What Happened
- On July 19, 2025, Microsoft publicly disclosed CVE‑2025‑53770, a critical zero‑day remote code execution (RCE) vulnerability in on‑premises SharePoint Server (2016, 2019 and Subscription Edition; the unsupported 2010/2013 versions are also affected but receive no patch), rated CVSS 9.8/10. SharePoint Online (Microsoft 365) is not affected.
- The flaw is deserialization of untrusted data: an unauthenticated attacker sends a crafted serialized payload and the server executes arbitrary code. The exploit is part of an attack chain dubbed "ToolShell", which also lets attackers read the server's ASP.NET machine keys (ValidationKey, DecryptionKey). With those keys an attacker can mint payloads the server will trust, so access persists even after the RCE itself is patched.
How Cloudflare Responded
- Cloudflare released two emergency WAF Managed Rules by July 21, 2025: one targeting CVE‑2025‑53770 and another for CVE‑2025‑53771, the companion authentication bypass.
- These rules block exploit attempts for Cloudflare WAF customers automatically, providing virtual patching while organizations install the Microsoft updates. Virtual patching reduces exposure on the edge only; it does not clean up a server that was already compromised.
- Traffic logs showed a spike of roughly 300,000 blocked attempts in a few hours around 11 AM UTC on July 22, underscoring how widely the exploit was being used in live attacks.
What SharePoint Administrators Should Do
- Apply Microsoft's emergency security updates immediately:
  - KB5002768 for Subscription Edition
  - KB5002754 for SharePoint 2019
  - KB5002760 for SharePoint 2016 (released slightly later than the other two)
- Enable Antimalware Scan Interface (AMSI) integration and deploy Microsoft Defender Antivirus on all on‑prem SharePoint servers. AMSI integration is on by default in builds that include the September 2023 or later security updates, but verify it rather than assume it. If you cannot do this, disconnect the servers from the public internet until they are protected.
- Rotate the ASP.NET machine keys (ValidationKey, DecryptionKey) after the update is installed, using Central Administration or the Update-SPMachineKey PowerShell cmdlet, then restart IIS (iisreset). Rotate again if you rotated before patching, because keys stolen before the patch stay valid until the post‑patch rotation replaces them. Without this step a patched server remains open to an attacker who already holds the keys.
- Scan for Indicators of Compromise (IoCs): POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, spoofed Referer headers pointing to /_layouts/SignOut.aspx, rogue .aspx web shells such as spinstall*.aspx in the SharePoint LAYOUTS directory, and suspicious .dll payloads.
- Update WAF/IPS signatures and logging rules to detect exploit patterns, and conduct threat hunting using published IoC sets.
- Consider disconnecting legacy or unsupported SharePoint instances (2010/2013) from the internet entirely, since no patch will be issued for them.
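As an added hunting example (not from the original post, and not Microsoft or Cloudflare tooling), the script below parses IIS W3C log lines and flags the ToolShell indicators listed above: a POST to ToolPane.aspx with DisplayMode=Edit, a Referer pointing at /_layouts/SignOut.aspx, and requests for spinstall*.aspx web shells. It then groups hits by source IP so the chain is visible per attacker. The log lines are constructed samples in the default IIS W3C field order; the label names and the triage thresholds are this example's own choices.

```python
import fnmatch
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt for demonstration; these are not real log lines.
# IIS writes a "#Fields:" header naming the columns, and the parser below relies on it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:03 10.0.0.5 GET /_layouts/15/start.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-19 02:11:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) http://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 02:11:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-19 02:12:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) http://sp.example.test/_layouts/15/settings.aspx 200
2025-07-19 02:13:00 10.0.0.5 GET /_layouts/15/settings.aspx - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200
"""

# File-name patterns of the web shells reported for ToolShell.
WEBSHELL_GLOBS = ("spinstall*.aspx",)


def parse_iis_log(text):
    """Turn W3C log text into a list of dicts keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Return the IoC labels a single request matches (empty list if none)."""
    hits = []
    stem = row.get("cs-uri-stem", "")
    stem_l = stem.lower()
    query = row.get("cs-uri-query", "")
    referer = row.get("cs(Referer)", "").lower()

    if row.get("cs-method") == "POST" and "/_layouts/" in stem_l and stem_l.endswith("/toolpane.aspx"):
        params = {k.lower(): v for k, v in parse_qs("" if query == "-" else query).items()}
        if any(v.lower() == "edit" for v in params.get("displaymode", [])):
            hits.append("toolpane-edit-post")
            # The exploit spoofs the Referer to SignOut.aspx to satisfy a server-side check.
            if "/_layouts/signout.aspx" in referer:
                hits.append("signout-referer")

    if suspicious_filenames([stem.rsplit("/", 1)[-1]]):
        hits.append("webshell-path")
    return hits


def suspicious_filenames(names):
    """Return the names (e.g. from a LAYOUTS directory listing) that match a web shell pattern."""
    return [n for n in names if any(fnmatch.fnmatchcase(n.lower(), g) for g in WEBSHELL_GLOBS)]


def hunt(text):
    """Map each client IP to the list of (time, uri, labels) events that matched an IoC."""
    findings = {}
    for row in parse_iis_log(text):
        hits = classify(row)
        if hits:
            findings.setdefault(row["c-ip"], []).append((row["time"], row["cs-uri-stem"], hits))
    return findings


def triage(findings):
    """Rate each source: the spoofed Referer, or a ToolPane POST followed by a web shell
    request, is treated as exploitation; a lone ToolPane POST only needs review."""
    levels = {}
    for ip, events in findings.items():
        labels = {label for _, _, hits in events for label in hits}
        if "signout-referer" in labels or {"toolpane-edit-post", "webshell-path"} <= labels:
            levels[ip] = "likely-exploited"
        elif "webshell-path" in labels:
            levels[ip] = "webshell-probe"
        else:
            levels[ip] = "review"
    return levels


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ip, level in triage(found).items():
        print(ip, level)
        for when, uri, hits in found[ip]:
            print("   ", when, uri, ",".join(hits))
```

Legitimate web part editing also POSTs to ToolPane.aspx with DisplayMode=Edit, so that request alone is only a lead; the SignOut.aspx Referer and a subsequent fetch of a spinstall*.aspx file are what separate exploitation from normal administration. Run it over the real files under the IIS log directory of every SharePoint front end, and treat any likely‑exploited source as a compromise that needs key rotation and forensic follow‑up, not just the patch.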
Why This Matters
- Active exploitation of ToolShell began as early as July 17–18, 2025, before the public disclosure, targeting organizations across high‑tech, finance, education, healthcare and government sectors globally.
- CISA added CVE‑2025‑53770 to its Known Exploited Vulnerabilities (KEV) catalog, which puts U.S. federal civilian agencies on a short, mandatory remediation deadline.
- News reports indicate over 400 organizations, including U.S. government agencies such as the National Nuclear Security Administration, have been affected.
- Because the attack steals the ASP.NET machine keys, a compromise can grant long‑lasting control: the attacker can keep forging trusted requests, impersonate users, and move laterally even after the patch is installed. Patching closes the entry point; only key rotation and a compromise assessment close the persistence.