
Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks

Post-Exploitation Analysis

Our analysis shows threat actors using the initial compromise for broad enterprise reconnaissance and data theft. The systematic Active Directory enumeration and cross-server lateral movement indicate targeted operations with specific objectives rather than opportunistic attacks. The use of password-protected RAR archives with date-filtered log collection (the -ta2025-07-01 switch selects only files modified after 1 July 2025) suggests interest in recent activity or a specific timeframe. The deployment of debug_dev.js marks a step up in sophistication: the file aggregates every web.config across the SharePoint farm, handing attackers a map of the enterprise's web infrastructure, including connection strings, service accounts, and internal URLs.

Summary

This sophisticated attack chain demonstrates a fundamental shift in how threat actors are targeting enterprise infrastructure. The complete bypass of SharePoint authentication, combined with cryptographic key extraction, transforms what should be a protected internal system into an open gateway for attackers. The observed post-exploitation activities reveal a methodical approach that goes far beyond simple web shell deployment – attackers are harvesting enterprise-wide configurations, mapping Active Directory structures, and establishing multiple persistence mechanisms across SharePoint farm servers.

The active exploitation of CVE-2025-53770 and CVE-2025-53771 illustrates the evolving nature of threat activity against on-premises Microsoft SharePoint Server. Organizations must apply the available patches promptly, enhance monitoring, and ensure layered security controls are in place to defend against these threats.

We strongly recommend applying the latest Microsoft security updates to on-premises SharePoint Server (SharePoint Online in Microsoft 365 is not affected), monitoring for unauthorized ASPX files in the LAYOUTS directory, auditing configuration files for suspicious changes, and inspecting server logs for anomalous access patterns, particularly POST requests to the ToolPane.aspx endpoint and unusual ViewState activity. Even where no post-exploitation activity has been observed, rotate the ASP.NET machine keys on every server in the farm and restart IIS afterward, since a successful exploit may have exposed them; the patch alone does not invalidate keys that were already stolen.
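The log, file-system and configuration checks recommended above, as an added example that is not Trend's or Microsoft's code. It parses a constructed IIS W3C log excerpt (not a real capture), flags the ToolPane.aspx exploitation pattern and access to the spinstall0.aspx web shell, diffs a LAYOUTS directory against a known-good inventory, and compares web.config hashes against a baseline. The Referer check for SignOut.aspx reflects publicly reported exploitation traffic and is an assumption here, since the page above names only the endpoint; the inventory diff deliberately goes beyond ASPX files so that a collector such as the debug_dev.js described in the post-exploitation analysis would also surface.

```python
"""Offline hunting helpers for the recommendations above: inspect IIS logs
for the ToolPane.aspx exploitation pattern and web shell access, diff the
LAYOUTS directory against a known-good inventory, and hash web.config files
against a baseline.  Added example, not code from Trend or Microsoft."""
import hashlib
import os
import tempfile
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not a real capture).  IIS writes '-' for an
# empty field and '+' for spaces, so each record splits cleanly on spaces.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 Mozilla/5.0 - 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 Mozilla/5.0 https://sp.example.local/_layouts/SignOut.aspx 200
2025-07-19 02:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:15:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0 https://sp.example.local/sites/hr/default.aspx 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def find_exploit_indicators(records):
    """Return (indicator, client_ip, timestamp) tuples for two patterns:
    a POST to ToolPane.aspx in edit mode carrying a Referer of SignOut.aspx
    (publicly reported exploitation traffic; an assumption, the page names
    only the endpoint), and any request for the spinstall0.aspx web shell."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        query = parse_qs(r.get("cs-uri-query", ""))  # '-' parses to {}
        referer = r.get("cs(Referer)", "").lower()
        when = r.get("date", "") + " " + r.get("time", "")
        if (stem.endswith("/toolpane.aspx") and r.get("cs-method") == "POST"
                and query.get("DisplayMode", [""])[0].lower() == "edit"
                and "signout.aspx" in referer):
            hits.append(("toolpane-unauth-post", r.get("c-ip"), when))
        if stem.endswith("/spinstall0.aspx"):
            hits.append(("spinstall0-webshell-access", r.get("c-ip"), when))
    return hits


def unexpected_layouts_files(layouts_dir, known_files):
    """Files in LAYOUTS that are absent from a known-good inventory taken
    from a clean server.  Not limited to .aspx so that dropped helper
    scripts (e.g. a web.config collector) are reported as well."""
    known = {k.lower() for k in known_files}
    return sorted(f for f in os.listdir(layouts_dir) if f.lower() not in known)


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def changed_configs(paths, baseline):
    """web.config paths whose SHA-256 no longer matches the recorded baseline."""
    return [p for p in paths if baseline.get(p) != sha256_file(p)]


def demo_filesystem_checks():
    """Constructed LAYOUTS tree and web.config baseline in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        layouts = os.path.join(d, "LAYOUTS")
        os.mkdir(layouts)
        for name in ("ToolPane.aspx", "start.aspx", "spinstall0.aspx", "debug_dev.js"):
            open(os.path.join(layouts, name), "w").close()
        extra = unexpected_layouts_files(layouts, {"ToolPane.aspx", "start.aspx"})

        cfg = os.path.join(d, "web.config")
        with open(cfg, "w") as fh:
            fh.write("<configuration><machineKey validationKey='AutoGenerate'/></configuration>")
        baseline = {cfg: sha256_file(cfg)}
        with open(cfg, "w") as fh:  # simulate a tampered machineKey element
            fh.write("<configuration><machineKey validationKey='ABC'/></configuration>")
        return extra, [os.path.basename(p) for p in changed_configs([cfg], baseline)]


if __name__ == "__main__":
    for hit in find_exploit_indicators(parse_iis_log(SAMPLE_IIS_LOG)):
        print(*hit)
    print(demo_filesystem_checks())
```

On a real farm, point `parse_iis_log` at the W3C logs under the IIS log directory of every front end, build the LAYOUTS inventory from a freshly patched server rather than from the suspect host, and record web.config hashes immediately after patching so that later drift is meaningful. The internal GET to ToolPane.aspx in the sample is not flagged: edit-mode requests by authenticated users are normal, and it is the unauthenticated POST with the SignOut.aspx Referer that distinguishes the exploit.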

TippingPoint customers have benefited from proactive and multi-layered protection against these vulnerabilities since the initial disclosure via the Pwn2Own program in May of 2025.  

Specific details on more protection rules and filters for Trend customers are available in the corresponding knowledge base entry.

Trend Vision One™ Threat Intelligence

To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors. 

Trend Vision One Threat Insights App

Emerging Threats: CVE-2025-53770 – Microsoft SharePoint Vulnerability Exploitation In The Wild

Hunting Queries

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.    

CVE-2025-53770: Dropping of Malicious ASPX file using PowerShell

eventSubId: 901 AND objectRawDataStr: "TEMPLATE\LAYOUTS\spinstall0.aspx"

More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.
