A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, is under active exploitation in the wild. The vulnerability, with a CVSS score of 9.8, impacts on-premises SharePoint Server 2016, 2019, and Subscription Edition, and allows unauthenticated remote code execution (RCE). Microsoft issued patches as part of its July 2025 Patch Tuesday update, but attackers had already begun exploiting the flaw before a fix was available.
CVE-2025-53770 has been observed in the wild as part of a broader exploit chain, often combined with spoofing or privilege escalation vulnerabilities to deploy web shells, harvest credentials, and maintain persistent access to compromised environments. Attackers—including Linen Typhoon and Violet Typhoon, linked to China—are actively targeting vulnerable organizations, including a US nuclear weapons agency.
Understanding the Vulnerability
CVE-2025-53770 is a deserialization vulnerability in SharePoint that allows attackers to send crafted HTTP POST requests, often to legacy pages such as ToolPane.aspx, to trigger arbitrary code execution on the server. In many cases, attackers pair this flaw with older vulnerabilities such as CVE-2025-49704 and CVE-2025-49706 to bypass authentication and elevate privileges, in an exploit chain named ToolShell.
Once access is gained, attackers often deploy web shells or steal the SharePoint machine key, allowing them to forge authentication tokens and maintain access even after initial entry points are patched.
Due to the high value of SharePoint environments and their frequent exposure to the internet, this vulnerability poses a significant risk to enterprises that have not yet applied the necessary updates.
What We’ve Seen in Our Data
Imperva Threat Research is actively tracking exploitation attempts related to CVE-2025-53770 across our global network. While we continue to monitor the situation, early data shows that attackers are scanning and targeting SharePoint instances at increasing rates.
In just one day, we observed over 60,000 attacks targeting thousands of sites, primarily in the gaming, business, and financial industries.
In total, sites in 34 countries were targeted, although over 50% of attacks targeted US sites.
These numbers are likely to grow. As proof-of-concept exploits become more widely available, threat actors will seek to compromise unpatched systems.
In one example, the payload abuses System.DelegateSerializationHolder to hijack execution via a forged delegate. This delegate invokes System.Diagnostics.Process.Start() with a PowerShell command using -EncodedCommand. The PowerShell command runs ipconfig, base64-encodes the output, and sends it to a remote attacker-controlled server (hxxp://146.70.41.178:8000). The entire operation enables remote code execution and data exfiltration simply by deserializing the object, with no user interaction needed.
Imperva Customers Are Protected
Imperva customers are protected against exploitation attempts targeting CVE-2025-53770 and related attack chains.
Our Web Application Firewall (WAF) includes dedicated rules that detect and block malicious deserialization payloads and web shell behavior commonly associated with this vulnerability. Organizations using Imperva’s application security solutions can remain confident that Imperva protects them against known exploit attempts targeting Microsoft SharePoint.
Recommendations
Organizations running on-premises SharePoint servers should take immediate action:
- Apply Microsoft’s July 2025 patches for SharePoint Server 2016, 2019, and Subscription Edition.
- Review access logs for unusual activity targeting legacy pages such as ToolPane.aspx.
- Rotate machine keys and invalidate sessions if you suspect a compromise.
- Ensure WAF protections are up to date and actively monitoring SharePoint endpoints.
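As an added illustration of the log review in the second recommendation (example code, not Imperva's detection logic), the script below parses IIS W3C access logs and flags POST requests to ToolPane.aspx, the request shape the exploit chain uses. It assumes the default IIS W3C format with a `#Fields:` header; the log lines are constructed for this example.

```python
"""Flag POST requests to SharePoint's legacy ToolPane.aspx in IIS W3C logs.

Added example, not part of the original post. It assumes the default IIS
W3C extended log format with a '#Fields:' header line; the sample log
excerpt below is constructed for illustration.
"""
from collections import Counter

# Constructed sample log excerpt (IIS W3C extended format).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:14:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-19 02:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/toolpane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.31 200
2025-07-19 02:15:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 DOMAIN\\bob 10.0.1.21 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_toolpane_posts(text):
    """Return records that are POSTs to ToolPane.aspx (any path case).

    GETs from signed-in users are normal editing traffic; unauthenticated
    POSTs ('-' in cs-username) from one client are what to look at first."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower().endswith("/toolpane.aspx"):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count flagged POSTs per client IP and how many were unauthenticated."""
    per_ip = Counter(h["c-ip"] for h in hits)
    unauth = sum(1 for h in hits if h["cs-username"] == "-")
    return per_ip, unauth

if __name__ == "__main__":
    hits = find_toolpane_posts(SAMPLE_LOG)
    per_ip, unauth = summarize(hits)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} POST(s) to ToolPane.aspx")
    print(f"{unauth} of {len(hits)} flagged requests were unauthenticated")
```

Point it at a real log directory and treat repeated unauthenticated POSTs from a single source as the trigger for the machine-key rotation step that follows.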
As exploitation continues, it is critical for defenders to act quickly and proactively harden systems. Imperva will continue to monitor this vulnerability and update protections as new attack methods emerge.
The post Imperva Customers Protected Against Critical “ToolShell” Zero‑Day in Microsoft SharePoint appeared first on Blog.