Defending Against This Threat

Organizations are strongly encouraged to apply patches that have been released to ensure they are protected. At the time of writing, patches for Microsoft SharePoint Server 2019 Core and Microsoft SharePoint Server Subscription Edition are currently available. Patches for Microsoft SharePoint Enterprise Server 2016 were still being actively tested by Microsoft. 

CrowdStrike Falcon Endpoint Detection and Response

As mentioned in our opening analysis, this attack relies on specially crafted POST requests to exploit the SharePoint zero-day vulnerabilities. CrowdStrike Falcon® Insight XDR endpoint security successfully detected and blocked these attacks through advanced behavioral analysis rather than relying on signature-based detections.

The attack chain exploits SharePoint servers by executing malicious code to extract authentication keys, enabling attackers to send authenticated system-level commands. Falcon Insight XDR’s behavioral engine identified suspicious activity when SharePoint processes began launching command prompts and PowerShell scripts — a clear deviation from normal SharePoint operations.

Our multi-layered approach detected:

  • Abnormal process behavior: Suspicious process chains originating from SharePoint services, including webshells and reconnaissance
  • Network anomalies: Questionable DNS requests that generated alerts in the Falcon console
  • Behavioral correlation: Multiple indicators confirming malicious intent

Threat actors continuously adapt their techniques based on security vendor responses. CrowdStrike’s threat research team proactively enhances our detection capabilities in response. We are deploying additional behavioral detections this week that focus on post-exploitation activities and alternative attack vectors, providing continued coverage as attack methods evolve.

CrowdStrike Falcon Exposure Management

Customers can find CVE-2025-53770 and CVE-2025-53771 with CrowdStrike Falcon® Exposure Management’s vulnerability management capability.

Falcon Exposure Management has had detections for all supported platforms since the vulnerability was initially disclosed. The vulnerability currently has an ExPRT.AI severity rating of “Critical,” with an exploit status of “Actively Used (Critical)” due to confirmed active exploitation in the wild.

To identify vulnerable systems, customers can navigate to the Exposure Management > Vulnerability Management > Vulnerabilities page in the CrowdStrike Falcon platform. From there, they can use the Vulnerability ID filter with a value of “CVE-2025-53770” and/or “CVE-2025-53771.” If any of the managed systems are vulnerable, results will be shown here. If they receive the message “No vulnerabilities found,” then all of their managed SharePoint systems have the necessary patches. For any systems found vulnerable, the remediation guidance provided for that system will mention the necessary security updates to apply.

CrowdStrike Falcon Next-Gen SIEM

As the vulnerabilities discussed target the SharePoint server, ingestion of Microsoft IIS server logs provides a comprehensive view into this emerging threat. CrowdStrike Falcon® Next-Gen SIEM customers are encouraged to ingest IIS logs to gain the necessary visibility and detect malicious actions. Further information about ingesting and parsing this data source is available to customers here. The “Microsoft – IIS – Microsoft Sharepoint ToolShell Exploitation CVE-2025-53770” rule template is currently available to customers who wish to detect possible exploitation attempts specific to CVE-2025-53770. This template leverages the following query to identify instances where malicious URLs are being accessed:

#Vendor="microsoft" #event.module="iis" #event.dataset="iis.access" #repo!="xdr*"
| http.request.method="POST" url.path="/_layouts/15/ToolPane.aspx" url.query="DisplayMode=Edit&a=/ToolPane.aspx" http.request.referrer="/_layouts/SignOut.aspx"
| http.response.status_code =~ in(values=[200,302])
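The same request pattern applied directly to raw IIS W3C log lines, as an added example that is not part of the original post or the Falcon rule template; the log content, the host names and the client addresses are constructed for illustration.

```python
"""Flag IIS access-log lines that match the ToolShell rule template above.
The W3C-format log below is constructed for this example; the Falcon
parser's field names map onto the standard IIS column names used here."""

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 10:01:02 GET /_layouts/15/ToolPane.aspx - 203.0.113.5 - 200
2025-07-19 10:01:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.5 /_layouts/SignOut.aspx 200
2025-07-19 10:01:15 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.5 /_layouts/SignOut.aspx 302
2025-07-19 10:02:00 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.5 /_layouts/SignOut.aspx 401
2025-07-19 10:02:30 POST /_layouts/15/start.aspx - 198.51.100.7 /_layouts/SignOut.aspx 200
"""

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"      # compared case-insensitively
TOOLPANE_QUERY = "DisplayMode=Edit&a=/ToolPane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
SUCCESS_CODES = {"200", "302"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_toolshell_request(rec):
    """POST to ToolPane.aspx with the edit query, SignOut.aspx referrer, 200/302 reply.
    IIS paths are case-insensitive, so path and referrer are lower-cased first; the
    referrer is matched by suffix because IIS normally logs it as a full URL."""
    return (
        rec.get("cs-method") == "POST"
        and rec.get("cs-uri-stem", "").lower() == TOOLPANE_PATH
        and rec.get("cs-uri-query") == TOOLPANE_QUERY
        and rec.get("cs(Referer)", "").lower().endswith(SIGNOUT_REFERER)
        and rec.get("sc-status") in SUCCESS_CODES
    )


def find_toolshell_hits(text):
    """Return (client IP, status code) for each matching request, in log order."""
    return [(r["c-ip"], r["sc-status"]) for r in parse_w3c(text) if is_toolshell_request(r)]
```

The 401 response and the GET to the same path are deliberately left unmatched, mirroring the status-code and method filters in the template.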

Falcon Next-Gen SIEM users may also leverage a hunting query that uses the recently released correlate() capability. This rule, which is also provided below, may be used to identify instances where a SharePoint IIS process results in a PowerShell command being executed, followed by an ASPX file being written. 

correlate(
    cmd: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
          } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
    pwsh: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
          | aid <=> cmd.aid
          | ParentProcessId <=> cmd.TargetProcessId
          } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
    aspx: {
        #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/\.aspx/i
          | aid <=> cmd.aid
          | ContextProcessId <=> pwsh.TargetProcessId
          } include: [aid, ComputerName, TargetBaseFileName],
sequence=true, within=5m)
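The ordered w3wp.exe -> cmd.exe -> powershell.exe -> .aspx-write sequence that the correlate() hunt expresses, re-implemented over a small set of endpoint events as an added example (not code from the original post or the Falcon platform). Field names follow the hunting query; the events, hosts, process IDs and file paths are constructed, and the decoy chains show what the parent filter and the within=5m window exclude.

```python
"""Sequence-correlate endpoint telemetry the way the correlate() hunt above does:
w3wp.exe -> cmd.exe -> powershell.exe -> .aspx file written, in order, inside one
time window. Event records are constructed for this example."""
import re
from datetime import datetime, timedelta

SCRIPT_EVENTS = {"NewScriptWritten", "WebScriptFileWritten"}
ASPX = re.compile(r"\.aspx", re.IGNORECASE)


def ev(name, minutes, **fields):
    """Build one event; minutes is the offset into the constructed timeline."""
    return {"event_simpleName": name, "event_platform": "Win",
            "ts": datetime(2025, 7, 19, 10, 0) + timedelta(minutes=minutes), **fields}


EVENTS = [
    # Host A: full chain inside the window (constructed true positive)
    ev("ProcessRollup2", 0, aid="A", ComputerName="SP01", FileName="cmd.exe", ParentBaseFileName="w3wp.exe", TargetProcessId=100),
    ev("ProcessRollup2", 1, aid="A", ComputerName="SP01", FileName="powershell.exe", ParentBaseFileName="cmd.exe", ParentProcessId=100, TargetProcessId=101),
    ev("WebScriptFileWritten", 2, aid="A", ComputerName="SP01", ContextProcessId=101, FileName="C:\\constructed\\path\\constructed.aspx", TargetBaseFileName="constructed.aspx"),
    # Host B: same chain, but the .aspx write lands 10 minutes later (outside within=5m)
    ev("ProcessRollup2", 0, aid="B", ComputerName="SP02", FileName="cmd.exe", ParentBaseFileName="w3wp.exe", TargetProcessId=200),
    ev("ProcessRollup2", 1, aid="B", ComputerName="SP02", FileName="powershell.exe", ParentBaseFileName="cmd.exe", ParentProcessId=200, TargetProcessId=201),
    ev("NewScriptWritten", 11, aid="B", ComputerName="SP02", ContextProcessId=201, FileName="C:\\constructed\\late.aspx", TargetBaseFileName="late.aspx"),
    # Host C: an admin's interactive cmd.exe (parent explorer.exe, not w3wp.exe) deploying a page
    ev("ProcessRollup2", 0, aid="C", ComputerName="SP03", FileName="cmd.exe", ParentBaseFileName="explorer.exe", TargetProcessId=300),
    ev("ProcessRollup2", 1, aid="C", ComputerName="SP03", FileName="powershell.exe", ParentBaseFileName="cmd.exe", ParentProcessId=300, TargetProcessId=301),
    ev("NewScriptWritten", 2, aid="C", ComputerName="SP03", ContextProcessId=301, FileName="C:\\constructed\\deploy.aspx", TargetBaseFileName="deploy.aspx"),
]


def correlate_webshell_chain(events, window_minutes=5):
    """Return (ComputerName, written file) for every cmd -> pwsh -> aspx chain that
    occurs in that order, on the same host (aid), within window_minutes of the cmd."""
    window = timedelta(minutes=window_minutes)
    hits = []
    cmds = [e for e in events if e["event_simpleName"] == "ProcessRollup2"
            and e["FileName"] == "cmd.exe" and e["ParentBaseFileName"] == "w3wp.exe"]
    for c in cmds:
        deadline = c["ts"] + window
        for p in events:  # PowerShell whose parent is that cmd.exe (ParentProcessId <=> cmd.TargetProcessId)
            if (p["event_simpleName"] == "ProcessRollup2" and p["FileName"] == "powershell.exe"
                    and p["aid"] == c["aid"] and p.get("ParentProcessId") == c["TargetProcessId"]
                    and c["ts"] <= p["ts"] <= deadline):
                for w in events:  # .aspx written by that PowerShell (ContextProcessId <=> pwsh.TargetProcessId)
                    if (w["event_simpleName"] in SCRIPT_EVENTS and ASPX.search(w["FileName"])
                            and w["aid"] == c["aid"] and w.get("ContextProcessId") == p["TargetProcessId"]
                            and p["ts"] <= w["ts"] <= deadline):
                        hits.append((c["ComputerName"], w["TargetBaseFileName"]))
    return hits
```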

Conclusion

The SharePoint vulnerability exploitation demonstrates how critical application threats can provide attackers with initial access to organizations. CrowdStrike customers benefit from multiple layers of protection against these attacks.

While we strongly recommend patching SharePoint instances immediately, the Falcon platform provides comprehensive protection through:

  • Falcon Insight XDR: Behavioral detection and prevention of exploitation attempts
  • Falcon Exposure Management: Visibility into vulnerable SharePoint instances
  • Falcon Next-Gen SIEM: Detection rules for Microsoft IIS logs to identify exploitation attempts

CrowdStrike will continue monitoring this threat and update our guidance as new information emerges.