Malicious Hackers Exploit SharePoint Zero-Day

Posted on September 3, 2025 / September 26, 2025 by Finstein.ai

Active attacks on CVE-2025-53770 hit U.S. agencies and firms, installing the ToolShell backdoor for data theft
July 2025

Microsoft has released an emergency security update to fix an actively exploited vulnerability in SharePoint Server, tracked as CVE-2025-53770. The flaw is reportedly being used in real-world attacks to compromise U.S. federal agencies, universities, and energy firms.

Vulnerability Overview

  • CVE-2025-53770 affects on-premises SharePoint Servers only; Microsoft 365 and SharePoint Online are not impacted.
  • It is a variant of an earlier vulnerability (CVE-2025-49706) which Microsoft attempted to patch on July 8, 2025.

Exploitation Details

  • Attackers are using the flaw to implant a backdoor named “ToolShell” that grants unauthenticated remote access to SharePoint servers.
  • ToolShell allows attackers to access internal files, configurations, and execute arbitrary code.
  • Researchers at Eye Security first detected large-scale exploitation on July 18, confirming dozens of server breaches.

Critically, attackers are targeting and extracting ASP.NET machine keys, which can be reused for future attacks. According to Eye Security, patching alone is insufficient: organizations must rotate machine keys and restart IIS immediately.
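One way to confirm that the rotation described above actually took effect on every server, as an added example (not code from the original post, Eye Security or Microsoft): it fingerprints the `<machineKey>` element of each server's web.config and flags any server still carrying a pre-rotation key. The server names, key values and status labels are constructed, and it assumes all inputs belong to one web application whose keys are stored explicitly in web.config.

```python
import hashlib
import xml.etree.ElementTree as ET

def key_fingerprint(web_config_xml):
    """SHA-256 of the explicit <machineKey> keys, or None if there are none.
    Comparing fingerprints keeps the secrets themselves out of reports."""
    mk = ET.fromstring(web_config_xml).find(".//machineKey")
    if mk is None:
        return None
    vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
    if not vk or not dk or "AutoGenerate" in vk + dk:
        return None
    material = f"{vk.strip().upper()}|{dk.strip().upper()}".encode()
    return hashlib.sha256(material).hexdigest()

def audit_rotation(baseline, current):
    """baseline/current map server name -> web.config text captured before
    and after rotation. Returns {server: status}."""
    old = {key_fingerprint(x) for x in baseline.values()} - {None}
    fps = {s: key_fingerprint(x) for s, x in current.items()}
    fresh = {fp for fp in fps.values() if fp and fp not in old}
    report = {}
    for server, fp in fps.items():
        if fp is None:
            report[server] = "NO_EXPLICIT_KEY"  # nothing to compare; check by hand
        elif fp in old:
            report[server] = "STALE"            # a possibly stolen key is still live
        elif len(fresh) > 1:
            report[server] = "MISMATCH"         # rotated, but servers disagree
        else:
            report[server] = "ROTATED"
    return report

def sample_config(vk, dk):
    """Constructed minimal web.config; the key values are made up."""
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" validation="HMACSHA256" decryption="AES" />'
            '</system.web></configuration>' % (vk, dk))

# Constructed sample farm: wfe2 was missed during rotation.
BASELINE = {"wfe1": sample_config("AA" * 32, "BB" * 24),
            "wfe2": sample_config("AA" * 32, "BB" * 24)}
CURRENT = {"wfe1": sample_config("CC" * 32, "DD" * 24),
           "wfe2": sample_config("AA" * 32, "BB" * 24),
           "wfe3": "<configuration><system.web /></configuration>"}

if __name__ == "__main__":
    for server, status in sorted(audit_rotation(BASELINE, CURRENT).items()):
        print(f"{server}: {status}")
```

A STALE result means that server still needs the new keys and the IIS restart.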

Global Concern

  • The Cybersecurity & Infrastructure Security Agency (CISA) confirmed the active exploitation and urged immediate mitigation.
  • CISA recommends enabling AMSI, deploying Microsoft Defender AV, and disconnecting servers from the internet until patched.
  • Canada and Australia are reportedly assisting the U.S. in the investigation.

Related Vulnerabilities

  • CVE-2025-53770 is part of a broader exploit chain seen in the Pwn2Own 2025 competition, involving CVE-2025-49704 and CVE-2025-49706.
  • Microsoft has also released a patch for CVE-2025-53771, which is not currently under active attack, but is intended to strengthen overall defenses.

Microsoft has provided updates for SharePoint Server Subscription Edition and SharePoint Server 2019, with additional patches for other versions still pending.

Don’t wait for a breach. Secure your systems today, stay protected always.

praveen@finstein.ai | www.cyber.finstein.ai

Source: Microsoft Fix Targets Attacks on SharePoint Zero-Day (Krebs on Security)
