Microsoft has disclosed two actively exploited zero-day vulnerabilities in on-premises SharePoint Server: CVE-2025-53770 (remote code execution via unsafe deserialization) and CVE-2025-53771 (authentication bypass via a spoofed Referer header). Chained together they form the exploit known as ToolShell, which gives an unauthenticated attacker remote code execution by first spoofing a legitimate request and then feeding SharePoint a malicious serialized payload. The July 2025 Patch Tuesday release had already fixed the original pair of bugs (CVE-2025-49704 and CVE-2025-49706), but threat actors found bypasses for those fixes and began exploiting them in the wild as early as July 18, prompting Microsoft to issue emergency out-of-band patches.
The exploit chain begins with a spoofed POST request to the SharePoint ToolPane endpoint, which bypasses authentication. The attacker then submits a serialized payload that SharePoint deserializes without validation, resulting in the deployment of an ASPX web shell (spinstall0.aspx). The shell is used to extract the server's ASP.NET machineKeys (the ValidationKey and DecryptionKey), which let the attacker sign their own malicious ViewState payloads and execute arbitrary code on any later request. Tools such as ysoserial were used to generate these payloads. Because the stolen keys remain valid on a patched server, applying the update alone does not evict an attacker who already has them; Microsoft's guidance was to rotate the machine keys and restart IIS after patching. The attack was first demonstrated by researchers in May 2025 and weaponized in the wild following the patch bypasses in mid-July. Only self-managed, on-premises SharePoint Server instances are affected; SharePoint Online in Microsoft 365 is not.
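The two request patterns described above (the unauthenticated POST to ToolPane carrying a spoofed Referer, and the follow-up access to the dropped web shell) are both visible in ordinary IIS access logs. The following detector is an added example, not code from the original article or from Microsoft: it parses W3C extended log lines using the `#Fields:` directive that IIS writes, then flags the two indicators. The concrete indicator values (the `/_layouts/15/ToolPane.aspx` path and the `/_layouts/SignOut.aspx` Referer) are taken from public reporting of the campaign rather than from the page and should be treated as assumptions to verify against your own telemetry; the log lines are constructed for the example.

```python
"""Added example: flag ToolShell-style requests in IIS W3C extended logs.

Indicators used here (assumed from public reporting, not stated on the page):
  - POST to /_layouts/<n>/ToolPane.aspx with Referer /_layouts/SignOut.aspx
  - any request for spinstall0.aspx, the web shell the chain drops
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample log in the W3C extended format IIS writes. Field order is
# declared by the #Fields: directive and values never contain spaces ('-' means
# empty), so a whitespace split per line is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 12:01:05 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 https://sp.corp.local/ 200 0 0 31
2025-07-18 12:02:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 412
2025-07-18 12:02:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2025-07-18 12:03:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.22 Mozilla/5.0 https://sp.corp.local/sites/hr 200 0 0 40
"""

TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(\d+/)?signout\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    when: str
    client: str
    reason: str
    uri: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per entry, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order can change mid-file
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry appears before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(entry: dict) -> Optional[str]:
    """Return an indicator name for a suspicious entry, or None."""
    method = entry.get("cs-method", "")
    stem = entry.get("cs-uri-stem", "")
    referer = entry.get("cs(Referer)", "-")
    user = entry.get("cs-username", "-")
    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    if method.upper() == "POST" and TOOLPANE_RE.search(stem):
        # The bypass is a POST to ToolPane with the SignOut page as Referer;
        # it arrives unauthenticated, so cs-username is '-'.
        if SIGNOUT_RE.search(referer):
            return "toolpane-auth-bypass"
        if user == "-":
            return "toolpane-unauth-post"  # weaker signal, still worth triage
    return None


def scan(text: str) -> list:
    """Run classify() over every entry and collect the hits in log order."""
    findings = []
    for e in parse_w3c(text):
        reason = classify(e)
        if reason:
            findings.append(Finding(f"{e['date']} {e['time']}", e["c-ip"], reason, e["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.when} {f.client:15} {f.reason:22} {f.uri}")
```

Run against a real `u_ex*.log` by passing the file contents to `scan()`. The parser keys every value by the `#Fields:` names, so it works whatever column order the server is configured with. A hit on `webshell-access` or `toolpane-auth-bypass` from the same client within seconds is the chain in motion; at that point assume the machineKeys are gone and rotate them as part of the response, since patching alone leaves the signed ViewState path open.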