SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
Sigma rule

title: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
id: 48d053db-6a56-4866-b60d-0975647050ed
status: experimental
description: |
    Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f
    - https://research.eye.security/sharepoint-under-siege/
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-53770
    - detection.emerging-threats
logsource:
    category: webserver # IIS web server logs
detection:
    selection_exploit_post:
        cs-method: 'POST'
        cs-uri-stem|contains: '/_layouts/15/ToolPane.aspx'
        cs-uri-query|contains: 'DisplayMode=Edit&a=/ToolPane.aspx'
    selection_exploit_get:
        cs-method: 'GET'
        cs-uri-stem|contains: '/_layouts/15/spinstall0.aspx'
    selection_referer:
        cs-referer|contains: '/_layouts/SignOut.aspx'
    condition: 1 of selection_exploit_* and selection_referer
falsepositives:
    - Unknown
level: medium
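The rule's condition applied to IIS W3C extended log lines in Python, as an added example that is not part of the Sigma rule or the SigmaHQ project. The log lines, the hostnames and addresses in them, and the mapping of the IIS `cs(Referer)` column to the rule's `cs-referer` field are constructed assumptions.

```python
# Added example: evaluates the ToolShell Sigma rule over IIS W3C log text.
# Sigma field names used by the rule -> IIS W3C column names (assumed mapping).
FIELD_ALIASES = {"cs(Referer)": "cs-referer", "cs(User-Agent)": "cs-user-agent"}

# Constructed sample log; two lines follow the pattern the rule looks for,
# one is a normal edit-mode request, one has the URI but no SignOut referer.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:00:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:01:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 alice 10.0.0.22 Mozilla/5.0 https://sp.example.test/SitePages/Home.aspx 200
2025-07-19 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 bob 10.0.0.23 Mozilla/5.0 - 200
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by (Sigma-style) field name."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [FIELD_ALIASES.get(f, f) for f in line.split()[1:]]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                events.append(dict(zip(fields, values)))
    return events


def contains(event, field, needle):
    """Sigma 'contains' modifier: case-insensitive substring match on one field."""
    return needle.lower() in event.get(field, "").lower()


def matches_toolshell(event):
    """condition: 1 of selection_exploit_* and selection_referer"""
    method = event.get("cs-method", "").upper()
    exploit_post = (method == "POST"
                    and contains(event, "cs-uri-stem", "/_layouts/15/ToolPane.aspx")
                    and contains(event, "cs-uri-query", "DisplayMode=Edit&a=/ToolPane.aspx"))
    exploit_get = (method == "GET"
                   and contains(event, "cs-uri-stem", "/_layouts/15/spinstall0.aspx"))
    referer = contains(event, "cs-referer", "/_layouts/SignOut.aspx")
    return (exploit_post or exploit_get) and referer


def detect(text):
    """Return the parsed events the rule would alert on."""
    return [e for e in parse_iis_w3c(text) if matches_toolshell(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_IIS_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```

Only the two requests carrying the `SignOut.aspx` referer are reported; the edit-mode GET and the POST without that referer are dropped by the `and selection_referer` clause.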