Update on the SharePoint ToolShell vulnerability exploitation (CVE-2025-53770)
ID: a43a3e9c-ddd2-57d2-b557-c1bd24f86cf5
STIX ID: report--a43a3e9c-ddd2-57d2-b557-c1bd24f86cf5
Feed Name: Expel Blog
Date Published: 2025-07-22
Date Updated: 2026-04-27
Author: Matt Jastram; Brandon Overstreet; Ben Nahorney; Aaron Walton
**TL;DR:** A zero-day SharePoint RCE (CVE-2025-53770) was actively exploited against on-prem SharePoint 16.0.0.0 and earlier, enabling unauthenticated code execution that can bypass SSO/MFA; SOC analysts observed exploitation attempts and related malware activity (including a detectable 'SuspSignoutReq' implant) and recommend immediate patching, AMSI/Defender deployment, and log/IOC hunting for aspx webwrites and specific request patterns.
