Microsoft has issued emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771, which have been used to compromise services worldwide in “ToolShell” attacks.
In May, during the Berlin Pwn2Own hacking competition, researchers exploited a zero-day vulnerability chain called “ToolShell”, which enabled them to achieve remote code execution in Microsoft SharePoint.
These flaws were fixed as part of the July Patch Tuesday updates; however, threat actors were able to find two zero-day vulnerabilities that bypass Microsoft's patches for the previous flaws.
Using these flaws, the threat actors are conducting ToolShell attacks on SharePoint servers worldwide, affecting more than 54 organizations so far.
Emergency updates issued
Microsoft has now released emergency out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 that fix both CVE-2025-53770 and CVE-2025-53771.
Microsoft is still working on the SharePoint 2016 patches, which are not yet available.
“Yes, the update for CVE-2025-53770 includes stronger security than the update for CVE-2025-49704. The update for CVE-2025-53771 includes stronger security,” Microsoft's advisories read.
Microsoft SharePoint admins should install the following security updates immediately, based on their version:
- The KB5002754 update for Microsoft SharePoint Server 2019.
- The KB5002768 update for Microsoft SharePoint Subscription Edition.
- The update for Microsoft SharePoint Enterprise Server 2016 has not been released yet.
After installing the updates, Microsoft asks admins to rotate the SharePoint machine keys using the following steps:
SharePoint admins can rotate machine keys using one of the two methods below:
Manually through PowerShell
To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.
Manually through Central Administration
Trigger the machine key rotation timer job by performing the following steps:
- Navigate to the Central Administration site.
- Go to Monitoring, then Review job definition.
- Search for the Machine Key Rotation Job and select Run Now.
- After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
It is also advisable to analyze your logs and file system for the presence of malicious files or exploitation attempts.
This includes:
- Creation of the C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx file.
- IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referer of _layouts/SignOut.aspx.
Microsoft has shared the following Microsoft 365 Defender query to check whether the spinstall0.aspx file was created on your server.
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
If the file is present, a thorough investigation should be conducted on the breached server and your network to ensure that the threat actors have not spread to other devices.
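The IIS log indicator listed above can also be checked offline against exported W3C logs. The following is an added example, not code from Microsoft or the original article: the function names and the sample log lines are constructed for illustration, and it additionally flags any request whose path contains spinstall0, which goes slightly beyond the indicators as listed.

```python
# Constructed sample in IIS W3C extended format (documentation IP ranges, made-up times).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:10:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:12:50 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-19 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 alice 198.51.100.7 Mozilla/5.0 https://sp.example/sites/a/page.aspx 200
"""


def parse_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_toolshell_hits(lines):
    """Return (indicator, record) pairs for requests matching the indicators above."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        # POST to ToolPane.aspx with SignOut.aspx as referer; the query string is
        # deliberately not required so variants of it are still reported.
        if (rec.get("cs-method") == "POST"
                and stem.endswith("/_layouts/15/toolpane.aspx")
                and "/_layouts/signout.aspx" in referer):
            hits.append(("toolpane-post-signout-referer", rec))
        elif "spinstall0" in stem:
            hits.append(("spinstall0-request", rec))
    return hits


if __name__ == "__main__":
    for indicator, rec in find_toolshell_hits(SAMPLE_LOG.splitlines()):
        print(indicator, rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

The referer check only works if the cs(Referer) field is enabled in the site's IIS logging configuration; when it is absent from the #Fields line, no ToolPane hits are reported.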