Azure Network Security Blog

Protect against SharePoint CVE-2025-53770 with Azure Web Application Firewall (WAF)

yuvalpery (Microsoft)
Aug 11, 2025

Summary

Microsoft recently disclosed CVE-2025-53770, a critical vulnerability affecting on-premises SharePoint Server 2010, 2013, 2016, 2019, and Subscription Edition (SE). The vulnerability allows unauthenticated remote code execution (RCE) by chaining two previously disclosed CVEs:

  • CVE-2025-49706 – Authentication Bypass
  • CVE-2025-49704 – Deserialization Vulnerability

Microsoft has released security updates for SharePoint Server 2016, 2019, and SE. Versions 2010 and 2013 are out of support and will not receive patches, leaving them exposed.

If exploited, this vulnerability could allow an attacker to bypass authentication, extract cryptographic keys, and execute arbitrary C# code on the server.

Technical details

On-premises SharePoint Servers are enterprise-grade collaboration platforms that organizations install and manage on their own infrastructure, typically in their data centers.

The attack chain for CVE-2025-53770 involves the following steps:

  1. CVE-2025-49706 – Authentication Bypass
    The attacker sends a crafted POST request to the endpoint /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a Referer header of /_layouts/SignOut.aspx. Because the Referer points at the sign-out page, SharePoint treats the request as one it may serve without authentication, so the ToolPane.aspx handler processes the request and its body as if they came from an authenticated user.
  2. CVE-2025-49704 – Deserialization Vulnerability
    The body of that POST carries a serialized object which, when the ToolPane handler deserializes it, writes a page named spinstall0.aspx into the SharePoint LAYOUTS directory. Requesting that page returns the MachineKey values (ValidationKey and DecryptionKey) from the web application's web.config.
    With the ValidationKey the attacker can sign arbitrary serialized ViewState, so a __VIEWSTATE value carrying a C# code-execution gadget passes SharePoint's MAC validation and is deserialized and executed on the server.

Microsoft guidance

We strongly recommend following Microsoft's official mitigation steps outlined in the MSRC blog:
Customer guidance for SharePoint vulnerability CVE-2025-53770 | Microsoft Security Response Center

See the “How to protect your environment” section for patching guidance, configuration updates, and additional mitigation strategies.

Protecting with Azure Web Application Firewall

You can create a custom rule to help detect and block suspicious requests matching the known indicators of this attack. Custom rules are evaluated before the managed rule sets, and in a MatchRule every match condition must be true for the action to apply.

Example WAF custom rule (both conditions must match):

  • Condition 1: RequestUri matches /_layouts/15/ToolPane.aspx or /_layouts/15/spinstall0.aspx (the regex below also accepts the unversioned /_layouts/ path and any version number)
  • Condition 2: Referer header matches /_layouts/SignOut.aspx or /_layouts/15/SignOut.aspx

JSON view (the same regex is used for both conditions, so the Referer condition also matches ToolPane.aspx and spinstall0.aspx; negationConditon is spelled exactly as the Azure WAF policy schema expects, so keep it as shown):

"customRules": [
  {
    "name": "CVE202553770",
    "priority": 100,
    "ruleType": "MatchRule",
    "action": "Block",
    "matchConditions": [
      {
        "matchVariables": [
          { "variableName": "RequestUri" }
        ],
        "operator": "Regex",
        "negationConditon": false,
        "matchValues": [
          "(?i)/_layouts(?:/\\d+)?/(SignOut|spinstall0|ToolPane)\\.aspx"
        ],
        "transforms": []
      },
      {
        "matchVariables": [
          { "variableName": "RequestHeaders", "selector": "Referer" }
        ],
        "operator": "Regex",
        "negationConditon": false,
        "matchValues": [
          "(?i)/_layouts(?:/\\d+)?/(SignOut|spinstall0|ToolPane)\\.aspx"
        ],
        "transforms": []
      }
    ],
    "skippedManagedRuleSets": [],
    "state": "Enabled"
  }
]
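To see what the rule above actually blocks, here is an added example (not code from the original post or from Microsoft) that applies its two regex conditions with MatchRule semantics, where every condition must hold, to constructed sample requests modelled on the attack chain described under Technical details. It does not reproduce the Azure WAF engine; the host sp.example.internal, the sample requests and the companion spinstall0 rule are assumptions of this example.

```python
"""Offline check of the CVE202553770 custom rule shown above.

Added example; it is not code from the original post or from Microsoft and does
not reproduce the Azure WAF engine. It applies the rule's two regex conditions
with MatchRule semantics (all matchConditions must hold for the action to fire)
to constructed sample requests. The host sp.example.internal is made up.
"""
import re
from dataclasses import dataclass, field

# Regex copied from the custom rule: optional version segment (/15, /16) and a
# case-insensitive match on the three indicator page names.
INDICATOR = re.compile(r"(?i)/_layouts(?:/\d+)?/(SignOut|spinstall0|ToolPane)\.aspx")


@dataclass
class Request:
    method: str
    uri: str  # path plus query string, which is what RequestUri carries
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        # Header names are case-insensitive; the WAF selector "Referer" matches
        # a "referer" header as well, so fold case here too.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def rule_cve202553770(req: Request) -> bool:
    """Condition 1 (RequestUri) AND condition 2 (Referer header)."""
    uri_hit = INDICATOR.search(req.uri) is not None
    referer_hit = INDICATOR.search(req.header("Referer")) is not None
    return uri_hit and referer_hit


def rule_spinstall0(req: Request) -> bool:
    """Companion rule, an assumption of this example rather than part of the
    post: block any request for spinstall0.aspx regardless of Referer, because
    the post's rule lets a Referer-less fetch of the dropped page through."""
    return re.search(r"(?i)/_layouts(?:/\d+)?/spinstall0\.aspx", req.uri) is not None


def waf_decision(req: Request, rules=(rule_cve202553770,)) -> str:
    """'Block' if any enabled rule matches, otherwise 'Allow'."""
    return "Block" if any(rule(req) for rule in rules) else "Allow"


# Constructed samples that follow the attack chain described under Technical details.
SAMPLES = [
    # Step 1: POST to ToolPane.aspx with the SignOut.aspx Referer
    Request("POST", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
            {"Referer": "/_layouts/SignOut.aspx"}),
    # Same request with mixed case and a versioned, absolute Referer
    Request("POST", "/_LAYOUTS/15/toolpane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
            {"referer": "https://sp.example.internal/_layouts/15/SignOut.aspx"}),
    # Ordinary navigation inside the site: not an indicator
    Request("GET", "/_layouts/15/start.aspx",
            {"Referer": "https://sp.example.internal/SitePages/Home.aspx"}),
    # Step 2 follow-up: fetching the dropped page with no Referer at all
    Request("GET", "/_layouts/15/spinstall0.aspx", {}),
    # Same fetch with a Referer that points back at ToolPane.aspx
    Request("GET", "/_layouts/15/spinstall0.aspx",
            {"Referer": "https://sp.example.internal/_layouts/15/ToolPane.aspx"}),
]


def evaluate(samples, rules=(rule_cve202553770,)):
    """Return (method, uri, decision) for each sample under the given rules."""
    return [(req.method, req.uri, waf_decision(req, rules)) for req in samples]


if __name__ == "__main__":
    print("post's rule only:")
    for method, uri, decision in evaluate(SAMPLES):
        print(f"  {decision:5} {method:4} {uri}")
    print("with the companion spinstall0 rule added:")
    for method, uri, decision in evaluate(SAMPLES, (rule_cve202553770, rule_spinstall0)):
        print(f"  {decision:5} {method:4} {uri}")
```

Run it with python3. The fourth sample shows the gap in the rule as written: because the Referer condition is required, a plain GET of spinstall0.aspx with no Referer is allowed, which is why the example adds a single-condition companion rule for that page. The rule also applies no transforms, so test percent-encoded variants of the path in Detection mode before relying on it in Prevention mode, and remember that attackers can rename the dropped page, so the rule covers only the indicators known today.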


Next steps

  • Patch immediately: Apply Microsoft’s updates for SharePoint 2016, 2019, and SE.
  • Isolate legacy systems: SharePoint 2010 and 2013 remain vulnerable—consider restricting network access or migrating to supported versions.
  • Deploy WAF protections: Add the custom rule above to monitor and block suspicious traffic targeting the vulnerable endpoints. Roll it out in Detection mode first, review the WAF logs for false positives, then switch to Prevention; treat it as a compensating control that covers the currently known indicators, not as a replacement for the patch.

More information about custom rules is available in the Azure WAF documentation for Application Gateway and for Azure Front Door.

For more on Azure WAF, see:
Azure Web Application Firewall documentation

Updated Aug 11, 2025
Version 2.0