LetsDefend Monitoring Alert

CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE

Jul, 22, 2025, 01:07 PM

Event ID: 320

Event Time: Jul, 22, 2025, 01:07 PM

Rule Name: SOC342 - CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE

Alert Type: Web Attack

MITRE Technique:
T1078 - Initial Access - Valid Accounts,
T1190 - Initial Access - Exploit Public-Facing Application,
T1087 - Discovery - Account Discovery,
T1057 - Discovery - Process Discovery,
T1047 - Execution - Windows Management Instrumentation,
T1204.002 - Execution - User Execution: Malicious File,
T1083 - Discovery - File and Directory Discovery,
T1016 - Discovery - System Network Configuration Discovery,
T1082 - Discovery - System Information Discovery,
T1059.003 - Execution - Command and Scripting Interpreter: Windows Command Shell,
T1505.003 - Persistence - Server Software Component: Web Shell,
T1049 - Discovery - System Network Connections Discovery,
T1569.002 - Execution - System Services: Service Execution,
T1033 - Discovery - System Owner/User Discovery,
T1543.003 - Persistence - Create or Modify System Process: Windows Service,
T1518 - Discovery - Software Discovery

Real World Example: A critical zero-day vulnerability, dubbed ToolShell (CVE-2025-53770), has been discovered in on-premises SharePoint Server deployments.

Severity: Critical

Security Analyst

2025 © LetsDefend
