Mallory
Medium

Microsoft SharePoint ToolShell path traversal spoofing vulnerability

Identifiers: CVE-2025-53771, CWE-22

CVE-2025-53771 is a Microsoft SharePoint Server vulnerability affecting on-premises deployments and described by Microsoft as an improper authentication/spoofing issue. Multiple supporting sources characterize it more specifically as a path traversal vulnerability and a security-bypass variant of CVE-2025-49706 within the broader "ToolShell" exploit chain. In practice, it is used as a patch bypass for the previously disclosed SharePoint spoofing/authentication issue and can be chained with CVE-2025-53770, the related deserialization/RCE flaw, against internet-facing SharePoint servers. The vulnerability affects on-premises SharePoint Server rather than SharePoint Online in Microsoft 365, and reporting indicates it was addressed in July 2025 cumulative security updates for supported SharePoint versions.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

By itself, CVE-2025-53771 enables spoofing/security-bypass behavior in SharePoint and facilitates path traversal-style access that can undermine prior protections for CVE-2025-49706. Its operational significance is highest when chained with CVE-2025-53770 as part of ToolShell, where it helps attackers bypass authentication or security controls and reach code-execution paths on vulnerable SharePoint servers. Reporting on ToolShell campaigns links the combined exploitation chain to large-scale compromise of on-premises SharePoint environments, including web-shell deployment, theft of ASP.NET MachineKey material, credential dumping, lateral movement, persistence, and in some cases ransomware deployment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of on-premises SharePoint servers by disconnecting them from the Internet or restricting unauthenticated access through VPN, reverse proxy, or an authentication gateway. Ensure AMSI is enabled and correctly configured in SharePoint, preferably with Full Mode HTTP request body scanning, and deploy Microsoft Defender Antivirus/Defender for Endpoint or equivalent controls to detect and block exploitation and post-exploitation activity. Monitor for ToolShell indicators such as suspicious POST requests to ToolPane endpoints, creation of spinstall0.aspx or related ASPX files under SharePoint LAYOUTS paths, and anomalous child processes spawned by w3wp.exe. Because ToolShell activity involved theft of MachineKeys, defenders should also rotate keys and investigate for compromise if exposure existed before patching.
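One way to turn the three indicator classes above into a hunt, as an added example that is not Mallory's or Microsoft's code: it assumes the default IIS W3C field order and Sysmon-style file-creation and process-creation records, and every sample record is constructed.

```python
import re
from typing import Iterable

# Default IIS W3C field order, as declared on the "#Fields:" line of each log.
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]

TOOLPANE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
# New .aspx written under ...\TEMPLATE\LAYOUTS\ (spinstall0.aspx or any other name).
LAYOUTS_ASPX = re.compile(r"\\TEMPLATE\\LAYOUTS\\(?:1[56]\\)?[^\\]+\.aspx$", re.I)
# Assumption: the IIS worker process never legitimately spawns a command shell.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def flag_iis(lines: Iterable[str]) -> list:
    """POSTs to ToolPane.aspx: a triage lead, since admins also POST here when editing pages."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # skip #Software/#Fields/#Date header lines
            continue
        rec = dict(zip(W3C_FIELDS, line.split()))
        if rec["cs-method"].upper() == "POST" and TOOLPANE.search(rec["cs-uri-stem"]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits

def flag_file_creates(paths: Iterable[str]) -> list:
    """File-creation events (e.g. Sysmon event 11) that drop an .aspx into a LAYOUTS directory."""
    return [p for p in paths if LAYOUTS_ASPX.search(p)]

def flag_process_tree(events: Iterable[tuple]) -> list:
    """(parent_image, child_image) pairs (e.g. Sysmon event 1 / 4688) where w3wp.exe spawns a shell."""
    return [(p, c) for p, c in events
            if p.lower().endswith("\\w3wp.exe")
            and c.lower().rsplit("\\", 1)[-1] in SHELL_CHILDREN]

# Constructed sample telemetry: one hit and one benign record per source.
SAMPLE_IIS = [
    "#Fields: " + " ".join(W3C_FIELDS),
    "2025-07-19 08:12:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - "
    "198.51.100.7 Mozilla/5.0 - 200",
    "2025-07-19 08:12:05 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\jdoe 10.0.0.20 "
    "Mozilla/5.0 - 200",
]
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\images\logo.png",
]
SAMPLE_PROCS = [
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe"),
]
```

A ToolPane POST on its own is noisy; the file-creation and process-tree hits are the ones that should page someone, and all three together on one host point at a completed chain.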

Remediation

Patch, then assume compromise.

Apply Microsoft's July 2025 comprehensive SharePoint security updates, which fully address CVE-2025-53771 and the related ToolShell issues. Supported products called out are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. SharePoint 2010 and 2013 are reported as unsupported for these fixes and should be migrated to supported versions. After patching, Microsoft guidance also recommends rotating SharePoint ASP.NET machine keys and restarting IIS on all SharePoint servers to invalidate potentially stolen key material and complete the remediation steps associated with ToolShell compromise response.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTAL

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Microsoft Corporation | SharePoint Server | application
Microsoft Corporation | SharePoint Server 2016 | application
Microsoft Corporation | SharePoint Server 2019 | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (25)

Every observed campaign linking this CVE to a named adversary.

Associated malware (17)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (122)

Community discussion across Reddit, Mastodon, and other social sources.