Editorial coverage · CVE-2025-53770
Patched. KEV-compliant. Still exploitable.
Microsoft's July 8 patch closed one attack vector on SharePoint's ToolPane endpoint. CVE-2025-53770 reached the same endpoint through .NET deserialization six days later. For twelve days, organizations that patched on schedule were exploited on schedule.
What we say
The July 8 patch was on time. It was complete with respect to the bug Microsoft was told about. It was incomplete with respect to the endpoint the bug lived in. Six days later a researcher demonstrated a bypass. Eleven days later Storm-2603 was deploying ransomware through it. The operators who patched fastest were not, in this window, the safest operators. They were exploited at the same rate as everyone else, with the additional cost that their compliance dashboards turned green while it was happening.
CVE-2025-49704 and CVE-2025-53770 reach the same URL, accept the same POST parameter, and bypass authentication through the same spoofed Referer (the spoofing bug CVE-2025-49706 fixed on July 8, and its bypass CVE-2025-53771 after it). They differ in what they do with the field's contents. The July patch sanitized one mechanism, code injection through the field, and left a second mechanism, .NET deserialization of the same field, open to the same caller. The July 20-21 out-of-band update did the structurally correct thing and replaced the deserialization blocklist with an allowlist. The twelve to thirteen days between the two patches, depending on the SharePoint version, is the window that matters: it is the window in which "patched" and "protected" diverged for every on-prem SharePoint operator in the world.
The key-custody gap that follows the patch is the part the patch itself cannot close. The first payload through CVE-2025-53770 drops a webshell under the LAYOUTS directory whose job is to read the ASP.NET MachineKey values (validationKey and decryptionKey) out of the web application's configuration. Those keys remain valid after the July 21 update ships and after the webshell is removed. An attacker holding them can forge ViewState for the farm indefinitely, which is a second remote-code-execution path through the same ASP.NET deserialization machinery and needs no webshell on disk. Rotating them means Update-SPMachineKey for every web application followed by an IIS restart on every server in the farm, which is a planned outage on most change boards. The update package installs the fix; it does not rotate keys. The rotation step lives in Microsoft's separate guidance, not in anything a patch-management system installs or measures, so runbooks keyed to the KB rarely include it. Three quarters of the on-prem SharePoint fleet that was internet-reachable in July 2025 is still internet-reachable today, and an unknown but probably large fraction of those farms have not rotated their keys.
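Rotation as it would be run from a SharePoint Management Shell, as an added example; this is not Microsoft's published script or anything from the KB or advisory. It assumes the Update-SPMachineKey cmdlet (SharePoint 2016 and later), assumes the Central Administration web application is rotated along with the content web applications, and fingerprints the machineKey element of each default-zone web.config so the operator can prove the on-disk keys changed without writing the keys themselves to a log:

```powershell
# Added example, not from the article or from Microsoft's guidance: rotate the
# ASP.NET machine keys on every SharePoint web application and verify that the
# on-disk web.config values actually changed. Run from an elevated SharePoint
# Management Shell; the iisreset at the end must be repeated on every server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    # SHA-256 fingerprint of the <machineKey> element in the default-zone
    # web.config, truncated to 16 hex chars. Lets before/after be compared
    # without the key material itself ever appearing in console or log output.
    param($WebApplication)
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $iisSettings = $WebApplication.IisSettings[$zone]
    $configPath = Join-Path $iisSettings.Path.FullName 'web.config'
    [xml]$config = Get-Content -Path $configPath -Raw
    $mk = $config.configuration.'system.web'.machineKey
    if (-not $mk) { return 'no-machineKey-element' }
    $material = "$($mk.validationKey)|$($mk.decryptionKey)|$($mk.validation)|$($mk.decryption)"
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($material))
    return ([System.BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16)
}

# Assumption: Central Administration is rotated too, not only content web apps.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

$before = @{}
foreach ($wa in $webApps) { $before[$wa.Url] = Get-MachineKeyFingerprint $wa }

foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa -Confirm:$false
}

# The new keys take effect only once every w3wp.exe has reloaded configuration.
iisreset /noforce

foreach ($wa in $webApps) {
    $after = Get-MachineKeyFingerprint $wa
    $status = if ($after -ne $before[$wa.Url]) { 'ROTATED' } else { 'UNCHANGED - investigate' }
    Write-Host ("{0,-48} {1} -> {2}  {3}" -f $wa.Url, $before[$wa.Url], $after, $status)
}
```

On a multi-server farm, run the fingerprint check and the iisreset on every server, not only the one where the cmdlet ran; a worker process that has not restarted keeps honouring the old keys. Expect in-flight postbacks to fail ViewState validation at the moment of rotation, which is the outage the change board is being asked to approve.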
The compliance dimension is the part that does not fix itself by shipping a better patch next time. BOD 22-01 measures patch application. It cannot measure patch completeness. The July 8 patch closed a CVE; the July 21 patch closed a different CVE on the same endpoint family. Both can pass an audit. The operator-facing version of the question is whether the farm was reachable between July 8 and the date the out-of-band update was actually installed (for a non-trivial number of operators, some weeks after July 21), and whether MachineKey rotation has been performed since. The auditor's version of the same question is whether the control narrative for SharePoint patching accounts for the difference. Most do not.
The narrow lesson is product-specific: the post-patch checklist for ToolShell is not the patch. It is the patch, AMSI integration, the MachineKey rotation, the webshell hunt under the LAYOUTS directory (served as _layouts/), and the IIS log review for the bypass pattern, a POST to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx, plus any request to the dropped webshell. The wider one is that "fixes the reported PoC" is the floor, not the ceiling. An endpoint that processes attacker-controlled input through a deserialization pipeline can be patched against one gadget chain and remain exposed to the next, on the same parameter, on the same URL, without anyone in the patch-notes chain noticing.
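The webshell hunt and IIS-log review from that checklist, as an added example that is not the article's or any vendor's tooling, written for the Windows PowerShell already on a SharePoint server. The log lines are constructed; the /_layouts/SignOut.aspx Referer is the published ToolShell bypass pattern; the spinstall*.aspx filename pattern matches the publicly reported webshell; the hive paths, the W3SVC log path and the July 7 cutoff are assumptions to adjust for the farm:

```powershell
# Added example, not from the article or its sources: triage IIS W3C logs for
# the ToolShell request shape and list ASPX files that appeared under LAYOUTS
# after Patch Tuesday. Sample log lines below are constructed, not captured.

function Find-ToolShellRequests {
    param([string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # IIS re-emits the field list whenever the format changes; use the latest.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $stem    = $row['cs-uri-stem']
        $referer = $row['cs(Referer)']
        $rule = $null
        if ($row['cs-method'] -eq 'POST' -and $stem -match '(?i)^/_layouts/1[56]/ToolPane\.aspx$') {
            if ($referer -match '(?i)/_layouts/(1[56]/)?SignOut\.aspx') {
                $rule = 'toolpane-signout-referer'   # the unauthenticated bypass shape
            } elseif ($row['cs-uri-query'] -match '(?i)DisplayMode=Edit') {
                $rule = 'toolpane-edit-post'         # same endpoint, no spoofed Referer; review
            }
        } elseif ($stem -match '(?i)^/_layouts/1[56]/spinstall\w*\.aspx$') {
            $rule = 'layouts-webshell-hit'           # request to the dropped webshell
        }
        if ($rule) {
            [PSCustomObject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Method   = $row['cs-method']
                Uri      = $stem
                Referer  = $referer
                Status   = $row['sc-status']
                Rule     = $rule
            }
        }
    }
}

function Find-NewLayoutsAspx {
    # Any .aspx created or modified under either hive after the cutoff (assumed
    # July 7, the day before Patch Tuesday) is a candidate for manual review.
    param([datetime]$Cutoff = (Get-Date '2025-07-07'))
    $hives = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
             'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive -Filter *.aspx -Recurse -File |
            Where-Object { $_.CreationTime -gt $Cutoff -or $_.LastWriteTime -gt $Cutoff } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# Constructed sample in IIS W3C format; IIS logs spaces inside fields as '+'.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 312
2025-07-18 09:12:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-18 09:15:44 10.0.0.5 GET /sites/finance/SitePages/Home.aspx - 443 CONTOSO\jdoe 10.0.1.23 Mozilla/5.0 - 200 0 0 88
'@ -split "`r?`n"

# Flags the first two lines (bypass POST, then the webshell fetch), not the third.
Find-ToolShellRequests -LogLines $sample | Format-Table -AutoSize

# Against real logs (path and site id assumed):
# Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex2507*.log' | Find-ToolShellRequests |
#     Export-Csv -Path .\toolshell-hits.csv -NoTypeInformation
# Find-NewLayoutsAspx | Format-Table -AutoSize
```

A 200 on the flagged POST is the line to escalate; the status on the bypass request after July 8 depends on which update was installed at the time, so treat the request shape as the indicator and the status as context. The file hunt is deliberately broad: a clean farm has no .aspx files written under LAYOUTS between Patch Tuesday and the out-of-band update, so anything it returns needs an explanation.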
What NVD says
CWE-502, deserialization of untrusted data. CVSS 3.1 base 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Remote unauthenticated code execution against on-premises Microsoft SharePoint Server 2016, 2019, and Subscription Edition via a crafted serialized object delivered in the `MSOTlPn_DWP` POST parameter to `/_layouts/15/ToolPane.aspx`. NVD names the deserialization mechanism correctly; the endpoint and parameter come from the public exploit analyses, not from the NVD description, which is generic. It does not carry the timeline against CVE-2025-49704 (the July 8 fix this bypassed) or the post-patch MachineKey rotation step that closes the chain for good.
What the vendor says
Microsoft shipped the July 2025 Patch Tuesday fixes for CVE-2025-49704 and CVE-2025-49706 on July 8, 2025. After Code White GmbH reproduced a bypass and exploitation was confirmed in the wild, Microsoft published guidance for CVE-2025-53770 on July 19 and followed with out-of-band updates KB5002768 (SharePoint Subscription Edition), KB5002754 (2019), and KB5002760 (2016) over July 20 and 21; it subsequently attributed Warlock ransomware deployment through the same endpoint to Storm-2603. The out-of-band update replaces the deserialization blocklist with a restrictive allowlist, the architecturally correct fix. The guidance directs operators to apply the update, enable AMSI integration, and rotate the ASP.NET machine keys with Update-SPMachineKey followed by an IIS restart, because keys exfiltrated during the exposure window remain valid for ViewState forgery after patching. The rotation step is the one no patch-management system performs or records, and it is the one most often left undone.
Compliance impact
- FEDRAMP
- FedRAMP-authorized SharePoint environments and federal agencies under CISA BOD 22-01 carry separate remediation clocks for CVE-2025-49704 (the July 8 Patch Tuesday fix, added to KEV in the days after CVE-2025-53770 on the standard window) and CVE-2025-53770 (added to KEV July 20 with a one-day due date). The compliance question that BOD 22-01 cannot answer: between July 8 and July 21, a system marked compliant against the first KEV entry was reachable via the second. The audit trail says you patched on time. The system was still exploitable.
- SOX
- SharePoint document libraries that store SOX-relevant control evidence, such as change-management approvals, access-review attestations, and vendor SOC reports, are in scope when the host was reachable during the exposure window. Webshells deployed through ToolShell executed inside w3wp.exe as the web application's application-pool identity, an account that can read or modify any document the SharePoint farm can read. Section 404 ITGC reviews need a control-effectiveness assessment for any farm exposed between July 8 and the actual patch date, not the original-patch date.
- HIPAA
- Covered entities running SharePoint as a document store for ePHI face Breach Notification Rule four-factor analysis if the farm was internet-reachable during the window. "We patched on Patch Tuesday" does not close the assessment: the analysis has to address what the application-pool identity could have read between July 8 and the date the out-of-band update was actually installed, and whether MachineKey rotation has been completed since.
Sources
- NVD — CVE-2025-53770
- CISA Alert — Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities
- Microsoft Security Blog — Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities
- Unit 42 — Microsoft SharePoint CVE-2025-49704, CVE-2025-49706, CVE-2025-53770
- Rapid7 ETR — Zero-Day Exploitation of Microsoft SharePoint Servers CVE-2025-53770
- Code White GmbH — SharePoint ToolPane Bypass Reproduction
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.