cyber threat intelligence
CVE-2025-53770 - Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server
Understanding the RCE

On July 22, 2025, Immersive's threat research team set out to understand how the SharePoint zero-day was uncovered, starting from Eye Security's initial article. There were many proofs of concept (PoCs) and early write-ups on indicators of attack (IoAs) and their severity, but none covered the exploit itself or explained in depth how it had been weaponized. In this blog, I'll share our research process and how we (eventually!) got to the bottom of this exploit.

The challenges of building a CTI lab

Our initial plan for building this Cyber Threat Intelligence (CTI) lab was straightforward: understand the indicators of compromise (IoCs) and the PoCs shared in the article, replicate the attack with a PoC, and collect some logs. It was easier said than done.

What went wrong?

The PoCs just didn't work, and there was no way for us to tell why. In retrospect this makes sense: the initial articles gave surface-level information rather than details of how the exploit was constructed. We deployed several SharePoint builds to see which were vulnerable. Alas, nothing worked (I'll explain why in more depth later on). Looking at the logs to identify the problem didn't help either, because who looks at logs, right? Some of the initial PoCs were taken down, and the ones that remained were missing a piece of the puzzle. It was also noticeable that many of the "PoCs" pushed to GitHub were not genuine, and some were ransomware binaries!

Dissecting the payload – mistakes and a learning curve

From the brief in the Eye Security article, we knew this was a deserialization problem. After many days of unravelling and building multiple SharePoint servers on different versions, the "Hallelujah" moment finally arrived: a new remote code execution (RCE) module for this exploit was committed to Metasploit's GitHub repository.
It wasn't the code that mattered most to us but the comments in it. Those comments (highlighted in the screenshots in the original post) let us map which deserialization gadget chain works against which SharePoint Server versions. This was important because the exploit abuses insecure .NET deserialization reachable through SharePoint pages such as ToolPane.aspx, and the gadget chain that works depends on the build. That's when it hit us: our initial attempt at the RCE, using the TypeConfuseDelegate gadget with BinaryFormatter, wasn't working because we weren't targeting the versions vulnerable to that gadget chain.

To put this to the test, we built the right version (v16.0.10337.12109) and also decided to analyze the payload from the Metasploit module itself. I know it's cutting corners, but I was very keen to see how it all works together! We downloaded the earliest commit of the exploit module from GitHub, added it to our existing Metasploit framework, and intercepted the request with Burp Suite. That gave us a PoC request we could analyze. Obviously there was no need to reinvent the wheel, since Metasploit already had a functional module, but where's the fun in that?

Dissecting the payload – decoding

The request body is URL-encoded. Once decoded, it contains references to controltemplates/ACLEditor and an Excel DataSet control (DataSet gadgets are commonly used in .NET deserialization exploits) carrying a Base64-encoded, compressed data table. The next step was to extract and Base64-decode that compressed data table. The decoded and decompressed content is the raw XML schema and DiffGram that the DataSetWrapper emits, and embedded inside it is the first-stage gadget, Base64-encoded as an XSD string. Remember when I said our PoCs weren't working? It's because we hadn't embedded our Base64-encoded payload in that raw XML schema and DiffGram.
Decoding that Base64-encoded XSD string gives you the inner payload, which matched the one generated by Metasploit.

Weaponizing our PoC to emulate the IoCs

With all the juicy information to hand, it was time to recreate this and see how threat actors in the wild did it. Bear in mind that the IoCs from the research article showed the attackers weren't popping shells from the RCE; they were stealthily leaking cryptographic secrets from SharePoint servers and chaining those keys to craft fully valid, signed payloads with ysoserial. Our PoC, based on the Metasploit module, wraps the initial "inner" ysoserial payload inside the XML and DataSet gadget that SharePoint expects, then serializes, compresses, and Base64-encodes it. The payload we built closely resembles what was seen in the wild, which dropped a file named spinstall0.aspx that leaks cryptographic secrets. That Base64 payload was embedded into the XML and DataSet gadget using our PoC, and all that remained was to send the request via Burp.

Process Explorer on our SharePoint test environment showed the same chain as the published IoCs: w3wp.exe spawns cmd.exe, and a PowerShell process is then spawned from that cmd.exe child. If it succeeded, you can browse to https://X.X.X.X/_layouts/15/spinstall0.aspx to view the SharePoint MachineKey configuration, including the ValidationKey. Finally, our ELK logs show the exploit's PowerShell payload using Set-Content to write an ASPX backdoor (spinstall0.aspx) into SharePoint's _layouts directory.

One practical consequence for defenders: because the goal of the in-the-wild payload is the MachineKey, a server patched after its keys were leaked can still be handed validly signed payloads until the ASP.NET machine keys are rotated, so key rotation belongs in the remediation plan alongside the patch.

In summary

Looking back at this exploit, it's interesting from an offensive perspective to see how advanced persistent threat actors find creative ways to compromise organizational infrastructure.
In the meantime, I can only send prayers to the SOC analysts and sysadmins fixing SharePoint, because let's be honest: SharePoint is a cave nobody comes out of alive! For more information and finer details on how the exploit works, I'll leave this fantastic article here: Viettel Cyber Security: SharePoint ToolShell – One Request PreAuth RCE Chain

New CTI Labs: CVE-2025-53770 (ToolShell SharePoint RCE): Offensive and Defensive
Recently, a critical zero-day vulnerability affecting on-premises SharePoint servers, identified as CVE-2025-53770, was uncovered. It allows an authentication bypass leading to remote code execution, and it has been actively exploited in the wild. Eye Security researchers detected an in-the-wild exploit chain on July 18, 2025, during an incident response engagement. This discovery led to Microsoft assigning two CVEs: CVE-2025-53770 and CVE-2025-53771. The attack chained multiple vulnerabilities to achieve its objectives and impacted numerous SharePoint servers globally. A public exploit is now available to anyone wanting to achieve remote code execution.

Why should our customers care?

This critical vulnerability has been added to the CISA KEV catalog. With no authentication or user interaction required, a vulnerable SharePoint server can be fully taken over remotely, letting attackers run arbitrary code on it in the context of the SharePoint worker process. SharePoint is a large, complex system that often holds a lot of sensitive data for organizations, and it is frequently targeted by attackers.

Who is the defensive lab for?
System Administrators
SOC Analysts
Incident Responders
Threat Hunters

Who is the offensive lab for?
Red Teamers
Penetration Testers
Threat Hunters

Here are the links to the labs:
Offensive: https://immersivelabs.online/v2/labs/cve-2025-53770-toolshell-sharepoint-rce-offensive
Defensive: https://immersivelabs.online/v2/labs/cve-2025-53770-toolshell-sharepoint-rce-defensive

New CTI Lab: CVE-2025-32463 (Sudo Chroot Elevation of Privilege): Offensive
On June 30, 2025, the Stratascale Cyber Research Unit (CRU) team disclosed a critical local privilege escalation vulnerability in sudo, tracked as CVE-2025-32463. The flaw is in sudo's chroot option (-R / --chroot) and allows a local user to escalate privileges to root on an affected system.

Why should our customers care?

This critical vulnerability is reasonably trivial to exploit: should an attacker gain user-level access to a vulnerable machine, they can elevate their privileges and take full control of it. It has also come to our attention that not many people are aware that sudo is versioned software. It is a binary that is constantly iterated upon, which naturally can introduce new vulnerabilities. If administrators and security analysts are not aware of how these vulnerabilities work, that can lead to significant risk and impact.

Who is it for?
Red Teamers
Penetration Testers
System Administrators

Here is a link to the lab: https://iml.immersivelabs.online/labs/cve-2025-32463-sudo-chroot-elevation-of-privilege-offensive

New CTI/OT Lab: Norwegian Dam Compromise: Campaign Analysis
We have received reports of a cyber incident that occurred at the Lake Risevatnet Dam, near Svelgen, Norway, in April 2025. A threat actor gained unauthorized access to a web-accessible Human-Machine Interface (HMI) and fully opened a water valve at the facility. This resulted in a discharge 497 liters per second above the mandated minimum water flow, which persisted for four hours before it was detected.

This attack highlights a dangerous reality: critical OT systems are increasingly exposed to the internet, making them accessible to threat actors. In this case, control of a dam's valve system was obtained via an insecure web interface, a scenario that could have had even more severe consequences. A recent report by Censys identified over 400 exposed web-based interfaces across U.S. water utilities alone. This dam incident in Norway exemplifies the tangible risk posed by such exposures. In this lab, you will be taken through the attack from an offensive viewpoint, including cracking an HMI and fully opening two valves.

Why should our customers care?

OT environments, including dams, energy grids, and oil pipelines, are foundational to national security and daily life. These systems cannot be secured using traditional IT playbooks. As OT becomes more connected, tailored security strategies are critical to prevent unauthorized access and catastrophic failures.

Who is it for?
Incident Responders
SOC Analysts
Threat Hunters
Red Teamers
Penetration Testers
OT Engineers

Here is the link to the lab: https://immersivelabs.online/v2/labs/norwegian-dam-compromise-campaign-analysis

New CTI Lab: CVE-2025-33073 (SMB Elevation of Privilege): Defensive
Another vulnerability was patched in Microsoft's June 2025 Patch Tuesday release! An important elevation of privilege vulnerability was listed; if exploited successfully, attackers can elevate their privileges on the compromised machine. Even though it is not recorded as having been exploited in the wild yet, the fact that published research details how the vulnerability was found raises the chances that an attacker will attempt to use it against a victim. In these labs, you will be taken through the vulnerability from both an offensive and a defensive perspective.

Why should our customers care?

This is a newly patched vulnerability with in-depth public research about it. Successful exploitation allows attackers to elevate their privileges and achieve command execution on a victim machine. Learn what indicators this exploit leaves behind, but also learn how to execute it and take advantage of the flaw yourself!

Who is it for?
Incident Responders
SOC Analysts
Threat Hunters
Red Teamers
Penetration Testers

Here are the links to the labs:
Defensive: https://immersivelabs.com/v2/labs/cve-2025-33073-smb-elevation-of-privilege-defensive
Offensive: https://immersivelabs.com/v2/labs/cve-2025-33073-smb-elevation-of-privilege-offensive

Container 7 Release

We have released a threat detection for this vulnerability, helping the community protect against any potential use of it: https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33073-smb-exploit.yml

New CTI Lab: Stealth Falcon (CVE-2025-33053) – WebDAV Server Remote Code Execution
Yesterday, in Microsoft's Patch Tuesday, a zero-day vulnerability was patched that has been exploited in the wild! This zero-day was used by the cyber-espionage group Stealth Falcon and was reported by Check Point. After a successful phishing attempt, the user executes a .url file that exploits the vulnerability to reach a WebDAV server owned by the attackers, which hosts a particular binary. The vulnerability exists because Windows looks for the binary via the WebDAV location before searching for the legitimate copy on the local PC, so the attackers' binary is the one that runs and they achieve remote code execution. We are releasing a lab on hunting for the execution of this vulnerability to help teams create effective threat detections.

Why should our customers care?

This is a new vulnerability that has just been patched and has already been used successfully as part of a threat group's attack chain. It is therefore worth seeing what indicators of compromise this type of vulnerability leaves behind once exploited.

Who is it for?
Incident Responders
SOC Analysts
CTI Analysts
Threat Hunters

Here is the link to the lab: https://immersivelabs.online/labs/stealth-falcon-cve-2025-33053-webdav-server-exploitation

As part of the Container 7 team, we have also released threat detections that cover both binaries used in the campaigns that exploited CVE-2025-33053. You can find them here:
https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-iediagcmd-exploit.yml
https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-CustomShellHost-exploit.yml

Urgent Security Alert: Critical Flaw in CrushFTP Puts Your Data at Risk (CVE-2025-31161)
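For teams that cannot load Sigma rules directly, here is an added example (not the Container 7 rules linked above, and not code from this post) of the same hunt written over process-creation events. The events are constructed, Sysmon Event ID 1-style records with made-up hosts and paths. It looks for the two observable sides of the search-order abuse described above: a process whose image lives on a WebDAV UNC path (the attackers' binary was the one that got resolved and run), and a process whose current directory is a WebDAV path (the launcher stage that points a legitimate tool at the share). Treating iediagcmd.exe and CustomShellHost.exe, the two binaries named in the rule filenames above, as higher-confidence launchers is an assumption.

```python
"""Hunt constructed process-creation events for WebDAV search-order abuse
(added example; field names follow Sysmon Event ID 1)."""
import re

# \\host@80\share, \\host@SSL@443\share, or the DavWWWRoot redirector path.
WEBDAV_PATH = re.compile(r"^\\\\[^\\]+@(?:ssl@)?\d+\\|\\davwwwroot\\", re.IGNORECASE)
# Launchers named in the Sigma rule filenames on this page (assumption).
KNOWN_LAUNCHERS = {"iediagcmd.exe", "customshellhost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_webdav_path(path: str) -> bool:
    return bool(path) and WEBDAV_PATH.search(path) is not None


def evaluate(event: dict):
    """Return a finding dict for one process-creation event, or None."""
    image = event.get("Image", "")
    cwd = event.get("CurrentDirectory", "")
    parent = basename(event.get("ParentImage", ""))
    if is_webdav_path(image):
        # The binary that ran came off the attacker-controlled share.
        return {"severity": "high", "rule": "image_on_webdav",
                "image": image, "parent": parent}
    if is_webdav_path(cwd):
        # Working directory on a share: the launcher stage. Higher confidence
        # when the tool itself, or its parent, is a known launcher.
        launcher = basename(image) in KNOWN_LAUNCHERS or parent in KNOWN_LAUNCHERS
        return {"severity": "high" if launcher else "medium",
                "rule": "cwd_on_webdav", "image": image, "cwd": cwd}
    return None


def hunt(events):
    """Evaluate every event and keep the findings, in event order."""
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample: a launcher with its cwd on the share, the helper that
# got resolved from the share, a benign local run, and a document opened
# from a corporate WebDAV share (noise you will want to triage, not alert on).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\iediagcmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"\\203.0.113.10@80\share", "CommandLine": "iediagcmd.exe"},
    {"Image": r"\\203.0.113.10@80\share\route.exe",
     "ParentImage": r"C:\Windows\System32\iediagcmd.exe",
     "CurrentDirectory": r"\\203.0.113.10@80\share", "CommandLine": "route print"},
    {"Image": r"C:\Windows\System32\route.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice", "CommandLine": "route print"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"\\files.example.net@SSL@443\DavWWWRoot\docs",
     "CommandLine": "editor.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["rule"], finding["image"])
```

The medium-severity hit on the last sample event is deliberate: legitimate WebDAV shares exist, so the current-directory signal alone is a triage queue, while an image path on a WebDAV UNC is the signal worth paging on.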
What is CVE-2025-31161?

CrushFTP is widely used by businesses to transfer files securely. CVE-2025-31161 is a critical flaw that affects CrushFTP versions 10 (up to 10.8.3) and 11 (up to 11.3.0). The flaw is an authentication bypass, meaning attackers can skip the login process altogether. It is easy to exploit remotely, requires no special access or user interaction, and can lead to the complete loss of data confidentiality, integrity, and system availability. It has a severity rating of 9.8 ("Critical") in the Common Vulnerability Scoring System (CVSS). Initial confusion caused this vulnerability to be briefly identified as CVE-2025-2825, but the official and correct designation is CVE-2025-31161.

How does this attack work?

The problem lies in how CrushFTP handles certain security checks for incoming web requests. Essentially, there is a small window during the login process where an attacker can trick the system. Here is a quick explanation of how it works.

A flaw in the security check: CrushFTP has a specific part of its code that checks for secure login information. There is a subtle error where an internal setting is accidentally set to "true" by default.

Bypassing the password: If the username in the attacker's fake login information doesn't contain a specific character (the tilde, "~"), this "true" setting tells the system to skip the password check entirely. This means an attacker can log in as a legitimate user without knowing their password.

Crafting a malicious request: Attackers send a custom web request to the CrushFTP server that includes fake security information and a specific cookie. By combining these elements, the attacker can trigger the vulnerability and gain unauthorized administrative access.

Is your software vulnerable?

10.0.0 through 10.8.3: YES, vulnerable. Update immediately.
11.0.0 through 11.3.0: YES, vulnerable. Update immediately.
10.8.4 or higher: NO (it's patched!). Verify your version.
11.3.1 or higher: NO (it's patched!). Verify your version.

Evidence of active exploitation

Active exploitation was reported shortly after the patches were released, with security firms observing widespread attacks as early as March 30-31, 2025. Initially, over 1,500 vulnerable CrushFTP instances were exposed online, with significant numbers in the United States. In the following weeks, hundreds of organizations remained unpatched.

Upon successful entry, attackers often establish persistent access by creating new administrator accounts or deploying Remote Monitoring and Management (RMM) tools such as MeshAgent, MeshCentral, and AnyDesk. Attackers have also deployed Telegram bot binaries to steal system information and sensitive data. The "Kill Security" (or "Kill") ransomware group has publicly claimed responsibility for some early exploitation, announcing that it obtained "significant volumes of sensitive data" and intends to extort victims. This highlights a trend in which Managed File Transfer (MFT) solutions are increasingly targeted by ransomware and data extortion groups for their high-value data.

The impact of a successful attack

A successful exploit grants attackers unauthenticated administrative access, which has severe consequences:
Full system compromise: Attackers can gain complete control over the CrushFTP application and the server it runs on.
Data exfiltration: They can access and steal any sensitive data stored on the platform or accessible through it.
Data integrity and ransomware: Attackers can modify, delete, or encrypt files, potentially deploying ransomware to disrupt operations and demand payment.
Legal and regulatory implications: Organizations may face significant fines, reputational damage, and legal liability if personal data is compromised, with strict notification deadlines (e.g. 72 hours under GDPR).
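Two posts on this page come down to the same question, "is my build inside the affected range?": the sudo chroot post above (CVE-2025-32463) and the CrushFTP version table in this one. Here is an added example (not code from either post) that answers it for both. The CrushFTP ranges are the ones in the table above. The sudo range (1.9.14 through 1.9.17 affected, fixed in 1.9.17p1) is taken from the upstream sudo advisory and is not stated on this page. One caveat for both: distributions and vendors sometimes backport fixes without bumping the version number, so "vulnerable" from the number alone is a prompt to check the package changelog, not a verdict.

```python
"""Classify a sudo or CrushFTP version against the affected ranges on this
page (added example). Ranges: CrushFTP from the table above; sudo from the
upstream advisory (assumption, not stated on the page)."""
import re
import subprocess

# major.minor[.patch][pN]; the pN suffix is sudo's point-release convention.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

# Inclusive (first affected, last affected) per product, as 4-tuples.
AFFECTED = {
    "sudo": [((1, 9, 14, 0), (1, 9, 17, 0))],
    "crushftp": [((10, 0, 0, 0), (10, 8, 3, 0)), ((11, 0, 0, 0), (11, 3, 0, 0))],
}


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, p) from a bare version string or from the
    first line of `sudo --version` ("Sudo version 1.9.17p1")."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def status(product: str, text: str) -> str:
    """'vulnerable' inside an affected range; 'patched' above a range on the
    same major line (or above every range); 'unaffected' otherwise."""
    v = parse_version(text)
    ranges = AFFECTED[product]
    if any(lo <= v <= hi for lo, hi in ranges):
        return "vulnerable"
    if any(v > hi and v[0] == hi[0] for _, hi in ranges):
        return "patched"  # e.g. 10.8.4 or 11.3.1 for CrushFTP, 1.9.17p1 for sudo
    if v > max(hi for _, hi in ranges):
        return "patched"  # a newer major line than any affected range
    return "unaffected"  # older than the first affected build


def local_sudo_status():
    """Classify the sudo on this host; None if sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return status("sudo", out.splitlines()[0]) if out else None


if __name__ == "__main__":
    # Constructed inputs, one per outcome.
    for product, text in [("sudo", "Sudo version 1.9.17"), ("sudo", "Sudo version 1.9.17p1"),
                          ("sudo", "1.8.32"), ("crushftp", "10.8.3"), ("crushftp", "11.3.1")]:
        print(product, text, "->", status(product, text))
    print("this host's sudo ->", local_sudo_status())
```

Note that the sudo check keys on the `pN` suffix: 1.9.17 is affected and 1.9.17p1 is the fix, so a comparison that drops the suffix would call the patched build vulnerable.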
How to protect your organization

Because the bypass needs no user interaction, protection rests on patching, hardening, and monitoring rather than on user vigilance. It's essential to take the following steps to protect your organization.

Apply updates immediately
UPDATE NOW: Immediately update all CrushFTP installations to version 10.8.4 or later, or 11.3.1 or later. Only obtain updates from the official CrushFTP website.
Deploy patches: CrushFTP doesn't have automatic updates, so enterprises need proactive, centralized patching.
Verify updates: Ensure updates are successfully applied across your environment.

Be proactive with security measures and hardening
Enforce strong passwords: Mandate strong, unique passwords for all CrushFTP accounts, especially administrators.
Monitor logs comprehensively: Actively monitor CrushFTP server logs (especially \logs\session_logs) for suspicious activity, like new accounts, unusual access, or RMM tool deployments.
Layer your security: Employ strong email and web filtering, advanced endpoint detection and response (EDR), and network segmentation.
Restrict network access: Limit CrushFTP access to trusted clients and IP ranges.

Assess and remediate compromise
Applying the patch alone will not remove access gained by attackers who exploited the vulnerability before the update. Given that active exploitation has been confirmed, you should assume potential prior compromise and take the following steps:
Assess for unauthorized access: If you were running a vulnerable version, conduct a thorough assessment immediately for signs of compromise going back to at least March 30, 2025.
Conduct forensic analysis: Examine server logs for new user accounts, modified user properties, or deployed RMM tools and malware.
Remediate existing compromises: Remove unauthorized accounts, change all legitimate CrushFTP passwords, and remove any deployed malware.
If necessary, restore systems from clean, verified backups.
Address legal obligations: If a data breach is confirmed, promptly fulfil data protection (e.g. GDPR) and industry-specific regulatory obligations, including any required notifications.

This vulnerability highlights the need to continuously monitor systems, stay informed about threats, and adopt a layered security approach to protect critical infrastructure.

Conclusion

The critical CrushFTP vulnerability puts a spotlight on the fast-paced world of cyber threats. In addition to patching and implementing security processes, it's vital to run organizational exercises. Regularly practicing incident response through drills and simulations helps your team reinforce existing policies and processes. This preparation allows them to respond effectively when similar vulnerabilities emerge, reducing potential harm and protecting sensitive data.

Share your thoughts

Has your business been affected by the CVE-2025-31161 flaw or something similar? How do you stay up to date with the latest cyber threats and keep your team alert to risks? Let us know in the comments below.

New CTI Labs: BadSuccessor: Offensive and Defensive
Two days ago, Akamai released a technical research blog post detailing a privilege escalation vulnerability in Windows Server 2025. It abuses delegated Managed Service Accounts (dMSAs), and with the right base permissions it could allow a user to gain domain admin rights or even dump the NTLM hashes of every user in the domain. There is no patch available, and this would be considered a public zero-day.

Why are these labs important?

Many organisations use a Windows domain to manage their users and accounts. This newly announced zero-day has no patch and no known detections in SIEMs. Together, these labs will allow organisations to identify weak configurations vulnerable to exploitation and to threat hunt in a SIEM for signs of exploitation.

Who is it for?
Incident Responders
SOC Analysts
CTI Analysts
Threat Hunters
Pentesters / Red Teams

Here are the links to the labs:
BadSuccessor – Offensive
BadSuccessor – Defensive

New CTI Lab: Sandworm Campaign: ZEROLOT Wiper
ESET released a new APT threat report today, and among the information was a new wiper used to attack critical national infrastructure. Beyond that report, however, this malware has barely been covered: it has been successfully deployed against many organizations, but no detailed analysis has been released. We are therefore releasing a SIEM analysis to help our customers create threat detections for this destructive malware.

The threat actor in question is Sandworm Team, a state-sponsored APT group active since at least 2009. Known for highly destructive cyber campaigns, the group has targeted critical infrastructure. In this lab, you'll be exposed to one of Sandworm's latest campaigns, in which remote management tools are used to facilitate deployment of a new wiper, ZEROLOT.

Why is this lab important?

Many of our customers have asked for an analysis of wiper malware, and the destructive nature of this malware worries organizations around the world. This new strain, which has been deployed successfully numerous times since December 2024, needs effective threat detection to ensure security teams are prepared for it.

Who is it for?
Incident Responders
SOC Analysts
CTI Analysts
Threat Hunters

Here is the link to the analysis lab: Sandworm Campaign: ZEROLOT Wiper

New CTI Labs: Threat Actors Akira and DragonForce
These labs highlight the background and TTPs of Akira, a highly prolific threat actor with indiscriminate targeting, and DragonForce, a ransomware actor recently in the news in connection with the attacks on M&S, Co-op, and Harrods.

Why are these labs important?

Akira is one of the most prolific threat actors and does not discriminate in its targeting. It often targets medium to large enterprises worldwide, with a strong focus on North America and Europe, including the UK. No one is exempt from Akira's targeting in future, so knowing its TTPs and how to prepare for attacks from threat actors like it is paramount to keeping your organization safe. Throughout late April 2025, DragonForce has been all over the news since it claimed responsibility for involvement in the attacks against Marks and Spencer, Co-op, and Harrods in the UK. The information in the labs reflects DragonForce's latest known TTPs and helps customers stay one step ahead of actors like DragonForce.

Who are these labs for?

These labs deliver the latest information on threat actors and their TTPs. The personas who would benefit most are:
Cyber Threat Intelligence Analysts
SOC Analysts
Incident Responders
Threat Hunters

Here are the links to the labs:
Threat Actors: Akira
Ransomware Groups: DragonForce