Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in “ToolShell” attacks.
In May, during the Berlin Pwn2Own hacking contest, researchers exploited a zero-day vulnerability chain called “ToolShell,” which enabled them to achieve remote code execution in Microsoft SharePoint.
These flaws were fixed as part of the July Patch Tuesday updates; however, threat actors discovered two new zero-day vulnerabilities that bypass Microsoft's patches for the original flaws.
Using these flaws, the threat actors have been conducting ToolShell attacks on SharePoint servers worldwide, impacting over 54 organizations so far.
Emergency updates released
Microsoft has now rushed out emergency out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 that fix both the CVE-2025-53770 and CVE-2025-53771 flaws.
Microsoft is still working on the SharePoint 2016 patches, which are not yet available.
“Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706,” reads a note in Microsoft advisories.
Microsoft SharePoint admins should install the following security updates immediately, depending on the version:
- The KB5002754 update for Microsoft SharePoint Server 2019.
- The KB5002768 update for Microsoft SharePoint Subscription Edition.
- The update for Microsoft SharePoint Enterprise Server 2016 has not been released yet.
After installing the updates, Microsoft urges admins to rotate the SharePoint machine keys, which can be done using one of the two methods below:
Manually via PowerShell
To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.
Manually via Central Admin
Trigger the Machine Key Rotation timer job by performing the following steps:
- Navigate to the Central Administration site.
- Go to Monitoring -> Review job definition.
- Search for Machine Key Rotation Job and select Run Now.
- After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
It is also advised to analyze your logs and file system for the presence of malicious files or attempts at exploitation.
This includes:
- Creation of the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx.
- IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referer of _layouts/SignOut.aspx.
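The IIS log indicator above can be checked with a short script. The following is an added example, not code from Microsoft or the article: it parses IIS W3C-format log text using the #Fields header and flags the POST-to-ToolPane.aspx pattern with a SignOut.aspx referer. The log lines and hostname are constructed.

```python
"""Scan IIS W3C-format log text for the ToolShell request pattern described above.

Added illustration; the log lines below are constructed, not captured from a real server.
"""

# Constructed sample log. Field names follow the IIS W3C extended log format,
# where spaces inside values (e.g. the user agent) are written as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 Mozilla/5.0 - 200
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.9 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:00:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.77 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header can repeat when IIS rolls the log
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def is_toolshell_request(rec):
    """Match the article's indicator: POST to ToolPane.aspx with the
    DisplayMode=Edit&a=/ToolPane.aspx query and a SignOut.aspx referer."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith("/_layouts/15/toolpane.aspx"):
        return False
    query = rec.get("cs-uri-query", "").lower()
    if "displaymode=edit" not in query or "a=/toolpane.aspx" not in query:
        return False
    return "/_layouts/signout.aspx" in rec.get("cs(Referer)", "").lower()

def find_toolshell_requests(text):
    """Return (timestamp, client IP, referer) for every matching request in the log text."""
    return [(r["date"] + " " + r["time"], r["c-ip"], r["cs(Referer)"])
            for r in parse_iis_log(text) if is_toolshell_request(r)]

if __name__ == "__main__":
    for hit in find_toolshell_requests(SAMPLE_LOG):
        print("possible ToolShell exploitation attempt:", hit)
```

Any hit should be treated as a reason to check the LAYOUTS folder for spinstall0.aspx and to start a full investigation of that server.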
Microsoft has shared the following Microsoft 365 Defender query to check if the spinstall0.aspx file was created on your server.
```kusto
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
    or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```
If the file exists, then a full investigation should be conducted on the breached server and your network to ensure the threat actors did not spread to other devices.