Falcon Exposure Management has had detections for all supported platforms since the vulnerability was initially disclosed. The vulnerability currently has an ExPRT.AI severity rating of “Critical,” with an exploit status of “Actively Used (Critical)” due to confirmed active exploitation in the wild.

To identify vulnerable systems, customers can navigate to the Exposure Management > Vulnerability Management > Vulnerabilities page in the CrowdStrike Falcon platform. From there, they can use the Vulnerability ID filter with a value of “CVE-2025-53770” and/or “CVE-2025-53771.” Any managed systems that are vulnerable will be listed there. If the message “No vulnerabilities found” is shown, all managed SharePoint systems have the necessary patches. For any system found vulnerable, the remediation guidance provided for that system names the security updates to apply.

CrowdStrike Falcon Next-Gen SIEM

As the vulnerabilities discussed target the SharePoint server, ingestion of Microsoft IIS server logs provides a comprehensive view into this emerging threat. CrowdStrike Falcon® Next-Gen SIEM customers are encouraged to ingest IIS logs to gain the necessary visibility and detect malicious actions. Further information about ingesting and parsing this data source is available to customers here. The “Microsoft – IIS – Microsoft Sharepoint ToolShell Exploitation CVE-2025-53770” rule template is currently available to customers who wish to detect possible exploitation attempts specific to CVE-2025-53770. This template uses the following query to identify requests to the malicious URL:

#Vendor="microsoft" #event.module="iis" #event.dataset="iis.access" #repo!="xdr*"
| parseUrl(http.request.referrer)
| http.request.method="POST" url.path="/_layouts/15/ToolPane.aspx" url.query="DisplayMode=Edit&a=/ToolPane.aspx" http.request.referrer.path="/_layouts/SignOut.aspx"
| http.response.status_code =~ in(values=[200,302,401])

The following correlation query chains three endpoint events that occur within five minutes of each other: cmd.exe spawned by the IIS worker process w3wp.exe, powershell.exe spawned by that cmd.exe, and an .aspx file written by that PowerShell process.

correlate(
cmd: {
#event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
} include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
pwsh: {
#event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
| aid <=> cmd.aid
| ParentProcessId <=> cmd.TargetProcessId
} include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
aspx: {
#event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/.aspx/i
| aid <=> cmd.aid
| ContextProcessId <=> pwsh.TargetProcessId
} include: [aid, ComputerName, TargetFileName],
sequence=true, within=5m)

Conclusion

CrowdStrike will continue monitoring this threat and update our guidance as new information emerges. While we strongly recommend patching SharePoint instances immediately, the Falcon platform provides comprehensive protection through:
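As an added worked example, not code from the CrowdStrike post, the IIS access-log rule template from the Falcon Next-Gen SIEM section above rendered as a standalone Python check over a constructed IIS W3C log excerpt. The log records, host name and addresses are made up; the query string is parsed rather than matched verbatim and paths compare case-insensitively, so the check is slightly broader than the rule's exact-match query.

```python
"""Standalone check mirroring the Next-Gen SIEM IIS rule for ToolShell (CVE-2025-53770):
POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit&a=/ToolPane.aspx, a Referer of
/_layouts/SignOut.aspx, and an HTTP 200, 302 or 401 response."""
from urllib.parse import parse_qs, urlsplit

# Constructed IIS W3C log excerpt for illustration; not real traffic.
# Records 2 and 3 match the rule; records 1 and 4 are benign SharePoint activity.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2025-07-19 08:01:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 120
2025-07-19 08:01:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 401 2 5 4
2025-07-19 08:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.21 Mozilla/5.0 https://sp.example.test/_layouts/15/start.aspx 200 0 0 50
"""

SUSPICIOUS_STATUS = {"200", "302", "401"}  # status codes listed in the rule


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed record: skip rather than guess which column is which
        yield dict(zip(fields, values))


def is_toolshell_request(rec):
    """True when a record matches the rule. IIS paths are case-insensitive, so the
    stem and referrer path are lowercased; the query is parsed so parameter order does not matter."""
    query = parse_qs(rec.get("cs-uri-query", "-"))
    referer = rec.get("cs(Referer)", "-")
    referer_path = urlsplit(referer).path.lower() if referer != "-" else ""
    return (
        rec.get("cs-method") == "POST"
        and rec.get("cs-uri-stem", "").lower() == "/_layouts/15/toolpane.aspx"
        and query.get("DisplayMode") == ["Edit"]
        and query.get("a") == ["/ToolPane.aspx"]
        and referer_path == "/_layouts/signout.aspx"
        and rec.get("sc-status") in SUSPICIOUS_STATUS
    )


def toolshell_hits(text):
    """Return the matching records, oldest first, for triage by c-ip and time."""
    return [r for r in parse_w3c(text) if is_toolshell_request(r)]
```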