Ethical Hacking News
A critical vulnerability in Microsoft's SharePoint Server has been exploited by malicious hackers, compromising U.S. federal and state agencies, universities, and energy companies. The vulnerability, known as CVE-2025-53770, allows attackers to gain unauthenticated remote access to systems, enabling them to steal sensitive information or use the server for further attacks. Organizations with SharePoint Server should take immediate action to patch their systems and implement robust security measures to protect against future attacks.
Microsoft has issued an emergency security update for a vulnerability in SharePoint Server that is being actively exploited by malicious hackers. The vulnerability, CVE-2025-53770, was identified by researchers at Eye Security and allows attackers to gain unauthenticated remote access to systems. CISA advises vulnerable organizations to enable the anti-malware scan interface (AMSI), deploy Microsoft Defender AV, and disconnect servers from the public-facing Internet until a patch is available. Microsoft has not yet released patches for all affected versions of SharePoint, including SharePoint 2016. The U.S. government and partners are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. Organizations with SharePoint Server should take immediate action to patch their systems and implement robust security measures to mitigate this risk.
Microsoft has issued an emergency security update for a vulnerability in its SharePoint Server that is actively being exploited by malicious hackers. The patch comes amid reports that the attackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies.
The vulnerability, known as CVE-2025-53770, was identified by researchers at Eye Security who first spotted large-scale exploitation of the SharePoint flaw on July 18, 2025. According to their findings, dozens of separate servers compromised by the bug were infected with a backdoor dubbed "ToolShell" that provides unauthenticated, remote access to systems.
Attackers exploiting this newly discovered flaw are retrofitting compromised servers with ToolShell, which enables them to fully access SharePoint content (including file systems and internal configurations) and execute code over the network. This means that attackers can steal sensitive information, manipulate data, or use the server as a launching point for further attacks.
CISA has advised vulnerable organizations to enable the anti-malware scan interface (AMSI) in SharePoint, deploy Microsoft Defender AV on all SharePoint servers, and disconnect affected products from the public-facing Internet until an official patch is available. They also recommend that organizations rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.
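The key-rotation and IIS-restart steps from the CISA guidance above, preceded by a Defender AV status check, as an added PowerShell example that is not from the article, Microsoft or CISA. It assumes an elevated SharePoint Management Shell on one farm server and PowerShell remoting between farm servers; enabling AMSI is not covered here.

```powershell
# Added example. Assumptions: elevated SharePoint Management Shell, and
# PowerShell remoting enabled between the farm's servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm members that actually run SharePoint and IIS. Database and other
# non-SharePoint hosts are listed in the farm with Role 'Invalid'.
$servers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

# 1. Confirm Microsoft Defender AV is active on every SharePoint server.
$defender = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-MpComputerStatus |
        Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
}
$defender | Format-Table PSComputerName, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

$unprotected = $defender |
    Where-Object { -not ($_.AntivirusEnabled -and $_.RealTimeProtectionEnabled) }
if ($unprotected) {
    Write-Warning ("Defender AV not fully enabled on: " + ($unprotected.PSComputerName -join ', '))
}

# 2. Rotate the ASP.NET machine keys: generate a new key for each web
#    application, then deploy it to the farm.
foreach ($webApp in Get-SPWebApplication) {
    Set-SPMachineKey -WebApplication $webApp
    Update-SPMachineKey -WebApplication $webApp
    Write-Host "Rotated machine key for $($webApp.Url)"
}

# 3. Restart IIS on all SharePoint servers so the new keys are in use.
Invoke-Command -ComputerName $servers -ScriptBlock { iisreset.exe }
```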
Microsoft's advisory states that the company has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016.
In a blog post, researchers at Eye Security warned that patching alone is not enough to protect vulnerable servers. They emphasized that affected organizations should take action immediately to secure their systems, as the threat is already operational and spreading rapidly.
Microsoft has described CVE-2025-53770 as related to a previous vulnerability, CVE-2025-49704, which was patched earlier this month, and says CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025. That exploit chain invoked a second SharePoint weakness, CVE-2025-49706, which Microsoft unsuccessfully tried to fix in this month's Patch Tuesday.
Microsoft has also issued a patch for a related SharePoint vulnerability, CVE-2025-53771. Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is intended to provide more robust protections than the update for CVE-2025-49706.
The U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. The Washington Post reported that at least two U.S. federal agencies have seen their servers breached via the SharePoint vulnerability.
In light of this new security threat, organizations with SharePoint Server should take immediate action to patch their systems and implement robust security measures. Failure to do so can result in serious consequences, including data breaches and potential financial losses.
In conclusion, the newly discovered SharePoint vulnerability poses a significant threat to vulnerable organizations worldwide. Microsoft's emergency security update and recommendations from CISA are crucial steps towards mitigating this risk. Organizations must prioritize their security posture by patching their systems and implementing robust security measures to protect against future attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/M-microsoft-Fix-Targets-Attacks-on-SharePoint-Zero-Day-Vulnerability-A-Threat-to-Vulnerable-Organizations-Worldwide-ehn.shtml
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
https://nvd.nist.gov/vuln/detail/CVE-2025-53771
https://www.cvedetails.com/cve/CVE-2025-53771/
Published: Mon Jul 21 16:57:09 2025 by llama3.2 3B Q4_K_M