We would like to inform you about the following two critical vulnerabilities affecting SharePoint Server (2016, 2019 and Subscription Edition). Chained together they enable the so-called “ToolShell” attack, which gives unauthenticated attackers full access to SharePoint content, including the file system and internal configuration, and lets them execute code over the network. If your organization uses only SharePoint Online (or another cloud-based hosting provider), there is nothing to do.


The ToolShell exploit used in the attack gives attackers full access to the SharePoint server, including the file system, site configurations and the critical ValidationKey and DecryptionKey machine keys. The attack targets the vulnerable SharePoint endpoint /_layouts/15/ToolPane.aspx.

CVE numbers:

Affected versions:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

Microsoft has released security updates, which are available at the following link: Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center


Recommended steps:

If the Subscription Edition, 2019 or 2016 version is in use, it is recommended to install the latest security update immediately.

To mitigate potential attacks it is recommended to:

  1. Install the latest security update (July 2025 Security Update).
  2. Enable Antimalware Scan Interface (AMSI) integration. Where HTTP request body scanning is in use, it is recommended to run it in Full Mode. If AMSI cannot be enabled, it is recommended to disable connections from the Internet until the security update is available.
  3. Deploy Defender Antivirus / Defender for Endpoint on the SharePoint servers.
  4. Rotate the SharePoint Server ASP.NET machine keys:
    • using PowerShell, or
    • manually from the admin center: Monitoring -> Review job definitions, then click the Run Now button under Machine Key Rotation Job.
  5. After the rotation, restart IIS.

If enabling AMSI is not an option, key rotation is still required after the security update.


Defender-based detection and alerting options:

Microsoft Defender Antivirus can identify attack-related components and attack vectors with the following detection identifiers:

Microsoft Defender for Endpoint raises alerts on exploitation attempts; in the Security Portal they appear under the following alert titles:

  • Possible web shell installation
  • Possible exploitation of SharePoint server vulnerabilities
  • Suspicious IIS worker process behavior
  • IIS worker process loaded suspicious .NET assembly
  • ‘SuspSignoutReq’ malware was blocked on a SharePoint server
  • ‘HijackSharePointServer’ malware was blocked on a SharePoint server

Advanced Hunting queries:

Query for servers where the vulnerabilities can be exploited:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49706", "CVE-2025-53770")

Successful vulnerability exploitation based on file creation (for Defender for Endpoint):

Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770:

DeviceFileEvents
| where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
| where FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

Process based detection:

Look for process creations where w3wp.exe spawns encoded PowerShell that references the spinstall0 file or the file paths it has been known to be written to:

DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
// -EncodedCommand carries base64 of UTF-16LE text, so drop the NUL bytes between characters after decoding
| extend B64Decode = replace_regex(base64_decodestring(tostring(CommandArguments)), @"\x00", "")
| where B64Decode has_any ("spinstall0", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
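As an added example (not part of the original advisory or of Microsoft's guidance), the process-based hunting logic above ported to Python and run over constructed DeviceProcessEvents-style rows; it shows why the query strips NUL bytes, since PowerShell's -EncodedCommand is base64 of UTF-16LE text. The spinstall0 indicator and the 8.3 short paths come from the query; the sample rows and the helper names are constructed for this example.

```python
import base64
import re

# Indicators from the hunting query: 8.3 short paths of the two LAYOUTS folders.
LAYOUTS_PATHS = (
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{15,}$")  # same regex as the query

def encode_command(text):
    """Build a -EncodedCommand value as PowerShell expects it: base64 of UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(token):
    """Base64-decode and strip the NULs UTF-16LE puts between ASCII chars; None if invalid."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("latin-1").replace("\x00", "")

def is_suspicious(parent, parent_cmdline, child, child_cmdline):
    """Port of the w3wp.exe -> cmd.exe -> encoded PowerShell logic. Arguments map to
    InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine."""
    cmd = child_cmdline.lower()
    if ("w3wp.exe" not in parent.lower()
            or "defaultapppool" in parent_cmdline.lower()
            or child.lower() != "cmd.exe"
            or "cmd.exe" not in cmd or "powershell" not in cmd
            or not ("encodedcommand" in cmd or "-ec" in cmd)):
        return False
    for arg in child_cmdline.split(" "):  # substring checks stand in for KQL has/has_any
        decoded = decode_encoded_command(arg) if B64_TOKEN.match(arg) else None
        if decoded and ("spinstall0" in decoded.lower()
                        or any(p.lower() in decoded.lower() for p in LAYOUTS_PATHS)):
            return True
    return False

def sample_events():
    """Constructed rows: the first references the spinstall0 drop path and must alert,
    the second is a benign health check from the same app pool and must not."""
    hit = encode_command(r"Get-Item " + LAYOUTS_PATHS[1] + r"\spinstall0.aspx")
    benign = encode_command("Get-Service W3SVC")
    pool = 'w3wp.exe -ap "SharePoint - 80"'
    return [
        ("w3wp.exe", pool, "cmd.exe", f"cmd.exe /c powershell -ec {hit}"),
        ("w3wp.exe", pool, "cmd.exe", f"cmd.exe /c powershell -ec {benign}"),
    ]
```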


Source: Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center

Author: Márk Fülöp, Cloud Security Manager