A critical zero-day vulnerability named ToolShell (CVE-2025-53770) | LetsDefend
An alert from the LetsDefend SIEM that we need to resolve as a cyber exercise.

Tools: VirusTotal, AbuseIPDB and the LetsDefend tools for research.

CVE
Common Vulnerabilities and Exposures (CVE) is a standardized, industry-wide, public dictionary of identified cybersecurity vulnerabilities in software and hardware.
CVE-2025-53770
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Information about the alert
EventID: 320
Event Time: Jul 22, 2025, 01:07 PM
Rule: SOC342 — CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE
Level: Security Analyst
Hostname: SharePoint01
Source IP Address: 107.191.58.76
Destination IP Address: 172.16.20.17
HTTP Request Method: POST
Requested URL: /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Referer: /_layouts/SignOut.aspx
Content-Length: 7699
Alert Trigger Reason: Suspicious unauthenticated POST request targeting ToolPane.aspx with large payload size and spoofed referer indicative of CVE-2025-53770 exploitation.
Device Action: Allowed
Now we have useful information, such as the source and destination IP addresses, to research further.
Looking for information about the malicious IP, I can get community comments and its country; this is easy when you use tools that analyze IPs, files, URLs and domains.
VirusTotal:

AbuseIPDB:

Now we need to follow our company's playbook for this type of alert.
1- Collect Data

You can get this information from VirusTotal, Talos Intelligence and AbuseIPDB; there are many tools like these, but I like to work with these three.
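As an added example for the Collect Data step (not code from the post or from LetsDefend), here is how the reputation lookups done by hand above can be scripted. The request URLs, header names and the response fields (`last_analysis_stats`, `abuseConfidenceScore`, and so on) follow the VirusTotal v3 and AbuseIPDB v2 APIs as I know them and should be checked against the current documentation; the `enrich_ip` function, the verdict thresholds and the offline responses in `FAKE_RESPONSES` are my own constructions, and the numbers in them are made up, not real reputation data for this IP.

```python
"""Reputation enrichment of the alert's source IP (added example, not from the post)."""
import json
from urllib.request import Request, urlopen

# Endpoints and field names as I know the VirusTotal v3 / AbuseIPDB v2 APIs
# (assumption: verify against the current API docs before relying on them).
VT_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"
ABUSE_URL = "https://api.abuseipdb.com/api/v2/check?ipAddress={ip}&maxAgeInDays=90"


def http_get_json(url, headers):
    """Real fetcher: GET a URL with the given headers and decode the JSON body."""
    req = Request(url, headers=headers)
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


def summarize_virustotal(doc):
    """Reduce a VirusTotal IP object to country and vendor verdict counts."""
    attrs = doc["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    return {
        "country": attrs.get("country"),
        "flagged_engines": stats.get("malicious", 0) + stats.get("suspicious", 0),
        "total_engines": sum(stats.values()),
    }


def summarize_abuseipdb(doc):
    """Reduce an AbuseIPDB check result to country, confidence score and report count."""
    data = doc["data"]
    return {
        "country": data.get("countryCode"),
        "abuse_confidence": data.get("abuseConfidenceScore", 0),
        "total_reports": data.get("totalReports", 0),
    }


def enrich_ip(ip, vt_key, abuse_key, fetch=http_get_json):
    """Query both services and combine them into one analyst-facing record.

    `fetch` is injectable so the function can be exercised offline.
    Thresholds (3 flagging engines, AbuseIPDB confidence >= 75) are assumed.
    """
    vt = summarize_virustotal(fetch(VT_URL.format(ip=ip), {"x-apikey": vt_key}))
    ab = summarize_abuseipdb(
        fetch(ABUSE_URL.format(ip=ip), {"Key": abuse_key, "Accept": "application/json"})
    )
    malicious = vt["flagged_engines"] >= 3 or ab["abuse_confidence"] >= 75
    return {
        "ip": ip,
        "virustotal": vt,
        "abuseipdb": ab,
        "verdict": "malicious" if malicious else "no_reputation_hit",
    }


# Constructed offline responses so the example runs without API keys.
# Country "ZZ" and every count here are made up, not real data for this IP.
FAKE_RESPONSES = {
    VT_URL.format(ip="107.191.58.76"): {
        "data": {"attributes": {
            "country": "ZZ",
            "last_analysis_stats": {"harmless": 60, "malicious": 9, "suspicious": 2,
                                    "undetected": 20, "timeout": 0},
        }}
    },
    ABUSE_URL.format(ip="107.191.58.76"): {
        "data": {"ipAddress": "107.191.58.76", "abuseConfidenceScore": 100,
                 "countryCode": "ZZ", "totalReports": 42}
    },
}


def fake_fetch(url, headers):
    """Offline stand-in for http_get_json keyed on the request URL."""
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    # Swap fake_fetch for the default fetcher (and real keys) for live lookups.
    record = enrich_ip("107.191.58.76", "VT_KEY_PLACEHOLDER", "ABUSE_KEY_PLACEHOLDER",
                       fetch=fake_fetch)
    print(json.dumps(record, indent=2))
```

The point of injecting `fetch` is that the parsing and verdict logic can be tested against saved responses, which is also how you keep a record of what the reputation services said at the time of the investigation.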
2- Examine HTTP Traffic

We need to investigate in the tool called Log Management, which simulates a SIEM.
I filter for the source IP address 107.191.58.76:

Malicious.
Type of attack

Command injections.
I researched this CVE on this website:
Understand the SharePoint RCE: Exploitations, Detections, and Mitigations | Akamai
Get an in-depth look at the Microsoft SharePoint vulnerability, the exploitation activity, and Akamai's detection and…
I understand that attackers (hackers) can try to exploit a vulnerability in the ToolPane.aspx path, causing RCE (Remote Command Execution).
By accessing the deployed malicious endpoint, attackers can extract the cryptographic secrets needed to sign serialized payloads (Figure 2).

Check email

Not Planned.
If you look at the source IP the request comes from, it is malicious, as we can see in VirusTotal and AbuseIPDB, so I think that pentesters use malicious IPs to simulate a CVE exploitation on an important server.
Direction of traffic

Outside to inside.
In this case it is Internet to Company Network; you need to look here:

The source IP address is outside our network, in other words the Internet; the destination IP address is our server, so the company network.
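As an added example covering both the Alert Trigger Reason above (unauthenticated POST to ToolPane.aspx, large body, spoofed sign-out referer) and this direction-of-traffic step, the script below runs that logic over a few web-server records. It is my own code, not the LetsDefend rule or anything from the post: the sample events, the `172.16.20.0/24` company range, the 4096-byte "large payload" threshold and the verdict tiers are all assumptions chosen to match the alert fields shown earlier.

```python
"""Triage of ToolPane.aspx requests: trigger indicators plus traffic direction.
Added example, not the SIEM rule from the exercise."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed company address space for the exercise (the alert only shows one host).
COMPANY_NETWORKS = [ipaddress.ip_network("172.16.20.0/24")]
# Assumed threshold for the alert's "large payload size" wording.
LARGE_BODY_BYTES = 4096

# Constructed sample events; the first one mirrors the alert fields above,
# the others are benign or ambiguous traffic invented for contrast.
SAMPLE_EVENTS = [
    {"src": "107.191.58.76", "dst": "172.16.20.17", "method": "POST",
     "url": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
     "referer": "/_layouts/SignOut.aspx", "content_length": 7699},
    {"src": "172.16.20.45", "dst": "172.16.20.17", "method": "GET",
     "url": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit",
     "referer": "/sites/hr/Pages/default.aspx", "content_length": 0},
    {"src": "172.16.20.45", "dst": "172.16.20.17", "method": "POST",
     "url": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit",
     "referer": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit", "content_length": 512},
    {"src": "172.16.20.17", "dst": "203.0.113.5", "method": "GET",
     "url": "/updates/manifest.xml", "referer": "", "content_length": 0},
]


def _is_company(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPANY_NETWORKS)


def traffic_direction(src, dst):
    """Classify a flow the way the playbook asks: where is each side relative to us?"""
    src_in, dst_in = _is_company(src), _is_company(dst)
    if not src_in and dst_in:
        return "outside_to_inside"   # Internet -> company network, as in this alert
    if src_in and not dst_in:
        return "inside_to_outside"
    if src_in and dst_in:
        return "inside_to_inside"
    return "outside_to_outside"


def toolshell_indicators(event):
    """Return the trigger-reason indicators that a single request satisfies."""
    hits = []
    parts = urlsplit(event["url"])
    if event["method"] == "POST" and parts.path.lower().endswith("/toolpane.aspx"):
        hits.append("post_to_toolpane")
    if parse_qs(parts.query).get("DisplayMode", [""])[0].lower() == "edit":
        hits.append("displaymode_edit")
    # A POST to an editing page claiming to come from the sign-out page is the
    # "spoofed referer" the alert describes.
    if event["referer"].lower().endswith("/_layouts/signout.aspx"):
        hits.append("signout_referer")
    if event["content_length"] >= LARGE_BODY_BYTES:
        hits.append("large_body")
    return hits


def triage(event):
    """Combine indicators and direction into a verdict an analyst can act on."""
    hits = toolshell_indicators(event)
    if "post_to_toolpane" in hits and len(hits) >= 3:
        verdict = "alert"          # core pattern plus supporting indicators
    elif "post_to_toolpane" in hits:
        verdict = "review"         # POST to ToolPane on its own: look, don't page
    else:
        verdict = "benign"
    return {"verdict": verdict,
            "direction": traffic_direction(event["src"], event["dst"]),
            "indicators": hits}


def iocs_from_alerts(events):
    """Collect the artifacts worth recording for every event that triages as an alert."""
    alerts = [e for e in events if triage(e)["verdict"] == "alert"]
    return {"source_ips": sorted({e["src"] for e in alerts}),
            "urls": sorted({e["url"] for e in alerts})}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["src"], "->", event["dst"], triage(event))
    print("IOCs:", iocs_from_alerts(SAMPLE_EVENTS))
```

Keeping the indicators as a list rather than a single boolean means the analyst note can say which parts of the pattern were present, and the `review` tier separates an ordinary authenticated edit from the unauthenticated, sign-out-referer, large-body combination that makes this alert stand out.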
Investigate the attack

If you look at the SIEM content or Log Management you only see a single log, but if you search in Endpoint Security and filter for our IP you can see a command line with attack vectors or IOCs (Indicators of Compromise).

IOC

Answer: Yes
Once you know the attack was successful you need to contain the endpoint, since it can infect another endpoint and try to escalate privileges in the network.

Add Artifacts

Here we need to put our IOCs.

This is my comment, or Analyst Note. Before this I escalated the alert to the level 2 SOC for better analysis.

Now we need to close the alert.

Reflection

I have a fail, since I thought that the type of attack was command injection, but it is not, because that type of attack refers to something else. RCE is a different type of attack; you can research and learn with me to obtain a better score.
I am going to do this type of analysis every day, since it is a good way to practice blue team and SOC work.