SharePoint zero-day exploited, patch now


by TB Editor
21 July 2025

Microsoft has issued urgent security patches for two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, affecting Microsoft SharePoint. These flaws have been actively exploited in “ToolShell” attacks globally, impacting over 54 organizations.

The vulnerabilities emerged after threat actors bypassed fixes released in the July Patch Tuesday updates. These initial updates were intended to address a “ToolShell” zero-day vulnerability chain that allowed remote code execution in Microsoft SharePoint, first demonstrated at the Pwn2Own contest in Berlin in May.

Microsoft has quickly released out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 to mitigate CVE-2025-53770 and CVE-2025-53771. The company confirmed that these new updates offer “more robust protections” compared to the previous fixes for CVE-2025-49704 and CVE-2025-49706, respectively. An update for Microsoft SharePoint Enterprise Server 2016 is still pending.

SharePoint administrators are strongly advised to install these critical updates immediately: KB5002754 for Microsoft SharePoint Server 2019 and KB5002768 for Microsoft SharePoint Subscription Edition.

Beyond applying the patches, Microsoft urges administrators to rotate their SharePoint machine keys. This can be done either manually via PowerShell using the Update-SPMachineKey cmdlet or through Central Admin by triggering the “Machine Key Rotation Job” timer job. After rotation, an IIS reset (iisreset.exe) on all SharePoint servers is recommended.

Admins should also conduct a thorough analysis of their logs and file systems for signs of compromise or exploitation attempts. Key indicators include the creation of the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx, and IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referrer of _layouts/SignOut.aspx.
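The IIS log indicator described above can be checked offline against exported W3C logs. The following is an added example, not code from Microsoft or from this article; the sample log lines, hosts and addresses are constructed, and the extra match on requests for spinstall0.aspx is an added heuristic rather than one of the indicators listed above.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in IIS W3C extended format; hosts and addresses are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 03:12:44 GET /_layouts/15/start.aspx - 192.0.2.10 - 200
2025-07-19 03:14:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 198.51.100.7 /_layouts/SignOut.aspx 200
2025-07-19 03:14:09 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 - 200
2025-07-19 04:00:00 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 192.0.2.10 https://sp.example.test/sites/hr/home.aspx 200
"""

def iter_records(text):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order differs between servers
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(rec):
    """Return the name of the indicator a record matches, or None."""
    stem = rec.get("cs-uri-stem", "").lower()
    if stem.endswith("/spinstall0.aspx"):
        return "spinstall0-request"  # added heuristic: request for the dropped file name
    if rec.get("cs-method", "").upper() != "POST" or not stem.endswith("/_layouts/15/toolpane.aspx"):
        return None
    # parse_qsl URL-decodes values, so a=%2FToolPane.aspx matches as well
    query = {k.lower(): v.lower() for k, v in parse_qsl(rec.get("cs-uri-query", ""))}
    # The referer may be logged as a bare path or as a full URL; compare the path only
    referer_path = urlsplit(rec.get("cs(Referer)", "")).path.lower()
    if (query.get("displaymode") == "edit" and query.get("a") == "/toolpane.aspx"
            and referer_path.endswith("/_layouts/signout.aspx")):
        return "toolpane-post"
    return None

def scan(text):
    """Return (indicator, date, time, client IP) for every matching request."""
    hits = []
    for rec in iter_records(text):
        tag = classify(rec)
        if tag:
            hits.append((tag, rec.get("date"), rec.get("time"), rec.get("c-ip")))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A hit only shows that a matching request reached the server; it needs to be correlated with the file-system check and the response status before drawing conclusions.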

Microsoft has provided a Microsoft 365 Defender query to help detect the presence of the spinstall0.aspx file:

DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
    or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

If this file is found, a comprehensive investigation of the affected server and network is crucial to ensure that threat actors have not expanded their access to other devices.
