IBM QRadar

Detecting CVE-2025-53770

By Maggie Raghupathi posted 5 days ago

Introduction

The QRadar Detection Engineering Content team, comprised of seasoned red and blue teamers, is responsible for designing and implementing systems to detect cyber-attacks and attacker TTPs. These systems are released as Content Packs through IBM App Exchange and can be downloaded and added to your existing rules for the purpose of detecting specific threats.

In this blog post we highlight a recent vulnerability in the news, CVE-2025-53770[1], a Microsoft SharePoint zero-day. We provide a high-level description of the vulnerability, a recent attack that used it, and how QRadar SIEM can help you detect it.

CVE-2025-53770

On July 19, Microsoft released an advisory for CVE-2025-53770, a critical Remote Code Execution (RCE) vulnerability affecting on-premises SharePoint servers, which has been exploited in the wild as a zero-day by an unknown threat actor. The vulnerability is an unauthenticated deserialization of untrusted data issue with a CVSS base score of 9.8, classified as Critical. Unauthenticated deserialization of untrusted data happens when software blindly “unpacks” information it got from an unknown or unverified source without first checking if it’s safe. That insecure unpacking can let attackers smuggle in hidden commands that run as soon as the data is opened.

Active Exploitation In the News

This SharePoint 0-day is being actively exploited. It is reported that Chinese state-sponsored hackers have infiltrated over 50 organizations using this exploit, including the US National Nuclear Security Administration.[2] Fortunately, no classified nuclear information was compromised, according to the Department of Energy, thanks in part to its recent migration to the cloud, as this vulnerability is specific to on-premise instances.

Detection Rules

To enable QRadar users to detect these types of attacks, two new rules were added to the Endpoint Content Extension pack. The rules were developed by one of our in-house senior detection engineers and utilize guidance provided by Rapid7[3] on industry standards for detection rules. Both rules check on-premise logs, as only on-prem SharePoint instances are susceptible to this vulnerability.

Rule #1 checks a known file path used in the exploitation of this vulnerability for any files of type .asp, .aspx, or .js. This rule is designed to catch a method of exploitation that relies on uploading one of these file types, which can contain executable code, to the known file path template\layout.

Rule 1: PotentialSharepointToolShellCVE-2025-53770Exploitation-FilePath

Rule #2 checks the Windows Security Event log and IIS logs for any PowerShell process creating a webshell. This method of exploitation creates a privileged shell for the attackers on the local system, allowing them to remotely execute commands; it can be chained with the first method of exploitation.

Rule 2: PotentialSharepointToolShellCVE-2025-53770Exploitation
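As an added illustration of the two checks described above (this is example code, not the QRadar rules themselves, which ship in the content pack), the following Python runs the same logic over constructed file-audit events. The key=value record format, the file names, and the treatment of any .asp/.aspx/.js written by powershell.exe as a Rule 2 hit are assumptions made for this example.

```python
import re

# Constructed sample events (not real telemetry) in a simplified key=value form.
# Field names borrow Windows Security audit conventions (ObjectName, ProcessName),
# but every record below is made up for this example.
SAMPLE_EVENTS = [
    # Rule 1 case: a script file written under the SharePoint layouts path by the IIS worker.
    r"EventID=4663 ObjectName=C:\Web\16\template\layout\example_dropped.aspx ProcessName=C:\Windows\System32\inetsrv\w3wp.exe",
    # Rule 2 case (also fires Rule 1): PowerShell writing a script file into the web-served path.
    r"EventID=4663 ObjectName=C:\Web\16\template\layout\example_shell.aspx ProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    # Benign: an image written under the same path.
    r"EventID=4663 ObjectName=C:\Web\16\template\layout\logo.png ProcessName=C:\Windows\System32\inetsrv\w3wp.exe",
    # Benign: PowerShell writing a log file elsewhere.
    r"EventID=4663 ObjectName=C:\Temp\run.log ProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]

WEBSHELL_EXT = (".asp", ".aspx", ".js")                      # file types named in the post
LAYOUT_PATH = re.compile(r"\\template\\layout\\", re.IGNORECASE)  # path as given in the post


def parse_event(line):
    """Split a key=value audit line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def rule1_filepath(ev):
    """Rule 1: a script-type file written to the known template\\layout path."""
    obj = ev.get("ObjectName", "")
    return bool(LAYOUT_PATH.search(obj)) and obj.lower().endswith(WEBSHELL_EXT)


def rule2_powershell_webshell(ev):
    """Rule 2: a PowerShell process creating a webshell-type file.
    Assumption: any .asp/.aspx/.js written by powershell.exe or pwsh.exe counts."""
    proc = ev.get("ProcessName", "").lower()
    obj = ev.get("ObjectName", "").lower()
    return proc.endswith(("powershell.exe", "pwsh.exe")) and obj.endswith(WEBSHELL_EXT)


def evaluate(lines):
    """Return (event_index, rule_name) for every event that fires a rule."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if rule1_filepath(ev):
            hits.append((i, "Rule1-FilePath"))
        if rule2_powershell_webshell(ev):
            hits.append((i, "Rule2-PowerShellWebshell"))
    return hits


if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```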

Where To Find This Content

As mentioned above, these rules were included in the IBM QRadar Endpoint Content Extension pack version 3.0.0, which can be found in the IBM App Exchange. Install it today to ensure you can detect any attempted exploitation of your on-prem SharePoint instances!

Conclusion

Zero-day attacks exploit previously unknown vulnerabilities, making them extremely difficult to detect and defend against. As cyber threats continue to increase in complexity and frequency, the importance of effective detection engineering cannot be overstated. A well-designed detection system can mean the difference between a minor incident and a catastrophic breach. Effective detection engineering requires a deep understanding of both the attackers' techniques and the organization's own systems and vulnerabilities. Keep an eye out for future blog posts from our experts on the QRadar detection engineering content team.
