> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Microsoft SharePoint is a widely used enterprise collaboration and content management platform. In July 2025, Microsoft released a critical security advisory fixing two high-impact vulnerabilities:
- CVE-2025-53770: Remote Code Execution (RCE)
- CVE-2025-53771: Path Traversal
Among them, CVE-2025-53770 poses a significant risk. Exploitation is straightforward and requires no authentication. If left unpatched, attackers can take full control of vulnerable SharePoint servers.
What’s the Vulnerability?
The issue stems from how SharePoint handles ASP.NET ViewState. Here’s a high-level overview of the attack flow:
- The attacker uploads a malicious `.aspx` file.
- That file is used to extract the ValidationKey and DecryptionKey from the server.
- Using the stolen keys, the attacker crafts a valid `__VIEWSTATE` payload.
- The ViewState is then deserialized, leading to unauthenticated remote code execution via .NET gadget chains.
Impact
- Remote command execution on the server
- Full server takeover
- Data breach or complete compromise of business systems
Risk Overview
| Category | Detail |
|---|---|
| CVSS Score | High (Critical) |
| Attack Vector | Remote over network |
| Authentication | Not required |
| User Interaction | Not required |
| Affected Configs | Default settings |
| Exploitation | POC/EXP publicly available |
| Fix Complexity | Low (patch available) |
Affected Versions
- SharePoint Server 2016
- SharePoint Server 2019 < Patch KB5002754
- SharePoint Subscription Edition < Patch KB5002768
How to Fix It
1. Apply Official Security Patches
- SharePoint 2019: Install KB5002754
- SharePoint Subscription Edition: Install KB5002768
2. Rotate ASP.NET Machine Keys
Run the following in PowerShell:

```powershell
Update-SPMachineKey
```

Or use Central Administration → Machine Key Rotation.
3. Restart IIS
After rotating machine keys, run `iisreset.exe` on all SharePoint servers to apply changes.
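One way to check that steps 2 and 3 actually replaced the keys on every server, as an added example (not code from this article or from Microsoft): it compares `web.config` snapshots taken before and after rotation and flags servers that still hold the old `machineKey` or disagree with the rest of the farm. The server names, key values and the snapshot-collection step are assumptions; the sample configs are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import Counter

def key_fingerprint(web_config_xml):
    """SHA-256 fingerprint of the machineKey pair, so raw keys never reach a report."""
    mk = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if mk is None or not mk.get("validationKey") or not mk.get("decryptionKey"):
        return None
    material = mk.get("validationKey") + "|" + mk.get("decryptionKey")
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def audit_rotation(before, after):
    """before/after: {server: web.config text}. Returns {server: status}."""
    old_fps = {key_fingerprint(x) for x in before.values()}
    new_fps = {s: key_fingerprint(x) for s, x in after.items()}
    # The farm-wide key is the most common fingerprint that is not a pre-rotation key.
    fresh = [fp for fp in new_fps.values() if fp and fp not in old_fps]
    majority = Counter(fresh).most_common(1)[0][0] if fresh else None
    report = {}
    for server in before:
        fp = new_fps.get(server)
        if fp is None:
            report[server] = "MISSING"      # no snapshot or no explicit machineKey
        elif fp in old_fps:
            report[server] = "STALE"        # stolen keys would still validate here
        elif fp != majority:
            report[server] = "OUT_OF_SYNC"  # rotated, but differs from the farm
        else:
            report[server] = "ROTATED"
    return report

def _cfg(vk, dk):
    # Constructed sample web.config; the key strings are placeholders, not real keys.
    return ('<configuration><system.web>'
            f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            'validation="HMACSHA256" /></system.web></configuration>')

# Constructed snapshots for a hypothetical five-server farm.
BEFORE = {s: _cfg("OLD-V", "OLD-D") for s in ("WFE1", "WFE2", "WFE3", "APP1", "APP2")}
AFTER = {
    "WFE1": _cfg("NEW-V", "NEW-D"),
    "WFE2": _cfg("NEW-V", "NEW-D"),
    "WFE3": _cfg("OLD-V", "OLD-D"),      # rotation never reached this server
    "APP1": _cfg("OTHER-V", "OTHER-D"),  # rotated separately from the farm
}                                         # APP2: no post-rotation snapshot

if __name__ == "__main__":
    for server, status in audit_rotation(BEFORE, AFTER).items():
        print(f"{server:5} {status}")
```

Any server reported as `STALE` still accepts ViewState signed with the pre-rotation keys, so it needs the rotation and IIS restart repeated.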
Temporary Mitigation
If patching isn't immediately possible:
- Enable AMSI Protection: Ensure Antimalware Scan Interface (AMSI) is enabled and set to Full Mode. This blocks unauthenticated ViewState-based attacks.
- Isolate Vulnerable Servers: For unpatched or AMSI-incompatible versions (e.g., SharePoint 2016), disconnect affected servers from the internet until fixed.
Timeline
- July 2025: Microsoft publicly discloses CVE-2025-53770
- July 21, 2025: Chaitin Tech's SafeLine Emergency Response Center issues advisory
Final Thoughts
This is a high-risk RCE that requires no login and little effort to exploit. Organizations running vulnerable versions of SharePoint should patch immediately or take mitigation steps to prevent real-world attacks.