How to detect and respond to the SharePoint ToolShell RCE (CVE-2025-53770)
Axonius

Last update: 3:00 PM CT, July 23, 2025
TL;DR: This post provides steps to identify and address on-premises SharePoint Servers affected by CVE-2025-53770.
Summary
On July 19, 2025, Microsoft released information about a critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Servers on-premises (CVE-2025-53770). This vulnerability allows an unauthenticated attacker to execute code remotely due to the deserialization of untrusted data.
Microsoft has confirmed that this vulnerability is being actively exploited in the wild. The exploit has been publicly referred to as "ToolShell" and grants attackers full access to the SharePoint server's content and the ability to execute code over the network. This vulnerability has a CVSS 3.1 base score of 9.8 (Critical).
Impacted systems
For updates, visit the Microsoft Customer Guidance
Vulnerable products
According to Microsoft, the following on-premises SharePoint Servers are affected:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Note: Microsoft has not provided confirmation or tracking regarding whether unsupported SharePoint versions (such as SharePoint 2013 or earlier) are also impacted by CVE-2025-53770.
NOT impacted
According to Microsoft, "SharePoint Online in Microsoft 365 is not impacted."
How to identify affected systems with Axonius
Before you begin, it's highly recommended to run a full discovery to ensure you're working with the most current data from your environment.
1. Identify vulnerable SharePoint Servers (versions 2016, 2019, or Subscription Edition) already detected by your vulnerability scanners
This vulnerability query identifies servers that your vulnerability scanners have already flagged with CVE-2025-53770:
{"vulnerabilities":"(\"specific_data.data.cve_id\" == \"CVE-2025-53770\")","devices":""}
2. Identify vulnerable SharePoint Servers (versions 2016, 2019, or Subscription Edition) not yet detected by your vulnerability scanners
To reduce mean time to detection (MTTD) and cover hosts that your vulnerability scanners have not yet reached, use this software asset query to list all on-premises SharePoint servers running a version family Microsoft has confirmed as vulnerable (16.0.x, i.e. 2016, 2019, or Subscription Edition). This query also returns servers that have already been updated; step 3 separates those out:
{"software":"(\"contains.[specific_data.data.installed_software.name]\" in [\"Microsoft SharePoint Server\",\"SharePoint Server\"]) and (\"specific_data.data.installed_software.version\" == regex(\"^16\", \"i\"))","devices":""}
3. Identify SharePoint Servers already updated
This software asset query identifies SharePoint Servers already updated to address CVE-2025-53770. It matches the exact build numbers listed below, so servers that later receive a newer cumulative update will stop matching and should be re-checked against the current Microsoft guidance:
{"software":"(\"contains.[specific_data.data.installed_software.name]\" in [\"Microsoft SharePoint Server\",\"SharePoint Server\"]) and (\"specific_data.data.installed_software.version\" in [\"16.0.10417.20027\",\"16.0.5508.1000\"])","devices":""}
Important note: Besides patching SharePoint, Microsoft also asks customers to rotate their SharePoint Server ASP.NET machine keys and restart IIS after applying the update (instructions in the Microsoft customer guidance, section "How to protect your environment").
4. Identify SharePoint Servers that are out of date and out of support (and that may be at risk)
This software asset query identifies on-premises SharePoint servers running earlier versions (2007, 2010, and 2013). As of July 21, Microsoft has not confirmed these versions as vulnerable, but urges customers to update their deployments to a supported version:
{"software":"(\"contains.[specific_data.data.installed_software.name]\" in [\"Microsoft SharePoint Server\",\"SharePoint Server\"]) and not (\"specific_data.data.installed_software.version\" == regex(\"^16\", \"i\"))","devices":""}
The SharePoint product is determined by the leading component of the version number as follows (source: endoflife.date):
SharePoint Version | Version Number |
SharePoint 2007 (MOSS 2007) | 12.0.xxxx.xxxx |
SharePoint 2010 | 14.0.xxxx.xxxx |
SharePoint 2013 | 15.0.xxxx.xxxx |
SharePoint 2016/2019/SE | 16.0.xxxx.xxxx |
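The queries in steps 2 to 4 return a list of hosts and version strings; the triage that follows (which product, out of support, still vulnerable, or already at the patched build) is usually done by hand. The script below is an added example, not code from the Axonius post, that does that triage over a constructed CSV export. It uses the patched builds from step 3 (16.0.5508.1000 and 16.0.10417.20027) and the major-version table above; the split of 16.0 builds into 2016 (build below 10000), 2019 (10000 to 13999) and Subscription Edition (14000 and up) is this example's assumption, since the post only says the three products share the 16.0 prefix. Because the post lists no Subscription Edition build, SE hosts are reported for manual verification against KB5002768. Unlike the exact-match query in step 3, the script treats any build at or above the listed one as patched.

```powershell
# Added example (not from the Axonius post): classify SharePoint build numbers
# from an inventory export into out-of-support / vulnerable / patched buckets.
# Patched builds come from the post's step 3 query. The 16.0 build-range split
# used to tell 2016, 2019 and Subscription Edition apart is an assumption of
# this example. No Subscription Edition build is listed in the post, so SE
# hosts are flagged for manual verification.

# Constructed sample inventory, shaped like a CSV export of the step 2/4 queries.
$inventoryCsv = @"
hostname,version
sp16-app01,16.0.5500.1000
sp16-app02,16.0.5508.1000
sp19-web01,16.0.10416.20020
sp19-web02,16.0.10417.20027
spse-web01,16.0.18000.20000
legacy-sp13,15.0.4571.1502
"@

# Minimum patched builds, taken from the post's step 3 query.
$PatchedBuilds = @{
    'SharePoint 2016' = [version]'16.0.5508.1000'
    'SharePoint 2019' = [version]'16.0.10417.20027'
}

function Get-SharePointProduct {
    param([version]$Version)
    # Major version to product, per the table in the post (12/14/15/16).
    switch ($Version.Major) {
        12 { return 'SharePoint 2007' }
        14 { return 'SharePoint 2010' }
        15 { return 'SharePoint 2013' }
        16 {
            # Build-range split below is this example's assumption.
            if ($Version.Build -lt 10000) { return 'SharePoint 2016' }
            if ($Version.Build -lt 14000) { return 'SharePoint 2019' }
            return 'SharePoint Subscription Edition'
        }
        default { return 'Unknown' }
    }
}

function Get-ToolShellStatus {
    param([string]$VersionString)
    # [version] compares component-wise, so 16.0.5508.x sorts below 16.0.10417.x
    # as it should; a plain string comparison would get this backwards.
    $v = [version]$VersionString
    $product = Get-SharePointProduct -Version $v
    if ($v.Major -lt 16) {
        return [pscustomobject]@{ Product = $product; Status = 'Out of support - upgrade (not confirmed affected)' }
    }
    if (-not $PatchedBuilds.ContainsKey($product)) {
        return [pscustomobject]@{ Product = $product; Status = 'Verify manually against KB5002768' }
    }
    $status = if ($v -ge $PatchedBuilds[$product]) {
        'Patched - rotate machine keys and restart IIS'
    } else {
        'Vulnerable - apply update'
    }
    [pscustomobject]@{ Product = $product; Status = $status }
}

$inventoryCsv | ConvertFrom-Csv | ForEach-Object {
    $r = Get-ToolShellStatus -VersionString $_.version
    [pscustomobject]@{
        Hostname = $_.hostname
        Version  = $_.version
        Product  = $r.Product
        Status   = $r.Status
    }
} | Format-Table -AutoSize
```

Replace the here-string with `Get-Content` of a real export to run it against your own data; the `Patched` rows still need the machine key rotation and IIS restart described under Remediation.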
Mitigation and remediation steps
For updates, visit the Microsoft Customer Guidance.
Microsoft has released security updates and provided mitigation guidance.
Remediation
Apply the latest security updates (available from the Microsoft Customer Guidance):
- SharePoint Server Subscription Edition: KB5002768
- SharePoint Server 2019: KB5002754
- SharePoint Server 2016: KB5002760
Rotate the SharePoint Server ASP.NET machine keys. After applying the updates or enabling AMSI, it is critical to rotate the machine keys. This can be done via PowerShell (Update-SPMachineKey) or through the Central Administration site (instructions in the Microsoft customer guidance, section "How to protect your environment").
Restart IIS on all SharePoint servers after the key rotation.
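The key rotation and IIS restart above are two separate steps across every web application and every server, which is where rotations get missed. The script below is an added example, not code from the Axonius post or from Microsoft's guidance text: it uses the Update-SPMachineKey cmdlet and iisreset that the post names, as the cmdlet is documented (-WebApplication takes a web application object). The loop over all web applications, the inclusion of Central Administration via -IncludeCentralAdministration, and the rule of not restarting IIS until every rotation succeeded are this example's choices.

```powershell
# Added example (not from the Axonius post): rotate ASP.NET machine keys for
# every SharePoint web application, then restart IIS on this server.
# Run in an elevated Windows PowerShell session on a SharePoint server as a
# farm administrator, after the security update is installed. The IIS restart
# must be repeated on every SharePoint server in the farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Record the outcome per web application so a failed rotation is visible
# before IIS is restarted.
$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            Rotated        = $true
            Error          = $null
        }
    } catch {
        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            Rotated        = $false
            Error          = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

if ($results.Rotated -contains $false) {
    Write-Warning 'Machine key rotation failed for at least one web application; resolve that before restarting IIS.'
} else {
    # The post requires an IIS restart on all SharePoint servers after rotation.
    iisreset /noforce
}
```

The SharePoint snap-in loads in Windows PowerShell 5.1 (the SharePoint Management Shell), not in PowerShell 7. Keep the output table with your change record: it is the evidence that the rotation step, not just the patch, was completed.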
Mitigation
For customers who cannot immediately apply the updates, Microsoft strongly recommends the following mitigation:
Enable Antimalware Scan Interface (AMSI) integration and ensure an antivirus solution like Microsoft Defender is active on all SharePoint servers. This can protect against unauthenticated attacks.
If you can't enable AMSI, disconnect the SharePoint server from the internet until you can apply the security update.
Learn more
External resources
Microsoft security update guide for CVE-2025-53770: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
Microsoft Security Response Center (MSRC) blog: Customer guidance for SharePoint vulnerability CVE-2025-53770
CISA alert: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)
NVD: CVE-2025-53770
Microsoft SharePoint versions (end of life): https://endoflife.date/sharepoint
Deserialization of untrusted data: CWE-502
Axonius resources
Creating queries using the Query Wizard: https://docs.axonius.com/docs/creating-queries-using-the-query-wizard
Enforcement Center overview: https://docs.axonius.com/docs/enforcement-center-overview
If you're not an Axonius customer and want to know more about how we can help you, schedule a meeting with a security specialist.