<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2025-53770 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2025-53770/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2025-53770/feed.xml" rel="self" type="application/rss+xml"/><item><title>SharePoint spinstall0.aspx Webshell Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-sharepoint-spinstall0-webshell/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-sharepoint-spinstall0-webshell/</guid><description>This brief describes the detection of GET requests to the spinstall0.aspx webshell, commonly deployed after exploiting CVE-2025-53770 in Microsoft SharePoint, indicating potential command execution, data exfiltration, or credential harvesting.</description><content:encoded><![CDATA[<p>The Microsoft SharePoint vulnerability CVE-2025-53770 allows attackers to deploy a webshell named &quot;spinstall0.aspx&quot; within the SharePoint layouts directory after successful exploitation via the ToolPane.aspx endpoint. This webshell serves as a backdoor, enabling attackers to execute commands, exfiltrate data, and extract sensitive information such as encryption keys and authentication tokens from the compromised SharePoint server. The presence of &quot;spinstall0.aspx&quot; and subsequent GET requests to it strongly indicate active post-exploitation activity, potentially leading to significant data breaches and privilege escalation within the organization. The exploitation of CVE-2025-53770 and the use of the spinstall0.aspx webshell pose a significant threat to organizations utilizing vulnerable SharePoint instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to the SharePoint server, exploiting CVE-2025-53770 via a specially crafted request to the ToolPane.aspx endpoint.</li>
<li><strong>Webshell Deployment:</strong> Successful exploitation leads to the deployment of the &quot;spinstall0.aspx&quot; webshell in the SharePoint layouts directory, typically located at <code>/_layouts/15/</code>.</li>
<li><strong>Backdoor Establishment:</strong> The webshell acts as a persistent backdoor, allowing the attacker to execute arbitrary commands on the SharePoint server.</li>
<li><strong>Reconnaissance:</strong> The attacker uses the webshell to perform reconnaissance activities, gathering information about the system, network, and user accounts.</li>
<li><strong>Credential Access:</strong> The attacker attempts to extract sensitive information, such as encryption keys, authentication tokens, and stored credentials, from the compromised SharePoint server.</li>
<li><strong>Data Exfiltration:</strong> The attacker uses the webshell to exfiltrate sensitive data from the SharePoint server to an external location.</li>
<li><strong>Lateral Movement:</strong> The attacker leverages the compromised SharePoint server as a pivot point to move laterally within the network, targeting other systems and resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-53770 and deployment of the spinstall0.aspx webshell can lead to complete compromise of the SharePoint server and potentially the entire network. Attackers can steal sensitive data, including confidential documents, employee credentials, and customer information. This can result in significant financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the attacker's objectives and the security measures in place.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>SharePoint spinstall0.aspx Webshell GET Request</code> to detect GET requests to the spinstall0.aspx webshell.</li>
<li>Monitor web server logs for requests to URLs matching the pattern <code>*/_layouts/15/spinstall0.aspx*</code>, as indicated in the IOCs, to identify potential webshell activity.</li>
<li>Investigate any alerts generated by the Sigma rule or manual analysis of web server logs to determine the source and scope of the attack.</li>
<li>Patch CVE-2025-53770 on all SharePoint servers immediately to prevent initial exploitation.</li>
<li>Enable comprehensive logging for SharePoint web servers and ensure that all HTTP requests are being captured and forwarded to your SIEM, as described in the &quot;How to Implement&quot; section of the original source.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sharepoint</category><category>webshell</category><category>cve-2025-53770</category><category>t1190</category><category>t1505.003</category><category>t1552</category></item></channel></rss>