ShareAll Vulnerability (CVE-2025-53770): Critical Remote Code Execution in Microsoft SharePoint

Overview

The ShareAll vulnerability (CVE-2025-53770) is a critical, actively exploited remote code execution (RCE) flaw affecting on-premises Microsoft SharePoint Server 2016, 2019, and Subscription Edition. This vulnerability allows unauthenticated attackers to gain full control over vulnerable SharePoint environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have confirmed widespread exploitation impacting organizations globally since July 2025.

Technical Details

• Vulnerability type: Deserialization of untrusted data leading to unauthenticated RCE.
• Attack vector: Specially crafted HTTP POST requests are sent to the legacy endpoint /layouts/15/ToolPane.aspx?DisplayMode=Edit, using a forged Referer header (/_layouts/SignOut.aspx).
• Authentication bypass: The crafted request bypasses SharePoint’s authentication and form digest validation, allowing malicious access without credentials.
• Malicious payload deployment: Attackers upload a weaponized ASPX file (e.g., spinstall0.aspx) into SharePoint’s layouts directory. This file extracts cryptographic secrets—notably the ASP.NET ValidationKey and DecryptionKey—from SharePoint’s configuration.
• Privilege escalation: With these secrets, adversaries generate legitimate, signed __VIEWSTATE payloads to remotely execute code, gain persistent access, and further compromise the SharePoint environment, all usually under the system-assigned identity NT AUTHORITY\IUSR.
• Impact: Full compromise, including stealing sensitive SharePoint data, installing backdoors, and moving laterally within internal networks.
• CVSS score: 9.8 (Critical)

Relation to Earlier Vulnerabilities

CVE-2025-53770 is a variant and patch bypass of previous SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706) discovered at Pwn2Own Berlin. Initial patches for these earlier flaws were insufficient; attackers adapted by discovering new ways to exploit SharePoint’s workflow validation logic and data deserialization mechanisms.

Mitigation and Detection

Microsoft and CISA have released emergency patches for all supported SharePoint Server versions. Organizations must:

• Apply Microsoft’s security updates for CVE-2025-53770 and CVE-2025-53771 immediately
• Enable and configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender Antivirus to block unauthenticated exploitation attempts
• Rotate SharePoint server ASP.NET machine keys (ValidationKey, DecryptionKey, Signing algorithm) and restart IIS after patching to ensure attackers cannot reuse cryptographic secrets
• If patching or AMSI is not possible, disconnect internet-facing instances or restrict access via VPN or proxies that require strong authentication.
• Deploy endpoint detection and response (EDR) solutions to catch post-exploitation activity.
• Monitor for suspicious requests to /ToolPane.aspx with unusual headers and activity involving uploads of unknown ASPX files to the layouts directory.

Conclusion

The ShareAll (CVE-2025-53770) vulnerability represents one of the most serious SharePoint security threats in recent years. Its ease of exploitation, unauthenticated attack path, and potential for persistent, deep access require immediate attention and action from all organizations operating on-premises SharePoint environments. Swift patching, configuration of AMSI, prompt machine key rotation, and reinforced detection measures are essential to defend against this severe threat.