Ethical Hacking News
A global cybersecurity nightmare has unfolded as government-backed hackers exploit a previously undisclosed vulnerability in Microsoft's SharePoint Server, leaving hundreds of thousands of organizations potentially vulnerable to attack. As the situation continues to unfold, security experts are sounding the alarm on the potential for further exploitation and the need for immediate action.
A major security snafu has hit Microsoft, with a zero-day bug in SharePoint Server being exploited by government-backed hackers. The vulnerability allows attackers to gain unauthorized access to sensitive data and execute code over the network. The affected versions include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Nation-state actors are likely involved in the attack, which has already had a significant impact across hundreds of organizations worldwide. The attack highlights the ongoing threat posed by zero-day vulnerabilities and the need for businesses and governments to remain vigilant.
A major security snafu has hit Microsoft, and it's not the first time this year. A zero-day bug in SharePoint Server, which was left unfixed by Redmond, has been exploited by government-backed hackers to gain unauthorized access to sensitive data across the globe. The flaw, CVE-2025-53770, is a variant of a previously disclosed vulnerability, CVE-2025-49706, which Microsoft attempted to patch in its July Security Update.
The attack vector involves a critical, 9.8-rated remote code execution vulnerability that allows attackers to fully take over SharePoint Servers, including file systems and internal configurations, and execute code over the network. According to security researchers, once inside, attackers can exfiltrate sensitive data, deploy persistent backdoors, and steal cryptographic keys.
The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Notably, as of Monday, SharePoint 2016 still has no fix. Microsoft has warned that it is "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update."
Security experts believe that all signs point to another nation-state attack. The nature of this campaign — stealthy, highly targeted, and aimed at government and telecom sectors — strongly suggests the work of a nation-state actor and points to a broader espionage effort.
"Microsoft's ubiquity in enterprise environments makes it an attractive target for adversaries seeking covert access to sensitive systems," said Lotem Finkelstein, director of threat intelligence at Check Point Research. "This isn't about weak security standards. It's about the strategic value of compromising the most widely used platforms."
In fact, the attack has already had a significant impact across hundreds of organizations worldwide, including those considered highly sensitive such as government, education, and critical infrastructure.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on the ToolShell attacks, added the CVE to its Known Exploited Vulnerabilities catalog, and instructed all US federal civilian executive branch agencies to identify potentially affected systems and apply mitigations by July 21. The UK's National Cyber Security Centre (NCSC) has also disclosed a "limited number" of British organizations under attack.
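The federal deadline above is the kind of input a patch-management team turns into a prioritised work list. The following is an added example, not code from the article, CISA or Microsoft: it parses a document in the shape of CISA's KEV JSON feed (published at the URL in the code) and cross-references it with an asset inventory to flag which hosts are still unremediated and how far past the due date they are. The feed excerpt and the inventory are constructed; only the CVE id, vendor/product and the July 21 due date come from the article, while the dateAdded value, the vulnerability name and description, the hostnames and the editions assigned to them are sample data.

```python
import json
from datetime import date, datetime

# Real feed location; this example does not fetch it, it parses a constructed excerpt.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the KEV feed's JSON shape (not the live feed). The CVE id,
# vendor/product and the 2025-07-21 due date are from the article; dateAdded, the
# name and the description are sample text.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-53770",
      "vendorProject": "Microsoft",
      "product": "SharePoint",
      "vulnerabilityName": "Microsoft SharePoint Server RCE (constructed sample name)",
      "dateAdded": "2025-07-20",
      "shortDescription": "Sample text: on-premises SharePoint Server remote code execution.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2025-07-21",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}"""

# Constructed asset inventory; hostnames, editions and patch state are made up.
SAMPLE_INVENTORY = [
    {"host": "sp-2019-01", "vendor": "Microsoft", "product": "SharePoint Server 2019",
     "internet_facing": True, "patched_cves": []},
    {"host": "sp-2016-01", "vendor": "Microsoft", "product": "SharePoint Enterprise Server 2016",
     "internet_facing": False, "patched_cves": []},
    {"host": "sp-sub-01", "vendor": "Microsoft", "product": "SharePoint Server Subscription Edition",
     "internet_facing": True, "patched_cves": ["CVE-2025-53770"]},
    {"host": "ex-01", "vendor": "Microsoft", "product": "Exchange Server 2019",
     "internet_facing": True, "patched_cves": []},
]


def parse_kev(feed_text):
    """Return {cveID: entry} from a KEV feed document."""
    doc = json.loads(feed_text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def kev_matches_asset(entry, asset):
    """Loose vendor/product match: the feed says 'SharePoint', inventories name editions."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() in asset["product"].lower())


def triage(feed_text, inventory, today):
    """List every asset matching a KEV entry with its remediation status.

    `today` may be a date or an ISO date string. Unremediated, internet-facing
    and most-overdue hosts are sorted to the front of the list.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = parse_kev(feed_text)
    findings = []
    for asset in inventory:
        for cve, entry in kev.items():
            if not kev_matches_asset(entry, asset):
                continue
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            if cve in asset["patched_cves"]:
                status, overdue = "remediated", 0
            elif today > due:
                status, overdue = "overdue", (today - due).days
            else:
                status, overdue = "due", 0
            findings.append({"host": asset["host"], "cve": cve, "status": status,
                             "days_overdue": overdue,
                             "internet_facing": asset["internet_facing"]})
    findings.sort(key=lambda f: (f["status"] == "remediated",
                                 not f["internet_facing"],
                                 -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-07-23"):
        print(finding)
```

Against the live catalog, replace SAMPLE_KEV_JSON with the text fetched from KEV_FEED_URL and SAMPLE_INVENTORY with an export from the CMDB or scanner; the product match is deliberately loose because KEV names the product family while inventories name editions, so review the matches rather than treating them as authoritative.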
However, it seems that the attackers have already stolen sensitive information from governments, telecommunications, education, critical infrastructure, and software companies across the globe.
"We're fairly certain it's for once acceptable to call this a close-to-worst-case scenario," said Ryan Dewhurst, head of proactive threat intelligence at WatchTowr. "Initial scans began hitting the internet on July 16; by July 17 and 18, exploitation was in full swing, prompting Microsoft's official public advisory on July 19."
The attack has also raised concerns about the global impact of this vulnerability, with Qualys noting that a Fofa search revealed more than 205,000 targets, suggesting hundreds of thousands of potentially vulnerable instances.
As for who is behind the attacks, while it seems that nation-state actors are likely involved, the exact identity remains unclear. However, security experts agree that all signs point to another espionage effort.
The attack highlights the ongoing threat posed by zero-day vulnerabilities and the need for businesses and governments to remain vigilant in the face of these types of exploits.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Global-Cybersecurity-Nightmare-The-Widespread-Exploitation-of-a-SharePoint-Zero-Day-Vulnerability-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/07/21/massive_security_snafu_microsoft/
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Mon Jul 21 17:06:41 2025 by llama3.2 3B Q4_K_M