{"id":59016,"date":"2025-07-22T00:00:00","date_gmt":"2025-07-22T00:00:00","guid":{"rendered":"urn:uuid:726e4dbf-4cc8-03bd-c082-cbb7a34aa997"},"modified":"2025-07-22T00:00:00","modified_gmt":"2025-07-22T00:00:00","slug":"proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/","title":{"rendered":"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState abuse.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"exploits &amp; vulnerabilities,research,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2025-07-22\"> <meta property=\"article:tag\" content=\"exploits &amp; vulnerabilities\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/g\/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html\"> <title>Proactive 
Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/g\/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html\"><br \/>\n<meta property=\"og:title\" content=\"Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks\"><br \/>\n<meta property=\"og:description\" content=\"CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState abuse.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/cve-2025-0411-cover.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks\"><br \/>\n<meta name=\"twitter:description\" content=\"CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState 
abuse.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/cve-2025-0411-cover.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.953552225146\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1398926652\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10\">\n<div class=\"article-details\" role=\"heading\" readability=\"40\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState abuse.<\/p>\n<p class=\"article-details__author-by\">By: Trend Micro Research <time class=\"article-details__date\">July 22, 2025<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"49.044297520661\">\n<div readability=\"45.197685950413\">\n<p><span class=\"body-subhead-title\">Key takeaways<\/span><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">CVE-2025-53770 and CVE-2025-53771 are vulnerabilities affecting on-premise Microsoft SharePoint Servers, which enables an attacker to upload malicious files and extract cryptographic secrets.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">These vulnerabilities are evolutions of previously patched flaws (CVE-2025-49704 and CVE-2025-49706), for which initial vendor-provided remediation was incomplete, enabling attackers to achieve unauthenticated RCE attacks through advanced deserialization techniques and ViewState abuse.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">We have observed exploit attempts across a wide range of industries, including finance, education, energy, and healthcare.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Microsoft has released security updates for SharePoint Subscription Edition and Server 2019, while a patch for Server 2016 is pending. Trend Micro\u2122 TippingPoint\u2122 customers have been protected from these attacks since May 2025.<\/span><\/li>\n<\/ul>\n<p>CVE-2025-53770 and CVE-2025-53771 are a pair of vulnerabilities affecting Microsoft SharePoint Servers. 
Attacks exploiting CVE-2025-53770 in the wild were first reported by&nbsp;<a href=\"https:\/\/research.eye.security\/sharepoint-under-siege\/\">Eye Security<\/a>&nbsp;on July 18; these vulnerabilities are currently being actively exploited to compromise on-premises SharePoint environments worldwide. Trend\u2122 Research has independently verified these findings.<b><\/b><\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-49706\">Both of these flaws build on<b>&nbsp;<\/b>CVE-2025-49706<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-49704\">CVE-2025-49704<\/a>, the initial vulnerabilities in Microsoft SharePoint that were disclosed during Pwn2Own Berlin 2025 by Viettel Cyber Security as part of a chained attack. These were patched as part of the&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/releaseNote\/2025-Jul\">July 2025 Patch Tuesday cycle<\/a>. However, further analysis revealed that the initial patches were not fully complete, which necessitated the release of CVE-2025-53770 and CVE-2025-53771.<\/p>\n<p>Microsoft acknowledged these issues in a&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\">security bulletin<\/a>&nbsp;first published on July 19, when patches were made available for SharePoint Subscription Edition and 2019. Meanwhile, a patch for SharePoint 2016 is forthcoming as of writing. 
The patch for CVE-2025-53770 provides a more comprehensive fix for CVE-2025-49704, while CVE-2025-53771 does the same for CVE-2025-49706.<\/p>\n<p>TippingPoint customers have been protected against these related vulnerabilities since May, as part of the discoveries made at Pwn2Own Berlin.&nbsp;These discoveries became CVE-2025-49704 and CVE-2025-49706 when coordinated disclosure was done with Microsoft.<\/p>\n<p>Attackers exploiting CVE-2025-53770 in on-premise SharePoint servers target the&nbsp;<i>\/layouts\/15\/ToolPane.aspx<\/i>&nbsp;endpoint with a specially crafted HTTP request whose&nbsp;<i>Referer<\/i>&nbsp;header is set to&nbsp;\/_layouts\/SignOut.aspx to circumvent authentication mechanisms, which results in the uploading of a malicious&nbsp;<i>.aspx<\/i>&nbsp;file. The weaponized file, named&nbsp;<i>spinstall0.aspx<\/i>, extracts cryptographic secrets from the SharePoint instance.<\/p>\n<p>Upon extracting these secrets, the threat actors generate valid and signed&nbsp;<i>__VIEWSTATE<\/i>&nbsp;payloads, which enable unauthenticated RCE attacks. This exploitation chain makes use of multiple vulnerabilities, including CVE-2025-49706 and CVE-2025-49704.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"718114\" data-modal-title=\"Figure 1. Web shell is designed to harvest cryptographic keys including ValidationKey and DecryptionKey from a system's machineKey settings\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/figure1.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/figure1.png\" alt=\"Figure 1. 
Web shell is designed to harvest cryptographic keys including ValidationKey and DecryptionKey from a system's machineKey settings\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Web shell is designed to harvest cryptographic keys including ValidationKey and DecryptionKey from a system&#8217;s machineKey settings<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"48.5\">\n<div readability=\"42\">\n<p>The observed attack progresses through the following stages:<\/p>\n<p><b><span class=\"body-subhead-title\"><\/span><\/b>Attackers exploit the <i>\/layouts\/15\/ToolPane.aspx<\/i> endpoint using a carefully crafted HTTP request and a specific Referer header value of \/_layouts\/SignOut.aspx to bypass authentication controls.<\/p>\n<p><span class=\"body-subhead-title\"><\/span>A malicious ASPX file (<i>spinstall0.aspx<\/i>) is uploaded to the server. The file is intended to extract sensitive cryptographic secrets from the SharePoint environment.<\/p>\n<p><span class=\"body-subhead-title\"><\/span>The malicious <i>spinstall0.aspx<\/i> extracts the server\u2019s MachineKey configuration, which includes the <i>ValidationKey<\/i>, which is critical for generating valid <i>__VIEWSTATE<\/i> payloads.<\/p>\n<p><span class=\"body-subhead-title\"><\/span>Using the stolen cryptographic secrets, the attackers employ tools such as ysoserial to generate valid serialized <i>__VIEWSTATE<\/i> objects, which are then deserialized by SharePoint, enabling unauthenticated remote code execution.<\/p>\n<p>Note that the file <i>spinstall0.aspx<\/i> has been observed at the following path:<\/p>\n<p><span class=\"blockquote\">C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0[.]aspx.<\/span><\/p>\n<p>The malicious ASPX files employ reflective code loading through the <i>System.Reflection.Assembly.Load() C# method<\/i> (T1620) to expose machineKey 
settings from <i>web.config<\/i>. Although these files do not directly execute additional code, they leak keys used for authentication and ViewState security, significantly increasing the risks of token forgery and data tampering.<\/p>\n<p>The Scorecard:ExcelDataSet control in SharePoint can embed a base64-encoded CompressedDataTable payload within a malicious ViewState object\u2014often crafted using tools like <b>ysoserial<\/b>\u2014leading to remote code execution via deserialization.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"7a695e\" data-modal-title=\"Figure 2. Malicious POST request used to bypass SharePoint authentication \" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/figure2.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/figure2.png\" alt=\"Figure 2. Malicious POST request used to bypass SharePoint authentication\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Malicious POST request used to bypass SharePoint authentication<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>The decoded ViewState payloads reference system objects and may execute PowerShell commands. For example, a PowerShell script can be used to decode a base64 string and write its contents to <i>spinstall0.aspx<\/i> in the SharePoint LAYOUTS directory.<\/p>\n<p>The web shell scripts, written in C#, use internal .NET classes to access SharePoint\u2019s <i>MachineKeySection<\/i>. 
This facilitates the extraction of critical cryptographic configuration values, including <i>ValidationKey<\/i>, <i>DecryptionKey<\/i>, <i>Decryption<\/i>, and <i>CompatibilityMode<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"1ba57c\" data-modal-title=\"Figure 3. C# web shell script accessing .NET MachineKeySection to extract SharePoint cryptographic keys\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/figure3.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/figure3.png\" alt=\"Figure 3. C# web shell script accessing .NET MachineKeySection to extract SharePoint cryptographic keys\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. C# web shell script accessing .NET MachineKeySection to extract SharePoint cryptographic keys<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>Currently, we have observed exploitation attempts across multiple regions, including Asia, Europe, and the United States. 
A wide range of industries have also been targeted, notably finance, education, energy, and healthcare.<br \/><b><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"7\">\n<tr readability=\"6\">\n<td height=\"25\" width=\"136\">Initial Access (TA0001)<\/td>\n<td width=\"136\">Credential Access (TA0006)<\/td>\n<td width=\"136\">Command and Control (TA0011)<\/td>\n<td width=\"136\">Reflective Code Loading (T1620)<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td height=\"25\" width=\"136\">Exploit Public-Facing Application (T1190)<\/td>\n<td width=\"136\">OS Credential Dumping (T1003)<\/td>\n<td width=\"136\">Application Layer Protocol: Web (T1071.001)<\/td>\n<td width=\"136\">Server Software Component:&nbsp;Web Shell (T1505.003)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><sup>Table 1. Summary of the MITRE&nbsp;ATT&amp;CK&nbsp;tactics, techniques, and procedures used in attacks that exploit CVE-2025-53770 and CVE-2025-53771<\/sup><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"46.639089968976\">\n<div readability=\"41.975180972079\">\n<p>The active exploitation of CVE-2025-53770 and CVE-2025-53771 illustrates the evolving nature of threat activity targeting on-premise Microsoft SharePoint environments. 
Organizations must proactively apply available patches, enhance monitoring, and ensure layered security controls are in place to effectively defend against these advancing threats.<\/p>\n<p>We strongly recommend applying the latest security updates from Microsoft for on-premise SharePoint servers (note that Office 365 and Online servers are not affected), monitoring for the presence of unauthorized ASPX files in the LAYOUTS directory, auditing configuration files for suspicious changes, and inspecting server logs for anomalous access patterns\u2014particularly those involving the <i>ToolPane.aspx<\/i> endpoint and <i>ViewState<\/i> activity.<\/p>\n<p>TippingPoint customers have benefited from proactive and multi-layered protection against these vulnerabilities since the initial disclosure via the Pwn2Own program in May of 2025. &nbsp;<\/p>\n<p>Specific details on more protection rules and filters for Trend customers are available in the corresponding <a href=\"https:\/\/success.trendmicro.com\/en-US\/solution\/KA-0020403\">knowledge base entry<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">Trend Vision One\u2122 Threat Intelligence<\/span><\/p>\n<p>To stay ahead of evolving threats, Trend customers can access <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\" title=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\">Trend Vision One\u2122 Threat Insights<\/a>, which provides the latest insights from Trend Research on emerging threats and threat actors.&nbsp;<\/p>\n<h2><span class=\"body-subhead-title\">Trend Vision One Threat Insights App<\/span><\/h2>\n<p><b>Emerging Threats:&nbsp;<\/b> <a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html#\/app\/ti\/intelligence_insights?name=CVE-2025-53770%20-%20Microsoft%20SharePoint%20Vulnerability%20Explotation%20In%20The%20Wild\">CVE-2025-53770 &#8211; Microsoft SharePoint Vulnerability Explotation In The Wild<\/a><\/p>\n<p><span 
class=\"body-subhead-title\">Hunting Queries<\/span><\/p>\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\u202f\u202f\u202f\u202f<\/p>\n<p><b>CVE-2025-53770: Dropping of Malicious ASPX file using PowerShell<\/b><\/p>\n<p><span class=\"blockquote\">eventSubId: 901 AND objectRawDataStr: &#8220;TEMPLATE\\LAYOUTS\\spinstall0.aspx&#8221;<\/span><\/p>\n<p>More hunting queries are available for Trend Vision One customers with&nbsp;Threat Insights entitlement enabled.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"30.246575342466\">\n<div readability=\"8.5068493150685\">\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>The IoCs for this blog can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/proactive-security-for-sharepoint-attacks\/IOC-Proactive-Security-and-Insights-for-SharePoint-Attacks-CVE-2025-53770-and-CVE-2025-53771.txt\"><span class=\"bs-modal\">here<\/span><\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/g\/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState abuse. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9555,9509],"class_list":["post-59016","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-22T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and 
CVE-2025-53771)\",\"datePublished\":\"2025-07-22T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/\"},\"wordCount\":1193,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2025-0411-cover:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/\",\"name\":\"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2025-0411-cover:Large?qlt=80\",\"datePublished\":\"2025-07-22T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2025-0411-cover:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2025-0411-cover:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"po
sition\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/","og_locale":"en_US","og_type":"article","og_title":"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-07-22T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)","datePublished":"2025-07-22T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/"},"wordCount":1193,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/","url":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/","name":"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80","datePublished":"2025-07-22T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2025-0411-cover:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/proactive-security-and-insights-for-sharepoint-attacks-cve-2025-53770-and-cve-2025-53771\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59016"}],"version-history":[{"count":1,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59016\/revisions"}],"predecessor-version":[{"id":59017,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59016\/revisions\/59017"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}