Microsoft SharePoint Emergency RCE Patches

Microsoft has released Out of band security patches to fix two actively exploited SharePoint Remote code execution (RCE) zero-days. These zero days are CVE-2025-53770 and CVE-2025-53771 which are being called “ToolShell”. Attackers are using these vulnerabilities to gain full control of vulnerable SharePoint servers.

• Unauthenticated RCE: Successful exploitation lets a remote attacker run arbitrary code in the SharePoint farms context.
• Active Attacks in the Wild: ToolShell campaigns are underway now. Waiting to patch increases risk.
• Incomplete Previous Fixes: July Patch Tuesday updates (July 8th) did not address these new bypasses.

• SharePoint Server 2019 – Install KB5002754
• SharePoint Subscription Edition – Install KB5002768
• SharePoint Enterprise Server – Patch pending, prepare to deploy as soon as Microsoft releases.
• After patching, rotate your SharePoint machine keys to invalidate any tokens an attacker may have forged:
  • PowerShell: Update-SPMachineKey
  • Central Administration: Monitoring -> Review job definitions -> machine key rotation job -> Run now, then iisreset on all web front ends.

• Search for the file spinstall0.aspx in C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
• Review IIS logs for suspicious POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with referrer /_layouts/SignOut.aspx
• Use Microsoft 365 Defender to query recent creation of spinstall0.aspx

• Patching Support: The VMaaS team is standing by to schedule or assist with emergency deployment of the above patches.
• Threat Hunting: We’re updating detection content today and will be performing targeted hunts for ToolShell artefacts.

Take Action Today 

Ignoring these threats could leave your business vulnerable to a serious security incident. If you want to learn more about how GoSecure can help protect your organization, contact us today for a security consultation. 

Learn More About GoSecure Titan® MXDR