Blog Authors:
Austin Larsen, Principal Threat Analyst, Google Threat Intelligence Group
Timothy Peacock, Sr Product Manager, Google Cloud Security
UPDATED 25 July 2025 16:00
If you are a Mandiant Security Validation customer, you can demonstrate the behavior of CVE-2025-53770 by leveraging content pack VHR20250724.
UPDATED 23 July 2025 21:30
If you are a SecOps Standard customer, or a Legacy Chronicle SIEM customer, you can leverage the same rules by downloading them from our community GitHub repository.
23 July 2025 10:34
Google's Threat Intelligence Group (GTIG) is tracking widespread, active exploitation of a set of related vulnerabilities in on-premises Microsoft SharePoint servers. The vulnerabilities include CVE-2025-53770 and CVE-2025-53771, which are variants or bypasses of previously disclosed flaws (CVE-2025-49704, CVE-2025-49706). GTIG is aware of multiple threat actors exploiting these vulnerabilities in the wild. Mandiant Consulting is actively engaged with organizations helping them investigate and respond to related compromises.
The attack leverages a chain of vulnerabilities, including path traversal and deserialization flaws, to achieve unauthenticated remote code execution. The typical exploit chain involves sending a crafted POST request to a SharePoint endpoint (ToolPane.aspx) to bypass security controls and write a malicious webshell to disk. This webshell is then used to exfiltrate critical cryptographic material from the server, including the ASP.NET MachineKey. Possession of the ValidationKey and DecryptionKey components of the MachineKey allows an attacker to manually generate and sign valid __VIEWSTATE data, enabling them to execute arbitrary code and maintain persistent access that bypasses standard authentication.
This access method will survive future patching if the keys are not explicitly rotated.
Given the severity of this threat, we are providing the following guidance to all organizations running on-prem SharePoint. Read Microsoft’s blog post for additional information.
For Google Security Operations Enterprise and Enterprise+ customers, relevant product threat detections and content updates are available to help expedite identifying and addressing the threats outlined below. These detections have been automatically delivered to Google Security Operations tenants as part of the Mandiant Frontline Threats curated detections ruleset. Mandiant Security Validation customers also have access to an updated content pack with relevant actions.
Recommendations for SharePoint Administrators
It's critical that organizations take immediate action to secure their servers.
- Patch Immediately: On July 22, 2025, Microsoft released comprehensive security updates for all supported versions of SharePoint Server (2016, 2019, and Subscription Edition). Applying these patches should be your first priority.
- Hunt for Compromise: Actively search for signs of exploitation. This includes looking for unexpected .aspx or .js files (like spinstall0.aspx or debug_dev.js) in SharePoint web directories and reviewing IIS server logs for suspicious POST requests to ToolPane.aspx followed by requests to a newly created file.
- Remediate and Rotate Keys: If you find any evidence of compromise, patching alone is not enough. You must isolate the server and, most importantly, rotate the SharePoint MachineKey. Stolen keys allow attackers to maintain access even to a patched server, so this step is essential to fully evict an attacker.
- Consider Proactive Rotation: Out of an abundance of caution, we recommend that organizations with internet-exposed SharePoint servers consider rotating their MachineKey even if no clear signs of compromise are found.
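An added example (not code from this advisory or from Google) of the "Hunt for Compromise" step above, expressed as a check over IIS W3C log lines: it flags a POST to ToolPane.aspx that is followed, from the same client, by a request to a .aspx or .js file that is either one of the names listed above or one no client had requested before that POST (a proxy for "newly created file"). The log excerpt, its field layout and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not real traffic). Field layout is a
# reduced version of the IIS default; adjust to match your servers.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 10:00:01 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-19 10:02:10 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 200
2025-07-19 10:02:14 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-19 10:05:00 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-19 10:06:00 POST /_layouts/15/ToolPane.aspx - 10.0.0.9 200
2025-07-19 10:06:30 GET /_layouts/15/start.aspx - 10.0.0.9 200
"""

# File names called out in the advisory as indicators of a dropped webshell.
KNOWN_WEBSHELL_NAMES = {"spinstall0.aspx", "debug_dev.js"}
WINDOW = timedelta(minutes=10)  # assumed follow-up window after the POST


def parse_iis_log(text):
    """Parse W3C-format lines into dicts keyed by the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_toolpane_followups(rows, window=WINDOW):
    """Return (c-ip, toolpane_post_time, followup_uri) for each suspicious pair."""
    hits, seen_before, toolpane_posts = [], set(), {}
    for r in rows:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        uri = r["cs-uri-stem"].lower()
        name = uri.rsplit("/", 1)[-1]
        ip = r["c-ip"]
        if r["cs-method"] == "POST" and name == "toolpane.aspx":
            toolpane_posts[ip] = ts  # remember most recent ToolPane POST per client
        elif (ip in toolpane_posts and ts - toolpane_posts[ip] <= window
              and name.endswith((".aspx", ".js"))
              and (name in KNOWN_WEBSHELL_NAMES or uri not in seen_before)):
            hits.append((ip, toolpane_posts[ip].isoformat(), r["cs-uri-stem"]))
        seen_before.add(uri)  # everything requested so far counts as "known"
    return hits


if __name__ == "__main__":
    for hit in find_toolpane_followups(parse_iis_log(SAMPLE_LOG)):
        print("suspicious ToolPane.aspx follow-up:", hit)
```

The client that POSTs to ToolPane.aspx and then fetches the already-known start.aspx is not flagged; only the client that goes on to request spinstall0.aspx is.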
Google Cloud Security Protections for Active Exploitation of SharePoint Vulnerabilities
Google Security Operations Enterprise and Enterprise+ customers can leverage the following product threat detections and content updates to help identify and remediate threats. All detections have been automatically delivered to Google Security Operations tenants within the Mandiant Frontline Threats curated detections ruleset. We will continue to monitor the threat as it evolves; as of 22:00 on 22 July 2025 (UTC), the following detections are deployed in the Frontline Threats rulepack:
- SharePoint CVE-2025-49706 Exploitation
- Attempted SharePoint Webshell Creation CVE-2025-53770
- Successful SharePoint Webshell Creation CVE-2025-53770
- Suspicious Filewrites To SharePoint Layouts
- W3WP Launching Encoded Powershell
- Potential SharPyShell Webshell Execution
To leverage these updated rules, access Content Hub and search for any of the strings above, then View and Manage each rule you wish to implement or modify. Mandiant Threat Defense customers have these rules automatically enabled by default. If you are a SecOps Standard customer, or a Legacy Chronicle SIEM customer, you can leverage the same rules by downloading them from our community GitHub repository.
Google Threat Intelligence customers have access to detailed vulnerability, campaign, and other comprehensive reporting available via their subscriptions to the service. Relevant links include:
- Overall summary reporting on exploited SharePoint vulnerabilities
- Campaign details including affected industries, regions, and associated actors
- Vulnerability details for CVE-2025-53770
Mandiant Security Validation customers have access to a new action to demonstrate CVE-2025-53770 as of July 24, 2025. This action was delivered in content pack VHR20250724 and details about this release can be found here.
If you believe your systems may be compromised or you have related matters to discuss, contact Mandiant for incident response assistance via the following methods:
- Web Form
- US: +1 (844) 613-7588
- International: +1 (703) 996-3012
- Email: investigations@mandiant.com