy the Antimalware Scan Interface (AMSI) and block inbound HTTP(S) to /_layouts/15/.
- Rotate all ASP.NET MachineKey values and restart IIS to invalidate stolen keys.
- Conduct endpoint forensics: search for atypical Fiddler or ysoserial invocations and anomalous __VIEWSTATE parameter sizes.
Attack Timeline and Attribution
According to Eye Security, two major attack waves occurred on July 18 (18:00 UTC) and July 19 (07:30 UTC), targeting dozens of global organizations. Federal agencies in the U.S. (The Washington Post reports) have confirmed intrusions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on July 20, listing IOCs and recommending enhanced logging of MachineKey access patterns.
Detection and Incident Response Strategies
Beyond patching, defenders must implement network and application-layer controls:
- Web Application Firewall (WAF): Create custom rules to verify ViewState signatures against known keysets.
- Behavioral Monitoring: Alert on anomalous POST requests to /_layouts/15/success.aspx or excessive ViewState sizes (>1 MB).
- Forensic Imaging: Capture memory dumps of SharePoint front-end servers to detect in-memory key extraction routines.
- Credential Hygiene: Rotate service accounts, implement MFA on SharePoint admin accounts, and audit usage of admin-privileged tokens.
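The behavioral-monitoring item above can be turned into a log check. The following is an added example (not from the article, Eye Security, or any vendor product) that scans IIS W3C log lines for the two indicators named there: POST requests to the /_layouts/15/ pages the article mentions and request bodies over the 1 MB threshold. It uses the standard IIS W3C field names (cs-method, cs-uri-stem, cs-bytes); the log lines are constructed sample data, and the IP addresses are documentation ranges.

```python
"""Added example (not from the article or any vendor tool): scan IIS W3C log
lines for the behavioral indicators the article lists -- POST requests to
/_layouts/15/success.aspx (and start.aspx) and request bodies over 1 MB,
which suggest an abnormally large __VIEWSTATE. Field names are the standard
IIS W3C fields; the log lines below are constructed sample data."""

VIEWSTATE_SIZE_LIMIT = 1024 * 1024  # 1 MB, the threshold the article suggests
WATCHED_PATHS = {"/_layouts/15/success.aspx", "/_layouts/15/start.aspx"}

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2025-07-18 18:01:02 203.0.113.7 GET /_layouts/15/start.aspx - 200 412
2025-07-18 18:01:05 203.0.113.7 POST /_layouts/15/success.aspx - 200 1500000
2025-07-18 18:02:10 198.51.100.4 GET /sites/hr/default.aspx - 200 700
2025-07-18 18:03:44 203.0.113.7 POST /_layouts/15/success.aspx - 200 900
"""


def parse_w3c(text):
    """Yield (line_no, row_dict) for each data line, using the #Fields directive."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the whole scan
        yield line_no, dict(zip(fields, parts))


def flag_suspicious(text, size_limit=VIEWSTATE_SIZE_LIMIT):
    """Return (line_no, client_ip, reason) for every line matching an indicator."""
    findings = []
    for line_no, row in parse_w3c(text):
        path = row["cs-uri-stem"].lower()
        method = row["cs-method"].upper()
        size = int(row["cs-bytes"]) if row["cs-bytes"].isdigit() else 0
        reasons = []
        if method == "POST" and path in WATCHED_PATHS:
            reasons.append(f"POST to {path}")
        if size > size_limit:
            reasons.append(f"request {size} bytes exceeds {size_limit}")
        if reasons:
            findings.append((line_no, row["c-ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line_no, ip, reason in flag_suspicious(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {reason}")
```

cs-bytes counts the whole request, so legitimate multipart uploads will also exceed 1 MB; in production, pair the size rule with the path rule or exclude known upload endpoints before paging anyone. The GET to start.aspx is deliberately not flagged on its own, since that is ordinary SharePoint traffic.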
Long-Term Mitigation and Secure Configuration
Organizations should review their patch management and system hardening policies:
- Least Privilege: Limit the SharePoint Pool identity to only required file system and registry permissions.
- Configuration Encryption: Move MachineKey sections into encrypted registry or Azure Key Vault for cloud-hybrid deployments.
- Regular Red-Team Exercises: Simulate ViewState attacks using custom ysoserial modules to validate detection capabilities.
- Supply Chain Audits: Vet third-party SharePoint add-ins that may expose unintended serialization endpoints.
Expert Opinion
Amanda Rousseau, Director of Research at Black Hills Information Security, notes: “This vulnerability underscores the risk of unchecked ViewState processing. Even after patching, stolen MachineKeys persist until rotated, enabling stealthy post-exploit chaining.”
Key Takeaways
- Assume compromise: past exploits may have already stolen critical cryptographic material.
- Patching alone is insufficient; full key rotation, forensic validation, and network segmentation are mandatory.
- Stay vigilant for new CVE variants targeting ASP.NET serialization mechanisms.