
These vulnerabilities have been reported to impact the following ON-PREMISES versions of Microsoft SharePoint:

  • SharePoint Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

The online (SaaS) version of SharePoint is not reported to be affected at this time.

 

 

Trend Micro Investigation, Protection and Detection Against Exploitation

First and foremost, it is always recommended that administrators apply the official vendor-specific patches when they are available. For this specific case, in addition to the Microsoft July 2025 Security Update, Microsoft has issued new emergency Out-of-Band updates to address the new vulnerability bypasses. Customers are strongly encouraged to apply these updates and closely follow any additional guidance in Microsoft's Customer Guidance for SharePoint Vulnerability article.

In addition to the Microsoft security updates that should be applied, Trend Micro has also released some updates, proactive rules and filters that can help provide additional protection against these exploits as well as some tools that can be used by customers to investigate potential exposure to vulnerabilities.

Customers are also encouraged to view Trend Micro's recorded webinar, "Dealing with the fallout of a failed SharePoint patch. Are you protected?", for more information on protection.


Trend Vision One™ 

Time-Critical Vulnerability

Trend Micro has added a Time-Critical Vulnerability alert in the Vision One Executive Dashboard that will be continually updated with additional information related to prevention and detection as it becomes available.

 

Threat Insights

Trend Vision One Threat Insights provides threat intelligence curated by Trend Micro experts, with timely reports on emerging threats that administrators can base critical security decisions on.

 

 

Search Query

Customers may use the General Search Query function in Vision One for a preliminary investigation of potential exposure with the following queries:

 

Specific Detection for In-the-Wild Exploit for CVE-2025-53770

(eventSubId:101 AND objectFilePath:*TEMPLATE\\LAYOUTS\\spinstall0.aspx*)

(eventSubId:901 AND objectRawDataStr:*TEMPLATE\\LAYOUTS\\spinstall0.aspx*)

 

Generic Detection for Potential Exploitation for CVE-2025-53770

(eventSubId:901 AND objectRawDataStr:(*$base64String* AND *$destinationFile* AND *$decodedBytes* AND *$decodedContent* AND *\\TEMPLATE\\LAYOUTS* AND *.aspx*))
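
The three queries above can also be applied offline to records exported from a search, which makes the escaping and matching rules explicit. The following Python is an added example, not Trend Micro code: the field names come from the queries, while the record layout (dicts with a hypothetical "id" key), the constructed sample records and the reading of *term* as a case-insensitive substring match are assumptions.

```python
# "\\" in the query syntax is an escaped backslash, so each literal below uses one "\".
SPINSTALL = r"TEMPLATE\LAYOUTS\spinstall0.aspx"
RULES = [
    # (rule name, eventSubId, field searched, substrings that must ALL be present)
    ("specific_file", "101", "objectFilePath", [SPINSTALL]),
    ("specific_raw", "901", "objectRawDataStr", [SPINSTALL]),
    ("generic_raw", "901", "objectRawDataStr",
     ["$base64String", "$destinationFile", "$decodedBytes", "$decodedContent",
      r"\TEMPLATE\LAYOUTS", ".aspx"]),
]

def match_event(event):
    """Return the names of every rule this record satisfies."""
    hits = []
    for name, sub_id, field, needles in RULES:
        # Exports may carry eventSubId as int or str; compare as text.
        if str(event.get("eventSubId")) != sub_id:
            continue
        # Assumption: *term* behaves as a case-insensitive substring match.
        value = str(event.get(field) or "").lower()
        if all(n.lower() in value for n in needles):
            hits.append(name)
    return hits

def triage(events):
    """Map record id -> matched rule names, omitting records with no match."""
    matched = ((e["id"], match_event(e)) for e in events)
    return {rec_id: hits for rec_id, hits in matched if hits}

# Constructed sample records (not real telemetry); "id" is a hypothetical key.
BASE = r"C:\constructed\16\TEMPLATE\LAYOUTS"
SCRIPT = ('$base64String = "<redacted>"; $destinationFile = "{}"; '
          '$decodedBytes = <redacted>; $decodedContent = <redacted>')
SAMPLE = [
    {"id": "a", "eventSubId": 101, "objectFilePath": BASE + r"\spinstall0.aspx"},
    {"id": "b", "eventSubId": "101", "objectFilePath": BASE.lower() + r"\SPINSTALL0.ASPX"},
    {"id": "c", "eventSubId": 101, "objectFilePath": BASE + r"\settings.aspx"},
    {"id": "d", "eventSubId": 901, "objectRawDataStr": SCRIPT.format(BASE + r"\spinstall0.aspx")},
    {"id": "e", "eventSubId": 901, "objectRawDataStr": SCRIPT.format(BASE + r"\other.aspx")},
    {"id": "f", "eventSubId": 901, "objectRawDataStr": "Get-ChildItem " + BASE},
]

if __name__ == "__main__":
    for rec_id, rules in triage(SAMPLE).items():
        print(rec_id, ", ".join(rules))
```

Record "e" shows why the generic query matters: it still matches when the dropped file is not named spinstall0.aspx, while records "c" and "f" show that ordinary activity under TEMPLATE\LAYOUTS does not match.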

 

Utilizing Observed Attack Techniques (OAT)

Vision One customers that use Trend Micro endpoint and server protection products may go into the Observed Attack Techniques section of the Vision One console to look for suspicious activity that may indicate the detection of malicious behavior associated with this threat. 

Potential indicators include:

  • Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-49704, CVE-2025-53770, CVE-2025-53771)
  • Actively Exploited Vulnerability (CVE-2025-49704) - Blocked
  • Actively Exploited Vulnerability (CVE-2025-49706) - Blocked
  • Actively Exploited Vulnerability (CVE-2025-49704)
  • Actively Exploited Vulnerability (CVE-2025-49706)
  • CVE-2025-53770 SharePoint Deserialization Exploit HTTP (Request) - Inbound
  • CVE-2025-53770 SharePoint Deserialization Exploit HTTP (Request) - Outbound

 

Trend Vision One Endpoint Security 

Trend Vision One - Endpoint Security, Deep Security & Vulnerability Protection IPS Rules

  • 1012390 - Microsoft SharePoint Server Spoofing Vulnerability (CVE-2025-49706 and CVE-2025-53771)


 

Trend Vision One Network Security

TippingPoint and Trend Cloud One - Network Security Filters

  • 46160: HTTP: Microsoft SharePoint Insecure Deserialization Vulnerability - addresses CVE-2025-49706 and CVE-2025-53771
  • 45905: PWN2OWN ZDI-CAN-27162: Zero Day Initiative Vulnerability (Microsoft SharePoint) - addresses CVE-2025-49706 and CVE-2025-53771
  • 45906: PWN2OWN ZDI-CAN-27247: Zero Day Initiative Vulnerability (Microsoft SharePoint) - addresses CVE-2025-49704 and CVE-2025-53770

Note: Filters 45905 and 45906 have offered protection in default configuration since May 20, 2025, while 46160 has offered protection since July 8, 2025.

 

Trend Micro Deep Discovery Inspector (DDI) Rules

  • 5446: CVE-2025-53770 - SharePoint Deserialization Exploit - HTTP (Request)


 

Patterns, Models, Signatures

Trend Micro Endpoint & Server Malware Pattern (VSAPI) Detection

Trend Micro products that utilize different pattern, behavior monitoring and other advanced detection technology can also detect and protect against the following known malicious components associated with in-the-wild exploits:

  • HS_WEBSHELL.SMTHGBABE (Smart Scan Agent Pattern 20.341)
  • Trojan.ASP.WEBSHELL.SMTHGBABE (Smart Scan Agent Pattern 20.341)
  • Trojan.MSIL.WEBSHELL.SMTHGBABE (Smart Scan Agent Pattern 20.343)
  • Trojan.ASP.WEBSHELL.SMASP.aggr (Smart Scan Agent Pattern 20.343)
  • HS_WEBSHELL.SMPS1 (Smart Scan Agent Pattern 20.343)
  • Trojan.Win64.KILLAV.I (Smart Scan Agent Pattern 20.353)
  • Trojan.Win64.KILLAV.SMI (Smart Scan Agent Pattern 20.353)
  • Trojan.BAT.KILLAV.H (Smart Scan Agent Pattern 20.353)
  • HackTool.Win64.Mimikatz.ZTKE (Smart Scan Agent Pattern)
  • HackTool.MSIL.YSoSerial.SM (Spyware Active-Monitoring Pattern 2.855.00)
  • FLS.ISB.5788T (Pre-existing Behavior Monitoring Detection)
  • AG.SEN5945S (Behavior Monitoring Detection Pattern 4385)
  • AG.PENT5909T (Behavior Monitoring Detection Pattern 4385)
  • PENT4836T (Behavior Monitoring Detection Pattern 4387)
  • ATM.SYS.4230T (Behavior Monitoring Detection Pattern 4393)
  • 4297T (Behavior Monitoring Detection Pattern 4393)
  • 4524T (Behavior Monitoring Detection Pattern 4393)
  • Fileless.AMSI.MalASPXDownloader.SMA.aggr (Advanced Threat Correlation Pattern 1.547.00)
  • FLSourcing.AMSI.MalASPXDownloader.SMA (Advanced Threat Correlation Pattern 1.547.00)

 

Trend Micro Web Reputation Services (WRS) 

Trend Micro is also blocking several C&C server and Disease Vector IPs and domains known to be associated with these exploits.

 

This article will be updated continually as new information becomes available.