🚨 85 orgs breached. No patch. No warnings. Just silence. Microsoft SharePoint is under active attack—CVE-2025-53770 enables unauthenticated remote code execution using stolen MachineKeys and weaponized __VIEWSTATE payloads. ToolShell chaining makes this the most dangerous SharePoint exploit since CVE-2019-0604. ☠️ Governments and global enterprises already compromised. 👀 Your server could be next—and traditional MFA won’t help. 🔎 Full threat breakdown, mitigation roadmap, IOCs, and threat hunting queries inside. This is the kind of vulnerability that reshapes policy. Read it before the threat actors do. #CyberSecurity #SharePoint #ZeroDay #RCE #ThreatIntelligence #Infosec #Microsoft #vulnerability #BlueTeam #RedTeam 👇Click below to read full article 👇
SharePoint Server Remote Code Execution Exploits
Summary
CVE-2025-53770 and the related "ToolShell" chain (CVE-2025-49704 and CVE-2025-49706) are remote code execution flaws in on-premises SharePoint Server that let an attacker run code on the server without authenticating, giving full control of the affected system. In the attacks described below, the exploit also steals the server's ASP.NET MachineKey, which lets the attacker forge signed __VIEWSTATE payloads and keep access after the security update is installed, while blending into normal SharePoint traffic that signature-based tools miss.
- Update and investigate: Apply the July 2025 security updates for your SharePoint version immediately, then hunt for signs of compromise such as unauthorized .aspx files (spinstall0.aspx is the one named in the posts below) under the Web Server Extensions LAYOUTS directory, unexpected changes to configuration files, and POST requests to /_layouts/15/ToolPane.aspx.
- Rotate sensitive keys: If you find any sign that a server was exploited, rotate its ASP.NET MachineKey (the validationKey and decryptionKey) and restart IIS. Stolen keys stay valid after patching, so removing a webshell without rotating the key leaves the attacker a way back in.
- Monitor for unusual activity: Don't rely on alerts alone. Review IIS and SharePoint logs and network telemetry for anomalies such as POSTs to ToolPane.aspx from unauthenticated or unfamiliar IPs, new files in web-served directories, and follow-on activity like credential theft or lateral movement.
-
⚠️ Google Threat Intelligence Group is tracking active exploitation of a SharePoint Zero-Day vulnerability. Tonight, Microsoft released CVE-2025-53770 to track a critical, unpatched vulnerability in on-premises SharePoint servers that is being actively exploited. GTIG has observed threat actors using this flaw to install webshells and exfiltrate cryptographic MachineKey secrets from victim servers. The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching. Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat. There is no patch available yet.

Here are the immediate actions for any organization running on-premises SharePoint:

🛡️ 1. Apply Mitigations: Microsoft's primary mitigation is to configure the AMSI integration with SharePoint and ensure Microsoft Defender AV is active. If you cannot, consider disconnecting SharePoint from the internet until a patch is available.
🔎 2. Hunt for Compromise: Actively search for webshells in SharePoint directories. The presence of a webshell is a definitive sign of compromise.
🔑 3. Rotate Keys if Compromised: If you find evidence of compromise, you must isolate the server and rotate the SharePoint MachineKey. Simply removing the webshell is not enough. The attacker already has the keys, and rotating them is the only way to invalidate their access.

#SharePoint #CyberSecurity #ThreatIntel #InfoSec #0day #CVE #GTIG
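The key-theft point in the post above, as an added illustration written for this page (not GTIG's or Microsoft's code): a simplified model of the MAC that ASP.NET puts on __VIEWSTATE using the MachineKey validationKey. Real ASP.NET 4.5+ derives purpose-specific keys from the MachineKey before applying HMAC-SHA256 and then gates deserialization on the MAC, so this is the shape of the check, not its exact bytes. The `SharePointServer` class, the payload string and the step names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 digest length


def new_validation_key() -> bytes:
    """Generate a fresh validationKey (ASP.NET uses a 64-byte key for HMACSHA256)."""
    return secrets.token_bytes(64)


def sign_viewstate(validation_key: bytes, payload: bytes) -> bytes:
    """Append a MAC so the server can detect tampering. Anyone who holds the
    key, including an attacker who read it off the server, can produce this."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload + mac


def verify_viewstate(validation_key: bytes, blob: bytes):
    """Return the payload if the MAC matches the server's current key, else None.
    In real ASP.NET a valid MAC is what allows the payload to be deserialized."""
    if len(blob) < MAC_LEN:
        return None
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


class SharePointServer:
    """Minimal stand-in (constructed for this example) for a server whose
    MachineKey lives in configuration and survives patching."""

    def __init__(self) -> None:
        self.validation_key = new_validation_key()
        self.webshell_present = False

    def accepts(self, viewstate: bytes) -> bool:
        return verify_viewstate(self.validation_key, viewstate) is not None

    def rotate_machine_key(self) -> None:
        # Stands in for SharePoint's machine-key rotation plus an IIS restart.
        self.validation_key = new_validation_key()


def simulate_incident() -> dict:
    """Walk the sequence from the post: webshell -> key theft -> patch -> rotation."""
    server = SharePointServer()

    # 1. Exploit lands a webshell; the attacker reads the validationKey off the box.
    server.webshell_present = True
    stolen_key = server.validation_key

    # 2. The attacker signs their own state with the stolen key. The server
    #    cannot tell this apart from state it produced itself.
    forged = sign_viewstate(stolen_key, b"attacker-controlled viewstate")
    outcome = {"forged_accepted_while_webshell_present": server.accepts(forged)}

    # 3. The defender patches the CVE and deletes the webshell. The key is
    #    unchanged, so the forged ViewState still validates.
    server.webshell_present = False
    outcome["forged_accepted_after_patch_and_cleanup"] = server.accepts(forged)

    # 4. The defender rotates the MachineKey. Only now does the forged blob fail.
    server.rotate_machine_key()
    outcome["forged_accepted_after_key_rotation"] = server.accepts(forged)
    return outcome


if __name__ == "__main__":
    for step, accepted in simulate_incident().items():
        print(f"{step}: {'ACCEPTED' if accepted else 'rejected'}")
```

On a real farm the rotation is Microsoft's procedure, not a Python call: the `Update-SPMachineKey` PowerShell cmdlet (or the Machine Key Rotation timer job in Central Administration) followed by an IIS restart on every SharePoint server. Do it after cleanup, not instead of it, and on every server in the farm, since a key left unrotated on one front end still validates the attacker's payloads there.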
-
🚨 Assume Breach. Even If You See Nothing. 🚨

A wave of attacks is hitting Microsoft SharePoint, exploiting CVE-2025-53770. This isn’t just another vulnerability, it’s a critical, unauthenticated remote code execution (RCE) flaw under active, surgical exploitation. Patches dropped on July 20 and July 21 for SharePoint Subscription Edition and 2019 and SharePoint 2016. CISA added it to the KEV catalog, and a good number of servers are already compromised. Your SIEM or XDR might be quiet, but that doesn’t mean you’re safe.

The vulnerability ties back to the “ToolShell” exploit chain (CVE-2025-49704 and CVE-2025-49706), showcased at Pwn2Own Berlin in May 2025. Huge props to Viettel Cyber Security for their responsible disclosure through Trend Zero Day Initiative.

At Trend Micro, our TippingPoint protections, rolled out in May for related flaws, have been shielding against CVE-2025-53770 attacks using the power of the bug bounty program integrated in TippingPoint threat intelligence. But protection is only step one.

Here’s the hard truth: Threat actors are already inside networks, using this as a foothold to steal credentials, plant backdoors, and move laterally. These attacks are stealthy, blending seamlessly into normal SharePoint activity. You usually won’t spot them in standard logs, and ransomware isn’t the immediate goal—persistence is. If you’re not hunting for trouble, you’re already behind.

This isn’t a “patch and move on” moment. It’s a “drop everything and investigate” moment. Run memory forensics. Hunt for post-exploitation signs like spinstall0.aspx in your Web Server Extensions folder. Scrutinize SharePoint config files, check for webshells, and dig into proxy logs for suspicious POST requests to /_layouts/15/ToolPane.aspx. Act now, or you’re giving attackers free rein.

Trend Micro has detailed technical guidance and IOCs out, and we’re working closely with partners to track these exploitation patterns.

If you need help gauging your exposure or want to strengthen detection, prevention, or response, let’s connect.
-
Last week's announcement by Microsoft of a critical SharePoint zero‑day (CVE‑2025‑53770, CVSS of 9.8) carries several important lessons.

1️⃣ Patched != fixed. In this case, CVE-2025-53770 appears to be a patch bypass of a vulnerability previously announced, CVE-2025-49704 (CVSS of 8.8), as patched in July 2025.
2️⃣ Chaining multiple low, medium, and / or high vulnerabilities can result in a critical exposure. The previous vulnerability, CVE-2025-49704, was part of an exploit chain involving an authentication bypass (CVE-2025-49706, CVSS of 6.5), and a deserialization of untrusted data vulnerability (CVE-2025-49704) to achieve unauthenticated remote code execution (RCE).
3️⃣ Ongoing testing matters—even for decades‑old apps. This latest incident is a powerful reminder that legacy systems aren’t “safe” just because they've been around for years.

In cybersecurity, the ground is always shifting. Attackers rapidly weaponized known weaknesses by chaining together bugs even after patches were released. Threat actors are innovating by bypassing existing patches, highlighting deficiencies in initial fixes. And many organizations still run this vulnerable version of on‑prem SharePoint—software that’s over a decade old—because it's deeply embedded in critical workflows.

Advice for cyberdefenders:
➡️ Adopt continuous security testing. Don’t rely solely on Patch Tuesday—use red‑teaming, fuzzing, and third‑party pentests, especially for legacy systems.
➡️ Prioritize rapid patching and layered defenses. For example, in this case, apply updates immediately, enable AMSI in full mode, use Defender AV/Endpoint, and rotate ASP.NET machine keys.
➡️ Monitor & respond as if breached. Assume compromise on exposed servers, hunt for indicators like unauthorized .aspx files, rotated keys, and odd IIS behavior.
➡️ De‑risk old infrastructure. Where possible, migrate legacy workloads to cloud-native platforms or implement strict isolation and network controls.

In today’s threat landscape, age doesn’t grant immunity. Decades-old apps can harbor fresh risks. A strategy of continuous validation, layered controls, and proactive assumption of compromise is essential to stay ahead of agile adversaries. #CyberSecurity #SharePoint #ZeroDay #LegacySystems #InfoSec #DevSecOps
-
Signature-based detection is a relic. The SharePoint "ToolShell" breach is one of the most important case studies this year for why threat detection needs to evolve.

Last week, Microsoft issued an emergency fix for CVE-2025-53770, a zero-day vulnerability in on-prem SharePoint servers. Attackers used custom exploit code to gain unauthenticated remote code execution, steal ASP.NET machine keys, and install a modular post-exploitation framework now referred to as ToolShell. The scope is serious: victims include U.S. federal agencies, universities, and major enterprises. Even more concerning: patching may not be enough. If an attacker has already stolen your machine keys, they can maintain access even after updates are applied.

This breach highlights a few key realities:
👉 Exploits are increasingly built to evade signature-based detection.
👉 Post-compromise persistence is getting harder to spot, especially in large hybrid environments.
👉 Timely patching is necessary, but no longer sufficient on its own.

What's needed is broader visibility and more adaptive detection. The best security teams I know are rethinking their approach to threat hunting. Instead of waiting for alerts, they’re proactively investigating for signs of abuse, especially in gray zones like unusual API behavior, lateral movement, or anomalous key usage. These are hard problems to solve with traditional tools. You need correlation across systems, behavioral context, and the ability to respond faster than human triage alone allows. Whether that’s supported by smarter automation, detection engineering, or emerging AI capabilities, the direction of travel is clear: we’re moving toward more continuous, contextual threat detection.

ToolShell won’t be the last reminder. But it’s a timely one.
-
Bitdefender Labs and MDR teams confirm active, widespread exploitation of CVE-2025-53770 in on-premises Microsoft SharePoint Server.

Immediate action to take:
- Apply emergency patches (KB5002754 for SharePoint 2019, KB5002768 for Subscription Edition; 2016 patch pending)
- Rotate ASP.NET Machine Keys

Edge network device exploits serve as a "beachhead" for follow-up attacks like ransomware (days or weeks later). We've tracked record ransomware activity to single vulnerabilities exploited months prior, demonstrating this pattern.

Read the full technical advisory for IoCs and detailed guidance: https://lnkd.in/ed_SHiq6
-
What Does Cybereason Know So Far:

May 2025 – At Pwn2Own Berlin, Viettel Cyber Security demonstrated a chained SharePoint attack (ToolShell) using CVE-2025-49704 (deserialization RCE) and CVE-2025-49706 (auth bypass).
July 9, 2025 (Patch Tuesday) – Microsoft released fixes for CVE‑2025‑49704 and CVE‑2025‑49706.
July 14, 2025 – CODE WHITE GmbH reproduced the ToolShell exploit chain.
July 18, 2025 – Eye Security observed active exploitation of SharePoint servers, initially attributing it to the previous CVEs.
Evening of July 18 – Eye Security began investigating and discovered it was a new zero‑day.
July 20, 2025 – Microsoft officially acknowledged active attacks and assigned CVE‑2025‑53770, adding it to CISA’s Known Exploited Vulnerabilities catalog.
July 20–21, 2025 – Microsoft released emergency patches for SharePoint Server Subscription Edition and 2019; patches for SharePoint 2016 still developing.
July 21, 2025 – Cybereason is monitoring globally protected clients through our MDR services and is witnessing follow-on threat actors beginning to leverage a variety of webshells and varying attack patterns to move through the Cybereason Intrusion Path.

Recommendations below in comments...
-
Still have an on-premises SharePoint Server?

Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)

CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premises SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

CISA recommends the following actions to reduce the risks associated with the RCE compromise:
- For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
- Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
- Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
- Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
- Audit and minimize layout and admin privileges.
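The hunting steps named in the Trend Micro post (POSTs to /_layouts/15/ToolPane.aspx, spinstall0.aspx) and in the CISA guidance above (the DisplayMode=Edit query, the three listed IPs and the 18-19 July window) as one runnable check, added here as an example and not taken from either post or from any vendor tool. It parses IIS W3C extended logs, which carry a `#Fields:` header naming the columns. The log lines are constructed for the demonstration; the only indicators in the code are the ones quoted on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Indicators quoted in the posts above. The IPs and the date window are the
# ones CISA listed; spinstall0.aspx is the file Trend Micro named.
IOC_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
IOC_WINDOW = (date(2025, 7, 18), date(2025, 7, 19))
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
WEBSHELL_FILENAMES = {"spinstall0.aspx"}


@dataclass
class Hit:
    line_no: int
    reason: str
    client_ip: str
    request: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field->value) for each record of a W3C extended log.
    IIS encodes spaces inside values as '+', so splitting on spaces is safe."""
    fields: Optional[List[str]] = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields directive: column meaning unknown
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than guess
        yield n, dict(zip(fields, values))


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Flag the request patterns from the posts. One record can raise several hits."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        ip = rec.get("c-ip", "-")
        request = f"{method} {stem}" + ("" if query == "-" else f"?{query}")

        if (method == "POST" and stem.lower() == TOOLPANE_STEM
                and "displaymode=edit" in query.lower()):
            hits.append(Hit(n, "POST to ToolPane.aspx?DisplayMode=Edit", ip, request))

        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_FILENAMES:
            hits.append(Hit(n, "request for known webshell filename", ip, request))

        if ip in IOC_IPS:
            try:
                day = date.fromisoformat(rec.get("date", ""))
                window = ("inside" if IOC_WINDOW[0] <= day <= IOC_WINDOW[1]
                          else "outside") + " the 18-19 July window"
            except ValueError:
                window = "date unreadable"
            hits.append(Hit(n, f"traffic from CISA-listed IP, {window}", ip, request))
    return hits


# Constructed sample log (not real telemetry): a benign page load, the exploit
# pattern from a listed IP, the webshell being called, a later probe from
# another listed IP, and a legitimate authenticated editor hitting ToolPane.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Date: 2025-07-18 00:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.71 Mozilla/5.0 - 200 0 0 45",
    "2025-07-18 21:14:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 312",
    "2025-07-18 21:14:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 18",
    "2025-07-22 10:02:11 10.0.0.5 GET /_layouts/15/settings.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 401 2 5 9",
    "2025-07-22 11:30:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\siteowner 10.0.0.88 "
    "Mozilla/5.0 https://intranet.contoso.local/sites/hr/SitePages/Home.aspx 200 0 0 77",
]


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} {h.request} -> {h.reason}")
```

Point it at exported IIS logs with `hunt(open(path, encoding="utf-8", errors="replace"))`. A POST to ToolPane.aspx?DisplayMode=Edit is also what a legitimate page editor produces, as the last sample line shows, so treat ToolPane hits as leads to correlate with the client IP, whether `cs-username` is `-` (unauthenticated), the time of day, and any .aspx file written under the TEMPLATE\LAYOUTS directory of the Web Server Extensions folder shortly afterwards; the spinstall0.aspx and listed-IP hits are the ones to escalate immediately.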