A Critical Escalation from CVE‑2025‑49706
By Aditya Bhatt – Red Team | VAPT
CVE‑2025‑53770 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in on-premises Microsoft SharePoint Server, and it is being actively exploited in the wild. It is not a standalone issue: Microsoft describes it as a variant of CVE‑2025‑49706, which I previously covered. Where the earlier chain needed an authenticated session, 53770 does not.
This is unauthenticated code execution, with real-world web shell drops and post-exploitation privilege escalation in active attacks. Patch now, then rotate your machine keys: patching alone does not evict an attacker who already holds them.
I previously analyzed CVE‑2025‑49706 – a spoofing vulnerability in SharePoint that allowed token manipulation, web shell uploads, and lateral movement from an authenticated foothold.
CVE‑2025‑53770 builds on the same foundation but skips the login altogether.
- Type: Unauthenticated Remote Code Execution (RCE)
- Severity: CVSS 9.8 (Critical)
- Affected Products (on-premises only; SharePoint Online in Microsoft 365 is not affected):
  - SharePoint Server 2016 (unpatched)
  - SharePoint Server 2019
  - SharePoint Server Subscription Edition
According to Microsoft, this is a variant of CVE‑2025‑49706. The bug class is deserialization of untrusted data: a crafted request that slips past the authentication check carries a malicious __VIEWSTATE payload, and when SharePoint deserializes it the attacker's code runs directly inside the IIS worker process (w3wp.exe).
Attackers are chaining:
- CVE‑2025‑49704 (deserialization bug)
- CVE‑2025‑49706 (spoofed header + auth bypass)
- CVE‑2025‑53770 (unauth RCE)

Dropping:
- the spinstall0.aspx web shell, whose job is to read and return the server's ASP.NET MachineKey configuration (ValidationKey/DecryptionKey) so the attacker can keep forging valid __VIEWSTATE later
- payloads like SuspSignoutReq.exe
- persistence tools running under w3wp.exe
Targets:
- Government and Education sectors
- On-prem SharePoint portals
- Any SharePoint instance exposed to the internet without the July 2025 security updates
Attack flow:
- 📥 Malicious request sent to a vulnerable endpoint (unauthenticated)
- 🧾 Injected __VIEWSTATE payload or forged token bypasses validation
- 💣 Code executed inside the IIS worker process (w3wp.exe) under the SharePoint application pool identity, which is frequently over-privileged
- 🐚 Web shell uploaded, remote access established
- 🛰️ C2 communication initiated, lateral movement begins
Microsoft released out-of-band security updates on July 20–21, 2025:
- SharePoint 2019 ➝ KB5002741
- SharePoint SE ➝ KB5002755
- SharePoint 2016 is pending; isolate those servers ASAP

Confirm the exact KB for your build against the MSRC advisory before deploying, and install it on every server in the farm.

- Disable external access to SharePoint until patched (or put it behind a VPN or an authenticating proxy)
- Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) after patching, then restart IIS on every server. This is not optional: spinstall0.aspx exists to steal these keys, and with them an attacker can keep forging valid __VIEWSTATE against a fully patched server.
- Ensure SharePoint's AMSI integration is enabled (a farm-level SharePoint setting managed in Central Administration, separate from Defender) and run Defender AV on every SharePoint server. The following Defender preferences harden the host but do not by themselves turn on AMSI:

```powershell
# Controlled folder access blocks untrusted processes from writing to its protected folders;
# test it first, it can interfere with legitimate SharePoint writes
Set-MpPreference -EnableControlledFolderAccess Enabled
# Set-MpPreference has no -EnableScriptScanning parameter; script scanning is enabled by
# clearing the Disable flag
Set-MpPreference -DisableScriptScanning $false
```
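The post-patch steps above (rotate keys, confirm Defender state, restart IIS) as one script. This is an added example, not code from the original post or from Microsoft. It assumes the July 2025 update is already installed on every farm server, that the Update-SPMachineKey cmdlet is present on your build (it is the cmdlet Microsoft's guidance names for rotation; the script does not verify which build introduced it), and that it runs from an elevated SharePoint Management Shell.

```powershell
# Added example: post-patch machine-key rotation and host state check for an on-prem
# SharePoint farm. Assumption: Update-SPMachineKey exists on this build. Run once on one
# farm server for the rotation, then iisreset on every SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)

# Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) for every web application,
# Central Administration included. Without this, keys stolen through spinstall0.aspx stay
# valid and __VIEWSTATE can still be forged against the patched farm.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host ("Rotating machine key for {0}" -f $wa.Url)
    Update-SPMachineKey -WebApplication $wa
}

# Defender state on this server: real-time protection and script scanning must be on.
# Note that SharePoint's AMSI integration is a separate, farm-level setting.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    ScriptScanning         = -not $pref.DisableScriptScanning
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
} | Format-List

# Reload IIS so the new keys take effect (repeat on every SharePoint server in the farm).
iisreset
```

Run it after the update has been applied and the configuration wizard has completed on all servers; rotating keys before every server is patched leaves a window where an unpatched node can be re-exploited and the new keys stolen again.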
Indicators to hunt for:
- spinstall0.aspx (web shell)
- SuspSignoutReq.exe
- Large encoded __VIEWSTATE values in POST payloads
- Suspicious process tree: w3wp.exe → cmd.exe → powershell.exe

Defender for Endpoint / Sentinel hunting query for the file drop:

```kql
// New .aspx files under inetpub, or the known web shell name anywhere on the device
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName =~ "spinstall0.aspx"
    or (FolderPath contains "inetpub" and FileName endswith ".aspx")
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
```

| CVE ID | Access Required | Impact | Exploitation |
|---|---|---|---|
| CVE‑2025‑49706 | Authenticated | Spoofing / Shell Drop | Confirmed |
| CVE‑2025‑53770 | Unauthenticated | RCE in the IIS worker process | Active |
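The same indicators checked offline against exported telemetry, for servers without Defender for Endpoint. This is an added example, not code from the original post. The IIS W3C log lines and the process records embedded in it are constructed samples, not real telemetry; the script assumes the IIS site logs the cs-bytes field (off by default) as a proxy for request body size, since IIS does not log the POST body itself, and that process events come from Sysmon Event ID 1 or an EDR export carrying Image, ProcessId and ParentProcessId. The web shell check matches spinstall0.aspx and simple numbered variants of that name.

```powershell
# Added example: offline triage of IIS logs and process events for the ToolShell indicators.
# All sample data below is constructed for illustration.

# --- Constructed IIS W3C sample with cs-bytes enabled ---
$iisLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status cs-bytes
2025-07-19 03:12:41 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 198.51.100.7 Mozilla/5.0 200 512
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/somepage.aspx - 203.0.113.9 Mozilla/5.0 200 184320
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 Mozilla/5.0 200 410
2025-07-19 03:14:10 10.0.0.5 POST /sites/hr/Lists/Tasks/NewForm.aspx - 198.51.100.7 Mozilla/5.0 302 6100
'@

# --- Constructed process events in Sysmon Event ID 1 shape ---
$procEvents = @'
ProcessId,ParentProcessId,Image,CommandLine
4120,700,C:\Windows\System32\inetsrv\w3wp.exe,w3wp.exe -ap SharePointApp
5208,4120,C:\Windows\System32\cmd.exe,cmd.exe /c powershell -ep bypass -enc SQBFAFgA
5316,5208,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -ep bypass -enc SQBFAFgA
6004,3300,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
'@ | ConvertFrom-Csv

function Get-IisRecords {
    # Parse W3C log text into objects using the #Fields header as column names
    param([string]$Text)
    $lines  = $Text -split "`r?`n" | Where-Object { $_.Trim() -ne '' }
    $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $fields = $header -split ' '
    $lines | Where-Object { -not $_.StartsWith('#') } | ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

function Find-SuspiciousRequests {
    # Flag the known web shell name and unusually large POSTs (candidate oversized __VIEWSTATE)
    param([string]$LogText, [int]$PostBytesThreshold = 50KB)
    Get-IisRecords -Text $LogText | ForEach-Object {
        $reasons = @()
        if ($_.'cs-uri-stem' -match 'spinstall\d*\.aspx$') { $reasons += 'known web shell name' }
        if ($_.'cs-method' -eq 'POST' -and [int]$_.'cs-bytes' -ge $PostBytesThreshold) {
            $reasons += "large POST ($($_.'cs-bytes') bytes); inspect __VIEWSTATE"
        }
        if ($reasons) {
            [pscustomobject]@{
                Time   = "$($_.date) $($_.time)"
                Client = $_.'c-ip'
                Uri    = $_.'cs-uri-stem'
                Reason = ($reasons -join '; ')
            }
        }
    }
}

function Find-WebShellProcessChains {
    # Walk each powershell.exe up its parent chain and report chains rooted in w3wp.exe
    param([object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }
    foreach ($e in $Events) {
        if ((Split-Path $e.Image -Leaf) -ne 'powershell.exe') { continue }
        $chain = @()
        $cur = $e
        while ($cur) {
            $chain = @((Split-Path $cur.Image -Leaf)) + $chain
            $cur = $byPid[[int]$cur.ParentProcessId]
        }
        if ($chain -contains 'w3wp.exe') {
            [pscustomobject]@{ Pid = $e.ProcessId; Chain = ($chain -join ' -> '); CommandLine = $e.CommandLine }
        }
    }
}

Find-SuspiciousRequests -LogText $iisLog | Format-Table -AutoSize
Find-WebShellProcessChains -Events $procEvents | Format-Table -AutoSize

# On a live server, feed the real sources instead of the samples, for example:
#   Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log -Raw | ForEach-Object { Find-SuspiciousRequests -LogText $_ }
#   Get-ChildItem C:\inetpub -Recurse -Filter 'spinstall*.aspx'
```

On the constructed data this reports the 184 KB POST and the spinstall0.aspx fetch from 203.0.113.9, and the single chain w3wp.exe -> cmd.exe -> powershell.exe; the unrelated cmd.exe with parent 3300 is not reported because its ancestry never reaches the IIS worker. Treat a large POST as a lead, not a verdict: the cs-bytes proxy will also catch legitimate file uploads, so pull the matching request from a WAF or Failed Request Tracing capture to confirm the __VIEWSTATE size.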
Microsoft confirmed 53770 as a variant of 49706, now weaponized into unauthenticated RCE.
This isn't just another CVE drop. CVE‑2025‑53770 is one of the most dangerous SharePoint vulnerabilities in recent memory. It builds on an already-bad spoofing flaw (49706) and removes the only barrier, authentication.
If you're running an on-prem SharePoint instance and haven't patched since early July 2025, assume compromise and hunt aggressively.
I'm a cybersecurity practitioner focused on offensive security, exploit analysis, and red team operations. I’ve ranked in the top 2% on TryHackMe and published security tools like KeySentry, ShadowHash, and PixelPhantomX. I hold certifications like CEH, Security+, and the IIT Kanpur Red Team Certificate, and write regularly for InfoSec WriteUps and other security platforms.
🔗 GitHub: @AdityaBhatt3010
✍️ Medium: @adityabhatt3010
💼 LinkedIn: Aditya Bhatt


