
CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Readme
# SharePoint "ToolShell" RCE Exploit (CVE-2025-53770)

## Overview

**CVE-2025-53770** is a critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server 2016, 2019, and Subscription Edition (on-premises only, not SharePoint Online). Attackers can bypass authentication and achieve full server control by exploiting a logic flaw and unsafe deserialization. This exploit chain—publicly known as "ToolShell"—has been observed in active attacks.

## Technical Details

### Affected Versions

- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
- *Not* applicable to SharePoint Online (Microsoft 365)

### Severity

- **CVSS Score**: 9.8 (Critical)

## Exploit Chain: Step-by-Step

### 1. Authentication Bypass

- The attacker sends a specially crafted HTTP POST request to the hidden management page:  
  `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`
- The request contains a **forged Referer header**:  
  ```http
  Referer: /_layouts/SignOut.aspx
  ```
- Due to a logic flaw, SharePoint treats this request as coming from a legitimate, authenticated session, granting access.

### 2. Remote Code Execution via Deserialization

- Using access to the privileged endpoint, the attacker submits a payload exploiting an unsafe deserialization bug, allowing arbitrary code execution.
- Typically, the attacker uploads a malicious ASPX web shell (e.g., `spinstall0.aspx`) to the SharePoint system directory.

### 3. Web Shell Deployment and Key Theft

- The web shell is executed, letting the attacker read sensitive SharePoint configuration files.
- The attacker extracts the server's **machine keys**:  
  - `ValidationKey`
  - `DecryptionKey`
- These cryptographic keys protect user authentication tokens and session state (ViewState).

### 4. Full Server Takeover and Persistence

- With the keys, the attacker can create their own valid, signed payloads that SharePoint will trust and execute.
- This enables persistent RCE and allows bypass of most security controls, even after initial patching—unless the stolen keys are rotated.

## Impact

- **Total compromise** of on-premises SharePoint server:  
  - Arbitrary command execution  
  - File access/modification  
  - Data exfiltration  
  - Lateral movement throughout the internal network  
- **Persistence:** Attackers maintain access using stolen machine keys until those keys are manually changed.

## Example Attack Flow (Diagram)

```mermaid
sequenceDiagram
    participant Attacker
    participant SharePoint Server

    Attacker->>SharePoint Server: POST /ToolPane.aspx (with fake Referer)
    SharePoint Server-->>Attacker: Grants admin access (auth bypass)
    Attacker->>SharePoint Server: Uploads malicious web shell
    Attacker->>SharePoint Server: Executes web shell to read config
    SharePoint Server-->>Attacker: Returns ValidationKey and DecryptionKey
    Attacker->>SharePoint Server: Sends forged, signed payloads (persistent RCE)
```

## Remediation

- **Apply Microsoft patches:**  
  [Official Advisory & Updates (Microsoft MSRC)](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- **Immediate machine key rotation** after compromise
- **Audit server for unauthorized ASPX files** and unusual activity
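A defender-side check for the request pattern from step 1 (POST to `ToolPane.aspx` with a `SignOut.aspx` Referer) and the web shell file name from step 2, run over IIS logs as part of the audit item above. This is an added example, not code from the PoC repository; the log lines are constructed and the field layout is assumed to be the default IIS W3C extended format.

```python
"""Flag IIS W3C log entries matching the ToolShell request pattern."""
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote

# Indicators taken from the exploit chain described above.
SIGNOUT_REFERER_SUFFIX = "signout.aspx"
WEBSHELL_NAMES = {"spinstall0.aspx"}

# Constructed sample log: one normal GET, one ToolShell-style POST, one hit on
# the dropped web shell, and one legitimate authenticated edit-mode POST.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:15:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 10:15:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:15:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2025-07-19 10:16:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.21 Mozilla/5.0 https://intranet/sites/hr/_layouts/15/settings.aspx 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious entry, or None if it looks benign."""
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    query = unquote(entry.get("cs-uri-query", "")).lower()
    referer = unquote(entry.get("cs(Referer)", "")).lower().rstrip("/")
    # Step 1 signature: the version segment (/15/, /16/) is deliberately ignored,
    # and the Referer may be logged with or without scheme and host.
    if (entry.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query
            and referer.endswith(SIGNOUT_REFERER_SUFFIX)):
        return "toolpane-post-with-signout-referer"
    # Step 2 artifact: any request for the known web shell file name.
    if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        return "known-webshell-path"
    return None


def find_toolshell_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (client IP, URI stem, label) for every flagged entry in the log."""
    return [(e["c-ip"], e["cs-uri-stem"], label)
            for e in parse_w3c(text) if (label := classify(e))]
```

A legitimate edit-mode POST from an authenticated user with an in-site Referer (the last sample line) is not flagged, so the check keys on the forged Referer rather than on the page alone.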

## References

- [CISA KEV Catalog - CVE-2025-53770](https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-four-known-exploited-vulnerabilities-catalog)
- [Microsoft MSRC Advisory](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- [Technical Write-up: "ToolShell" exploit](#) 

*This document is for research and defensive purposes only. Do not attempt exploitation on systems you do not own or have explicit authorization to test.*