{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreias7a5wsstjahaxejmf5yxv4cx7vlofmqzu7stbsfxjcwog6j4x3q",
"uri": "at://did:plc:iir655mcoipvnewhnkv6fb3u/app.bsky.feed.post/3meiksc4kpbg2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreidzhnv2t75motollxreehvmokt2mnqhckfpuviodsq3ynjlldarz4"
},
"mimeType": "image/png",
"size": 31727
},
"path": "/resources/blog/what-cve-2025-53770-teaches-us-about-zero-day-reality-and-ransomware-routine",
"publishedAt": "2026-02-10T08:35:48.000Z",
"site": "https://binarydefense.com",
"tags": [
"link"
],
"textContent": "\nCVE-2025-53770 is a critical SharePoint RCE flaw. The goals certainly don’t. The Exploit Chain: Familiar Steps, Different Stage At its core, CVE-2025-53770 abuses how SharePoint handles WebParts, specifically how it deserializes compressed data embedded in payloads targeting endpoints like /ToolPane.aspx. The process is as follows: Initial Access via WebPart Injection A malicious HTTP POST is sent to a WebPart-enabled ASPX page (not just ToolPane.aspx, any page with a WebPartZone will do, like /SitePages/test.aspx). Deserialization and Execution SharePoint processes the payload using LosFormatter or BinaryFormatter, invoking the deserialization sink and executing arbitrary code, typically starting with a LOLBin (cmd.exe, powershell.exe, mshta.exe). Neither Have the Outcomes On July 22, 2025, Microsoft published an article attributing attacks on SharePoint server leveraging CVE-2025-53770 to Chinese nation-state groups Linen Typhoon and Violet Typhoon. While CVE-2025-53770 hasn’t yet been tied to ransomware (yet), it lines up nicely to ransomware operator objectives: Privileged access to enterprise data repository Privileged access to a domain-joined Microsoft Windows server Remote Command Execution We don’t need to look back too far to see how the use of this exploit will likely play out. However, within weeks of public disclosure and tooling release, the same attack paths were rapidly adopted by ransomware groups and access brokers. Don’t Play Whack-a-CVE for Detections Many orgs initially focused detections on: Requests to /ToolPane.aspx Dropped files like /LAYOUTS/spinstall0.aspx Referer headers spoofing /SignOut.aspx However, based on testing within ARC Labs, there is some assumed brittleness to these detections. Attackers don’t need new tools because defenders are still slow to learn the old ones. \nWe’ve known for years that: Sharepoint, Exchange, and other Windows based web enabled services are high value targets Deserialization is a risky and recurring attack vector ViewState is abusable when secrets are compromised Initial access is more about exploiting behavior than code None of this is new. Ransomware actors, APTs, and access brokers don’t need cutting-edge tactics.",
"title": "What CVE-2025-53770 Teaches Us About Zero-Day Reality and Ransomware…"
}