CVE-2025-53770: A 9.8/10 Critical Exploit Targeting SharePoint by Lucie Cardiet
ID: 0283fdc8-9330-50c6-8bf2-ccafab557f12
STIX ID: report--0283fdc8-9330-50c6-8bf2-ccafab557f12
Feed Name: Vectra AI Blog
A global, active campaign named "ToolShell" is exploiting two SharePoint deserialization vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve unauthenticated RCE on on-premises SharePoint 2016, 2019 and Subscription Edition servers. Attackers upload a stealthy webshell (spinstall0.aspx) to extract the server's ValidationKey and DecryptionKey, then use those keys to forge signed __VIEWSTATE payloads (via ysoserial), giving them persistent command execution and a foothold for lateral movement. Researchers report mass scanning, public exploit tooling, more than 9,300 exposed SharePoint servers, and over 85 organizations impacted. The report describes Vectra AI detection and response capabilities for the exploit chain.
