Ethical Hacking News
Critical Unpatched SharePoint Zero-Day Actively Exploited: A Global Threat Looms. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3). The vulnerability has been exploited through deserialization of untrusted data in on-premises Microsoft SharePoint Server.
A critical security vulnerability in Microsoft SharePoint Server has been weaponized, leaving 75+ global organizations on high alert. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), allows an unauthorized attacker to execute code over a network through deserialization of untrusted data. The vulnerability is being used by attackers to deliver ASPX payloads via PowerShell, which are then used to steal the SharePoint server's MachineKey configuration. Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 but acknowledged the issue and stated it's preparing a comprehensive update. Customers are urged to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.
A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign, leaving 75+ global organizations on high alert. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.
According to Eye Security, a cybersecurity company, the zero-day flaw in SharePoint allows an unauthorized attacker to execute code over a network through deserialization of untrusted data in on-premises Microsoft SharePoint Server. This vulnerability has been dubbed "ToolShell" and is being used by attackers to deliver ASPX payloads via PowerShell, which are then used to steal the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey.
These keys are crucial for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity. The Dutch cybersecurity company has warned that this exploit chain is being used by attackers to facilitate arbitrary command execution on susceptible instances of SharePoint Server.
Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation, but the company has acknowledged the issue and stated that it's preparing a comprehensive update to resolve the problem. The Windows maker credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro's Zero Day Initiative (ZDI).
In response to this vulnerability, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers. For those who cannot enable AMSI, it's advised that the SharePoint Server be disconnected from the internet until a security update is available.
The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 to facilitate arbitrary command execution on susceptible instances. The malicious activity essentially involves delivering ASPX payloads via PowerShell, which is then used to steal the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey.
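The exploit chain described above and in the earlier paragraph (ASPX payload inside the SharePoint IIS worker, PowerShell spawned from it, then the MachineKey section of web.config read to obtain the ValidationKey and DecryptionKey) gives defenders two concrete things to hunt for. The following is an added example, not code from the article or from Eye Security, that scans constructed Sysmon-style process-creation events for both signals; the field names (ParentImage, Image, CommandLine) and all sample events are assumptions built for this illustration.

```python
"""Detection for the ToolShell chain: w3wp.exe (SharePoint's IIS worker)
spawning a shell, and command lines that touch ASP.NET MachineKey material.
Sample events below are constructed, not real telemetry."""
import json
import re

# Children a SharePoint worker process should never spawn in normal operation.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Fragments that point at reading the machineKey / ViewState signing keys.
KEY_THEFT_PATTERNS = re.compile(
    r"machinekey|validationkey|decryptionkey|web\.config", re.IGNORECASE
)

def classify_event(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list = benign)."""
    reasons = []
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"IIS worker spawned {image}")
    if KEY_THEFT_PATTERNS.search(event.get("CommandLine", "")):
        reasons.append("command line references ASP.NET MachineKey material")
    return reasons

def scan(lines: list) -> list:
    """Scan JSON log lines; return (line_no, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        reasons = classify_event(event)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample events: an admin's interactive shell (benign),
# a shell spawned by the IIS worker, and a key-reading command line.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_LOG = [
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
                "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}),
    json.dumps({"ParentImage": W3WP, "Image": PS,
                "CommandLine": "powershell.exe -NoProfile -Command whoami"}),
    json.dumps({"ParentImage": W3WP, "Image": PS,
                "CommandLine": "powershell Select-String machineKey web.config"}),
]

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```

The same two checks map directly onto a SIEM rule: alert on any process creation whose parent is w3wp.exe and whose image is a shell, and separately on any command line on a SharePoint host that mentions machineKey, validationKey or decryptionKey.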
The impact of this vulnerability is significant, with Eye Security warning that adversaries are laterally moving using this remote code execution with speed. "We are still identifying mass exploit waves," said Piet Kerkhofs, CTO of Eye Security. "This will have a huge impact as adversaries are laterally moving using this remote code execution with speed."
In total, almost 75 organizations have been breached, including big companies and large government bodies across the world. The attack is believed to be related to CVE-2025-53770, which is a variant of CVE-2025-49706.
The use of PowerShell in these attacks highlights the growing threat of supply chain attacks, where attackers exploit vulnerabilities in software or libraries used by developers. In this case, the vulnerability has been exploited through deserialization of untrusted data in on-premises Microsoft SharePoint Server.
As organizations scramble to patch their systems and prevent further exploitation, it's clear that this vulnerability is a wake-up call for many. The rapid spread of attacks like ToolShell underscores the need for organizations to prioritize security and keep their software up to date.
In addition to the critical vulnerability in SharePoint, there are several other pressing cybersecurity concerns on the horizon. As attackers continue to exploit vulnerabilities in software and systems, it's essential that organizations remain vigilant and proactive in defending against these threats.
The latest news and updates on this developing story will be available shortly.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Unpatched-SharePoint-Zero-Day-Actively-Exploited-A-Global-Threat-Looms-ehn.shtml
https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Sun Jul 20 05:34:46 2025 by llama3.2 3B Q4_K_M