Medium

SharePoint ToolShell authentication bypass / spoofing vulnerability

IdentifiersCVE-2025-53771CWE-22

CVE-2025-53771 is a Microsoft Office SharePoint vulnerability associated with the ToolShell exploit chain and described by Microsoft as an improper authentication / spoofing issue. The provided content also repeatedly characterizes it as a path traversal variant and as a security bypass for the earlier CVE-2025-49706 fix. Technical reporting in the content states the vulnerable logic is in Microsoft.SharePoint.dll, specifically SPRequestModule.PostAuthenticateRequestHandler(), where authentication could be skipped for requests influenced by SignOut.aspx referrer handling. Microsoft’s earlier July 2025 fix for CVE-2025-49706 added ToolPane.aspx-specific checks, but researchers reported that this could be bypassed, including by modifying the request path (for example, appending a trailing slash). Microsoft subsequently issued CVE-2025-53771 as a more comprehensive fix, replacing the narrow ToolPane.aspx check with an allowlist of permitted paths for requests using the sign-out page as referrer. In practice, CVE-2025-53771 was used as the authentication/spoofing bypass component of ToolShell and could be chained with CVE-2025-53770 to enable unauthenticated exploitation of on-premises SharePoint servers.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

By itself, successful exploitation allows an attacker to bypass intended authentication checks and spoof request context over the network against vulnerable on-premises SharePoint servers. In the observed ToolShell chain, this bypass removes the authentication requirement needed to reach the vulnerable code path used by CVE-2025-53770, enabling unauthenticated remote compromise. Reporting in the provided content ties the chain to full server takeover, web shell deployment, theft of SharePoint ASP.NET MachineKeys, bypass of MFA/SSO through key theft and forged ViewState scenarios, credential theft, lateral movement, persistence, data theft, and in some cases ransomware deployment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, Microsoft’s guidance in the provided content recommends enabling and correctly configuring AMSI in SharePoint, preferably with Full Mode HTTP request body scanning, and deploying Microsoft Defender Antivirus / Defender for Endpoint or equivalent protections on all SharePoint servers. If AMSI cannot be enabled, disconnect internet-facing SharePoint servers from the Internet until patched, or restrict unauthenticated access through a VPN, reverse proxy requiring authentication, or an authentication gateway. Monitor for exploitation artifacts such as suspicious POST requests to /_layouts/15/ToolPane.aspx, creation of web shells like spinstall0.aspx in SharePoint LAYOUTS directories, suspicious w3wp.exe child processes, and signs of MachineKey theft. Rotate SharePoint ASP.NET machine keys and restart IIS as a containment step if compromise is suspected.

Remediation

Patch, then assume compromise.

Apply Microsoft’s comprehensive July 2025 SharePoint security updates that specifically address CVE-2025-53771 on supported on-premises versions: SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. The content indicates CVE-2025-53771 was released to fix bypasses of the earlier CVE-2025-49706 patch, so organizations should not rely solely on the original July 8, 2025 update. After patching, rotate SharePoint ASP.NET machine keys and restart IIS, because post-exploitation activity commonly involved theft of MachineKey material. Ensure the environment is fully updated with cumulative SharePoint security updates rather than partial or superseded fixes.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationSharepoint Serverapplication

Microsoft CorporationSharepoint Server 2016application

Microsoft CorporationSharepoint Server 2019application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

171 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

171 SOURCESView more in app

help net securityNews

Mar 24, 2026

Attackers are handing off access in 22 seconds, Mandiant finds - Help Net Security

A Microsoft SharePoint Server vulnerability used in combination with CVE-2025-53770 in the ToolShell exploit chain and exploited in the wild.

cyberscoopNews

Feb 25, 2026

Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks | CyberScoop

A Microsoft SharePoint zero-day vulnerability (not further described in the content) reported as one of the most routinely targeted and exploited-in-the-wild vulnerabilities of 2025.

dark readingNews

Jan 27, 2026

Microsoft Rushes Emergency Patch for Office Zero-Day

A SharePoint vulnerability referenced as being chained with CVE-2025-53770 in attacks targeting US government agencies and others.

polyswarmNews

Jan 5, 2026

PolySwarm’s 2025 Year in Review

A zero-day vulnerability in Microsoft SharePoint servers exploited by Chinese APT Linen Typhoon for initial access and espionage.

+44 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence28

Every observed campaign linking this CVE to a named adversary.

Associated malware22

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity122

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-53771

NVD

nvd.nist.gov/vuln/detail/CVE-2025-53771

MITRE CWE · CWE-22

cwe.mitre.org

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771

Press/Media Coverage

bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available