
How a Pwn2Own hack turned into a global attack campaign

by Kerem Gülen
July 21, 2025
in Cybersecurity, News

Microsoft has released emergency security updates for two SharePoint zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which have been exploited in “ToolShell” attacks globally.

In May, during the Pwn2Own hacking contest held in Berlin, researchers successfully leveraged a zero-day vulnerability chain, identified as “ToolShell,” to achieve remote code execution within Microsoft SharePoint environments. These initial vulnerabilities were subsequently addressed by Microsoft through their July Patch Tuesday updates. However, threat actors were able to identify two new zero-day vulnerabilities that effectively bypassed the protections implemented in those July patches. These newly discovered flaws have since been utilized to conduct “ToolShell” attacks against SharePoint servers worldwide, impacting more than 54 organizations.

Microsoft has issued emergency out-of-band security updates to mitigate these critical vulnerabilities. These updates specifically target Microsoft SharePoint Subscription Edition and SharePoint 2019, providing fixes for both CVE-2025-53770 and CVE-2025-53771. Microsoft has stated that the update for CVE-2025-53770 offers “more robust protections than the update for CVE-2025-49704,” and similarly, the update for CVE-2025-53771 provides “more robust protections than the update for CVE-2025-49706.” Development of patches for SharePoint 2016 remains ongoing and these updates are not yet available.


SharePoint administrators are advised to install the relevant security updates immediately based on their specific SharePoint version. For Microsoft SharePoint Server 2019, the recommended update is KB5002754. For Microsoft SharePoint Subscription Edition, administrators should install KB5002768. The update for Microsoft SharePoint Enterprise Server 2016 has not been released at this time.

Following the installation of these updates, Microsoft strongly recommends that administrators rotate their SharePoint machine keys. This can be accomplished through two methods. The first method involves manually using PowerShell, specifically by executing the `Update-SPMachineKey` cmdlet. The second method is to manually trigger the Machine Key Rotation timer job via Central Administration. This process involves navigating to the Central Administration site, then to “Monitoring,” and subsequently to “Review job definition.” Administrators should then search for “Machine Key Rotation Job” and select “Run Now.” After the rotation process is complete, IIS must be restarted on all SharePoint servers using `iisreset.exe`.

Administrators are also advised to analyze logs and file systems for any indicators of malicious files or exploitation attempts. Specific indicators include the creation of the file `C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx`. Additionally, administrators should review IIS logs for POST requests directed to `_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with an HTTP referer of `_layouts/SignOut.aspx`. Microsoft has provided a Microsoft 365 Defender query to detect the creation of the `spinstall0.aspx` file:

```
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```

If the `spinstall0.aspx` file is detected, a comprehensive investigation of the compromised server and the broader network is recommended to ascertain whether threat actors have expanded their access to other devices.
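The IIS log review described above can be scripted; the following is an added example, not code from the article or from Microsoft. It assumes IIS W3C extended logs with the standard `cs-method`, `cs-uri-stem`, `cs-uri-query` and `cs(Referer)` fields, treats the two query parameters as matching in any order, and uses a constructed sample log and a hypothetical function name.

```python
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C extended log (documentation IPs, made-up host).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 192.0.2.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:13:02 192.0.2.10 GET /_layouts/15/start.aspx - 443 alice 198.51.100.4 Mozilla/5.0 https://sp.example.test/ 200
2025-07-19 03:14:10 192.0.2.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 198.51.100.5 Mozilla/5.0 https://sp.example.test/sites/hr 200
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 04:01:00 POST /sites/hr/_layouts/15/toolpane.aspx a=/ToolPane.aspx&DisplayMode=Edit 203.0.113.9 https://sp.example.test/_layouts/SignOut.aspx 302
"""

# Indicator from the article, lowercased because IIS paths are case-insensitive.
STEM_SUFFIX = "/_layouts/15/toolpane.aspx"
REFERER_MARK = "_layouts/signout.aspx"
WANTED_QUERY = {"displaymode": "edit", "a": "/toolpane.aspx"}

def find_toolpane_posts(lines):
    """Return log rows (as dicts) that match the ToolPane/SignOut indicator."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # IIS re-emits #Fields when logging restarts; the column set can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        params = parse_qs(row.get("cs-uri-query", "").lower())
        if (row.get("cs-method", "").upper() == "POST"
                and row.get("cs-uri-stem", "").lower().endswith(STEM_SUFFIX)
                and all(v in params.get(k, []) for k, v in WANTED_QUERY.items())
                and REFERER_MARK in row.get("cs(Referer)", "").lower()):
            hits.append(row)
    return hits

if __name__ == "__main__":
    for hit in find_toolpane_posts(SAMPLE_LOG.splitlines()):
        print(hit["date"], hit["time"], hit["c-ip"], hit["sc-status"])
```

The referer is only logged when the `cs(Referer)` field is enabled for the site, so a log without that column produces no matches from this check.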

