Microsoft and CISA warn of active attacks on on-premises SharePoint servers
=======================================================================
A critical vulnerability in Microsoft's SharePoint, known as ToolShell (CVE-2025-53770), is currently being exploited by sophisticated threat actors. This vulnerability, which involves unsafe deserialization leading to remote code execution (RCE), was first demonstrated by researchers at Viettel Cyber Security at Pwn2Own.
The Cybersecurity and Infrastructure Security Agency (CISA) was made aware of the exploitation by a trusted partner and immediately reached out to Microsoft to take action. In response, Microsoft has released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771.
The attacks have compromised at least two federal agencies in the U.S., as well as multiple European government agencies and a U.S. energy company, according to The Washington Post. Researchers from watchTowr suggest that exploitation may have begun as early as July 16. Google's Threat Intelligence Group has observed hackers installing Web shells and stealing cryptographic secrets from targeted servers.
Hackers have already breached dozens of vulnerable systems in at least two attack waves, according to Eye Security researchers. Charles Carmakal, CTO of Mandiant Consulting - Google Cloud, assesses that at least one of the actors responsible for early exploitation is a China-nexus threat actor.
Mandiant provided a comment on the situation to Cybersecurity Dive. More than 1,100 vulnerable servers have been detected, including some belonging to K-12 school districts and universities. The Multi-State Information Sharing and Analysis Center has notified over 150 state and local government agencies about the vulnerability.
Carmakal warns that multiple actors are now actively exploiting this vulnerability, and additional hackers with diverse motives are likely to engage in similar activity. The vulnerability allows a malicious adversary to gain full access to SharePoint content, including file systems and internal configurations.
Recommended mitigations
Organizations with internet-exposed SharePoint servers should assume compromise and take immediate action. The recommended mitigations are:
- Apply Microsoft’s emergency patches immediately for CVE-2025-53770 and CVE-2025-53771 released for SharePoint Server Subscription Edition and SharePoint Server 2019.
- Rotate ASP.NET machine keys (ValidationKey and DecryptionKey) on SharePoint servers and restart IIS to invalidate forged VIEWSTATE tokens used by attackers for persistence.
- Perform active threat hunting and forensic investigation for the known indicators of compromise, including POST requests to /layouts/15/ToolPane.aspx?DisplayMode=Edit with a spoofed Referer of /_layouts/SignOut.aspx, deployment of web shells such as spinstall0.aspx, and anomalous VIEWSTATE activity.
- Update intrusion prevention systems and Web Application Firewall (WAF) rules to detect/block exploit payloads and behavior patterns targeting these SharePoint services.
- Consider virtual patching via WAF managed rulesets if patching is delayed or not possible immediately.
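A small hunting routine for the request-based indicators listed above, added here as an example and not taken from Microsoft, CISA or any of the researchers cited: it parses IIS W3C log lines and flags a ToolPane.aspx POST in edit mode whose Referer claims to come from SignOut.aspx, plus any request for the spinstall0.aspx web shell path. The log excerpt is constructed, the hostname sp.example.test and the reduced field set are assumptions, and the path check is on the ToolPane.aspx file name so that both the /layouts/15/ and /_layouts/15/ spellings are caught.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not real traffic). The #Fields directive
# defines the column order exactly as IIS writes it; "-" marks an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 12:00:01 GET /_layouts/15/start.aspx - 10.0.0.5 - 200
2025-07-18 12:00:07 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.10 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-18 12:00:09 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 - 200
2025-07-18 12:01:00 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.7 https://sp.example.test/sites/hr/SitePages/Home.aspx 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than crash
        yield dict(zip(fields, values))


def toolshell_findings(text):
    """Return (client_ip, reason) for each request matching the listed indicators."""
    findings = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = parse_qs(rec.get("cs-uri-query", "").lower())  # "-" parses to {}
        referer = rec.get("cs(Referer)", "").lower()
        ip = rec.get("c-ip", "?")
        # Exploit pattern: POST to ToolPane.aspx in edit mode whose Referer claims
        # to come from the sign-out page. Legitimate editors arrive from a site page.
        if (rec.get("cs-method") == "POST"
                and stem.endswith("/toolpane.aspx")
                and "edit" in query.get("displaymode", [])
                and referer.endswith("/_layouts/signout.aspx")):
            findings.append((ip, "ToolPane.aspx POST with DisplayMode=Edit and SignOut.aspx Referer"))
        # Any hit on the web-shell file name is suspicious regardless of method.
        elif stem.endswith("/spinstall0.aspx"):
            findings.append((ip, "request to web shell path spinstall0.aspx"))
    return findings


if __name__ == "__main__":
    for ip, reason in toolshell_findings(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The internal editor's POST on the last sample line is deliberately not flagged: DisplayMode=Edit alone is routine page editing, and it is the SignOut.aspx Referer that distinguishes the exploit traffic.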
Microsoft is working with CISA to help notify potentially impacted entities about recommended mitigations. Shadowserver is tracking 9,300 exposed IPs and is collaborating with watchTowr and Eye Security to notify affected customers. Researchers at Eye Security first disclosed the flaw on Saturday and have scanned over 8,000 SharePoint servers worldwide.