CrowdStrike Detects and Blocks Initial SharePoint Zero-Day Exploitation

Beginning on July 18, 2025, at approximately 0700 UTC, CrowdStrike Falcon® Complete Next-Gen MDR and CrowdStrike Falcon® Adversary OverWatch™ identified a wave of Microsoft SharePoint exploitation attempts by an unknown adversary. Two distinct zero-day vulnerabilities were made publicly available: a critical remote code execution vulnerability (CVE-2025-53770) and a server spoofing vulnerability (CVE-2025-53771). The chaining of these vulnerabilities to exploit a vulnerable SharePoint server is being referred to as “ToolShell.” 

Since the start of this exploitation, CrowdStrike has observed and successfully blocked hundreds of exploitation attempts across 160+ customer environments, demonstrating both the scale of this threat and the effectiveness of our protection capabilities. 

The CrowdStrike Falcon® platform detects and protects against exploitation of the Microsoft SharePoint zero-days, blocking known behaviors associated with these vulnerabilities. This blog post provides context surrounding this emerging threat, as well as guidance for customers on how they can use the Falcon platform to protect their environments. Customers of CrowdStrike Falcon® Adversary Intelligence Premium can find more detailed analysis in Intel report CSA-250846.

Observed Exploitation of SharePoint Vulnerability

CrowdStrike has observed widespread exploitation of CVE-2025-53770 involving a deserialisation attack leading to attempts to write a malicious .aspx webshell on the host. That file, spinstall0.aspx, is used to steal IIS Machine Keys, which can later be used for other post-exploitation attacks.

This attack begins with a specially crafted POST request to an accessible SharePoint server. The POST request payload will attempt to write the .aspx file via PowerShell. That malicious PowerShell command, spawned from the SharePoint IIS process, is blocked by the Falcon platform. 

We have tracked the size and speed of attempted payload delivery over time by mapping detections from the Falcon platform. The following timeline of activity has been observed:

• July 18 (morning UTC): A small number of SharePoint servers were attacked
• July 18 (1330-1845 UTC): Shortly after, likely following the publicity of the zero-day, the campaign ramped up significantly with 177 servers attacked on the same day
• July 19 (0600-0800 UTC): Exploitation recommenced briefly before temporarily ceasing
• July 21 (0740 UTC): Activity resumes with 32 servers attacked in four hours up to 1130 UTC

Defending Against This Threat

Organizations are strongly encouraged to apply patches that have been released to ensure they are protected. Microsoft has published customer guidance and released patches for Microsoft SharePoint Server 2019 Core, Microsoft SharePoint Server Subscription Edition, and Microsoft SharePoint Enterprise Server 2016.

CrowdStrike Falcon Endpoint Detection and Response

As mentioned in our opening analysis, this attack relies on specially crafted POST requests to exploit the SharePoint zero-day vulnerabilities. CrowdStrike Falcon® Insight XDR endpoint security successfully detected and blocked these attacks through advanced behavioral analysis rather than relying on signature-based detections.

The attack chain exploits SharePoint servers by executing malicious code to extract authentication keys, enabling attackers to send authenticated system-level commands. Falcon Insight XDR’s behavioral engine identified suspicious activity when SharePoint processes began launching command prompts and PowerShell scripts — a clear deviation from normal SharePoint operations.

Our multi-layered approach detected:

• Abnormal process behavior: Suspicious process chains originating from SharePoint services, including webshells and reconnaissance
• Network anomalies: Questionable DNS requests that generated alerts in the Falcon console
• Behavioral correlation: Multiple indicators confirming malicious intent

Threat actors continuously adapt their techniques based on security vendor responses. CrowdStrike's threat research team proactively enhances our detection capabilities in response. We are deploying additional behavioral detections this week that focus on post-exploitation activities and alternative attack vectors, providing continued coverage as attack methods evolve.

CrowdStrike Falcon Exposure Management

Customers can find CVE-2025-53770 and CVE-2025-53771 with CrowdStrike Falcon® Exposure Management’s vulnerability management capability.

CrowdStrike has developed a custom dashboard for Falcon Exposure Management customers so they can quickly see which hosts are vulnerable. The dashboard includes threat analysis provided by researchers, detailed information on vulnerable hosts, and the count of vulnerable product versions. As with other custom dashboard releases, customers can access these predefined dashboards by navigating to Exposure management > Vulnerability management > Dashboards, then select this dashboard for ToolShell CVE-2025-53770.

Falcon Exposure Management has had detections for all supported platforms since the vulnerability was initially disclosed. The vulnerability currently has an ExPRT.AI severity rating of "Critical," with an exploit status of "Actively Used (Critical)" due to confirmed active exploitation in the wild.

To identify vulnerable systems, customers can navigate to the Exposure Management > Vulnerability Management > Vulnerabilities page in the CrowdStrike Falcon platform. From there, they can use the Vulnerability ID filter with a value of "CVE-2025-53770" and/or “CVE-2025-53771.” If any of the managed systems are vulnerable, results will be shown here. If they receive the message "No vulnerabilities found," then all of their managed SharePoint systems have the necessary patches. For any systems found vulnerable, the remediation guidance provided for that system will mention the necessary security updates to apply.

CrowdStrike Falcon Next-Gen SIEM

As the vulnerabilities discussed target the SharePoint server, ingestion of Microsoft IIS server logs provides a comprehensive view into this emerging threat. CrowdStrike Falcon® Next-Gen SIEM customers are encouraged to ingest IIS logs to gain the necessary visibility and detect malicious actions. Further information about ingesting and parsing this data source is available to customers here. The “Microsoft - IIS - Microsoft Sharepoint ToolShell Exploitation CVE-2025-53770” rule template is currently available to customers who wish to detect possible exploitation attempts specific to CVE-2025-53770. This template leverages the following query to identify instances where malicious URLs are being accessed:

#Vendor="microsoft" #event.module="iis" #event.dataset="iis.access" #repo!="xdr*"
| parseUrl(http.request.referrer)
| http.request.method="POST" url.path="/_layouts/15/ToolPane.aspx" url.query="DisplayMode=Edit&a=/ToolPane.aspx" http.request.referrer.path="/_layouts/SignOut.aspx"
| http.response.status_code =~ in(values=[200,302])

Falcon Next-Gen SIEM users may also leverage a hunting query that uses the recently released correlate() capability. This rule, which is also provided below, may be used to identify instances where a SharePoint IIS process results in a PowerShell command being executed, followed by an ASPX file being written. 

correlate(
    cmd: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
          } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
    pwsh: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
          | aid <=> cmd.aid
          | ParentProcessId <=> cmd.TargetProcessId
          } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
    aspx: {
        #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/\.aspx/i
          | aid <=> cmd.aid
          | ContextProcessId <=> pwsh.TargetProcessId
          } include: [aid, ComputerName, TargetFileName],
sequence=true, within=5m)

Conclusion

The SharePoint vulnerability exploitation demonstrates how critical application threats can provide attackers with initial access to organizations. CrowdStrike customers benefit from multiple layers of protection against these attacks.

While we strongly recommend patching SharePoint instances immediately, the Falcon platform provides comprehensive protection through:

• Falcon Insight XDR: Behavioral detection and prevention of exploitation attempts
• Falcon Exposure Management: Visibility into vulnerable SharePoint instances
• Falcon Next-Gen SIEM: Detection rules for Microsoft IIS logs to identify exploitation attempts

CrowdStrike will continue monitoring this threat and update our guidance as new information emerges.