Source: socprime.com – Author: Daryna Olyniychuk
This summer saw a surge of critical vulnerabilities impacting Microsoft products. A new RCE vulnerability in Windows, tracked as CVE-2025-33053, had been actively weaponized by the Stealth Falcon APT group. At the same time, another severe flaw, dubbed EchoLeak (CVE-2025-32711), was uncovered in Microsoft Copilot, enabling silent data exfiltration via email with no user interaction required.
With those vulnerabilities still fresh in memory, attention has shifted to another high-impact threat named ToolShell. The zero-day used in these attacks, CVE-2025-53770, is a variant of CVE-2025-49704, a SharePoint RCE vulnerability patched in July that is itself already exploited in the wild. Attackers leverage it to deploy backdoors on compromised on-premises SharePoint servers and to extract the server's cryptographic (ASP.NET machine) keys, opening the door to full system compromise.
Detect CVE-2025-53770 Exploitation Attempts
With over 1.4 billion devices powered by Windows and the global reliance on its services, Microsoft remains at the core of today’s digital ecosystem. The 2025 BeyondTrust Microsoft Vulnerabilities Report revealed a record-breaking 1,360 disclosed vulnerabilities in 2024, an 11% rise over the previous high. This upward trend underscores the expanding attack surface and the urgent need for organizations to proactively adapt to an ever-evolving threat landscape.
Sign up for the SOC Prime Platform to access real-time cyber threat intelligence and curated detection algorithms addressing CVE-2025-53770 exploitation attempts. The Platform also equips SOC teams with a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection.
Cyber defenders seeking more detection content addressing vulnerability exploitation attempts can browse the Threat Detection Marketplace using the “CVE” tag.
All detections can be used across multiple SIEM, EDR, and Data Lake technologies and are aligned with the MITRE ATT&CK framework to facilitate threat investigation. SOC Prime Platform equips security teams with high-quality detection content enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.
Security engineers can also leverage Uncoder AI, a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs into actionable hunting queries, craft detection rules from raw threat reports, predict ATT&CK tags, apply AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-53770 Analysis
Two zero-day flaws in Microsoft SharePoint, tracked as CVE-2025-53770 (a critical unauthenticated RCE) and CVE-2025-53771 (a related spoofing bug rooted in path traversal, used alongside it), have been exploited in the wild since at least July 18. At the time of the first reports no official patch was available, and over 85 servers were confirmed affected worldwide.
CVE-2025-53770, a highly critical security vulnerability with a CVSS of 9.8, is considered a variant of the previously patched CVE-2025-49704, a code injection and RCE flaw addressed by Microsoft in its July 2025 Patch Tuesday release. The exploitation activity dubbed “ToolShell” allows attackers to gain unauthenticated access to vulnerable systems, providing full access to SharePoint content, including file storage and internal configurations, and enabling RCE across the network.
CVE-2025-53770 is a deserialization-of-untrusted-data flaw in on-premises SharePoint instances that allows an unauthenticated attacker to execute code remotely over the network. After gaining access, adversaries steal the server's ASP.NET machine keys and use them to forge validly signed payloads (for example, malicious ViewState), enabling persistence or lateral movement while masquerading as legitimate SharePoint operations.
In the customer guidance, Microsoft has confirmed that adversaries are actively weaponizing vulnerabilities in on-premises SharePoint Server systems, which were only partially mitigated in the July Security Update. Both security issues affect only on-premises deployments, while SharePoint Online in Microsoft 365 remains unaffected.
To fully address the risks linked to these flaws, the vendor has issued security updates for SharePoint Subscription Edition and SharePoint Server 2019 and strongly recommends installing them without delay. Microsoft also stated that a complete fix for the remaining supported version, SharePoint Server 2016, was undergoing thorough testing and would be released in a future update.
Until all updates are available, the vendor strongly advises enabling AMSI integration in SharePoint and running Microsoft Defender Antivirus on every SharePoint server. If AMSI cannot be enabled, vulnerable SharePoint servers should be disconnected from the internet as a precaution. Because the attack steals the server's machine keys, patching alone does not evict an attacker who already holds them: rotate the ASP.NET machine keys and restart IIS after applying the update, and treat any server that shows exploitation indicators as compromised rather than merely vulnerable.
On July 20, CISA issued an alert confirming active exploitation of CVE-2025-53770. As CVE-2025-53770 mitigation measures, CISA urges organizations to review the corresponding Microsoft security updates, watch for suspicious POST requests to /ToolPane.aspx?DisplayMode=Edit, scan for connections from IPs such as 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, update IPS/WAF rules, enable detailed event logging, and reduce layout and admin privileges.
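The CISA indicators above (the POST to ToolPane.aspx?DisplayMode=Edit and the three source IPs) can be turned into a scoring check over IIS W3C logs. The script below is an added example written for this article, not code from SOC Prime, CISA or Microsoft; the field order in FIELDS, the weights, the alert threshold and the sample log lines are all assumptions constructed for the demonstration. One extra signal it uses, a Referer of /_layouts/SignOut.aspx, comes from Microsoft's published ToolShell guidance rather than from this page.

```python
"""Score IIS W3C log lines against the CVE-2025-53770 (ToolShell) indicators.

Added example; adjust FIELDS to match the "#Fields:" header of your own IIS logs.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs

# Attacker IPs from the CISA alert (written defanged with [.] in the article).
CISA_IOC_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Assumed W3C field order for this example (IIS records the real order in "#Fields:").
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]

ALERT_THRESHOLD = 3  # assumed tuning value


@dataclass
class Hit:
    client_ip: str
    score: int
    reasons: List[str] = field(default_factory=list)
    line: str = ""


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C line into a field dict; skip comments, blank and short rows."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def assess(entry: dict) -> Optional[Hit]:
    """Return a Hit when the weighted indicators reach ALERT_THRESHOLD, else None."""
    score, reasons = 0, []
    stem = entry["cs-uri-stem"].lower()
    # IIS logs "-" for an empty query; parse_qs then yields no "displaymode" key.
    query = parse_qs(entry["cs-uri-query"].lower(), keep_blank_values=True)
    referer = entry["cs(Referer)"].lower()

    toolpane_edit = (entry["cs-method"].upper() == "POST"
                     and stem.endswith("/toolpane.aspx")
                     and "edit" in query.get("displaymode", []))
    if toolpane_edit:
        # CISA's stated pattern. On its own it is weak: authenticated admins also
        # POST to ToolPane.aspx?DisplayMode=Edit when editing web parts.
        score += 2
        reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
        if entry["cs-username"] == "-":
            # ToolShell is unauthenticated; a genuine page edit carries a username.
            score += 2
            reasons.append("request is unauthenticated")
        if "/_layouts/signout.aspx" in referer:
            # Referer reported in Microsoft's ToolShell guidance (not on this page).
            score += 2
            reasons.append("Referer is /_layouts/SignOut.aspx")
    if entry["c-ip"] in CISA_IOC_IPS:
        score += 3
        reasons.append(f"source IP {entry['c-ip']} is a CISA-listed IOC")

    if score >= ALERT_THRESHOLD:
        return Hit(entry["c-ip"], score, reasons, " ".join(entry[f] for f in FIELDS))
    return None


def scan(lines) -> List[Hit]:
    """Run assess() over an iterable of raw log lines and collect the hits."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            hit = assess(entry)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample log (not real traffic): a legitimate admin edit, an exploit-shaped
# request, an ordinary browse, and an ordinary request from a listed IOC address.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:02:11 10.0.0.20 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\jdoe 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr/Pages/default.aspx 200
2025-07-19 10:03:47 10.0.0.20 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 10:04:02 10.0.0.20 GET /_layouts/15/start.aspx - 443 CONTOSO\\asmith 10.0.0.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-19 10:05:30 10.0.0.20 GET /sites/hr/default.aspx - 443 - 96.9.125.147 python-requests/2.32 - 401
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"[score {h.score}] {h.client_ip}: {'; '.join(h.reasons)}")
```

The weights are deliberately asymmetric: the ToolPane POST alone stays below the threshold so routine web-part edits by named users do not page anyone, while an unauthenticated ToolPane POST or any traffic from a CISA-listed address does. Feed it `Get-Content` of the IIS log directory (or the SIEM export) rather than the constructed sample when running it for real.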
CISA swiftly collaborated with Microsoft to coordinate a response and alert organizations about essential mitigations. This case underscores the critical role of operational collaboration between researchers, technology providers, and CISA in enabling fast threat identification and a unified defense to safeguard national and homeland security.
Collective cyber defense and coordinated efforts among governments, private sector vendors, and the security research community are essential to countering modern threat actors, enabling faster detection, response, and resilience in the face of attacks of increasing sophistication. SOC Prime Platform for collective cyber defense, backed by AI, automation, real-time threat intel, and built on zero-trust principles, helps global organizations outscale cyber threats that employ critical vulnerabilities and zero-days while building a resilient cybersecurity posture.
Original Post URL: https://socprime.com/blog/latest-threats/detect-cve-2025-53770-exploitation/
Category & Tags: Blog, Latest Threats, CVE, CVE-2025-53770, Microsoft Vulnerability, Zero-Day