

Ethical Hacking News

MICROSOFT RELEASES EMERGENCY PATCHES FOR SHAREPOINT RCE FLAWS EXPLOITED IN ATTACKS: A LATEST DEVELOPMENT IN THE ONGOING BATTLE AGAINST CYBER THREATS


Microsoft has released emergency patches for critical zero-day vulnerabilities in its SharePoint platform after malicious actors exploited two previously unknown flaws to launch "ToolShell" attacks on SharePoint servers worldwide. The patches aim to prevent further exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerabilities, and they come with guidance on patch installation, key rotation, and threat analysis.

  • Microsoft has released emergency patches for two zero-day vulnerabilities in its SharePoint platform.
  • The patches aim to prevent further exploitation of the "ToolShell" vulnerability chain, which allows attackers to execute arbitrary code on SharePoint servers.
  • Over 54 organizations have been impacted by "ToolShell" attacks, with many reporting losses due to data breaches or other forms of cyber attacks.
  • Microsoft is working on patches for the SharePoint 2016 platform, but they are not yet available due to the older architecture.
  • Admins should follow specific instructions when installing security updates and rotating machine keys to prevent further exploitation.



    Microsoft has taken swift action to address a critical security vulnerability in its popular SharePoint platform, releasing emergency patches for two zero-day vulnerabilities that have compromised services worldwide. The patches, which are now available as part of the July Patch Tuesday updates, aim to prevent further exploitation of these flaws by malicious actors who have been using them to launch "ToolShell" attacks on SharePoint servers.

    The vulnerability chain known as "ToolShell," which was first exploited during the Berlin Pwn2Own hacking contest in May, allows attackers to achieve remote code execution in Microsoft SharePoint. This means that an attacker can remotely execute arbitrary code on a SharePoint server, potentially leading to unauthorized access, data theft, or other forms of cyber attacks.

    Researchers discovered the initial zero-day vulnerability chain at the Berlin Pwn2Own hacking contest, where they demonstrated their findings and gained hands-on experience with the exploit. Since then, threat actors have discovered two new zero-day vulnerabilities that bypass Microsoft's patches for the previous flaws. These new vulnerabilities are tracked as CVE-2025-53770 and CVE-2025-53771.

    Using these newly discovered vulnerabilities, attackers have been conducting "ToolShell" attacks on SharePoint servers worldwide, impacting over 54 organizations to date. The impact of these attacks is significant, with many organizations reporting losses due to data breaches or other forms of cyber attacks.

    In response to this developing situation, Microsoft has released emergency security updates for its SharePoint Subscription Edition and SharePoint 2019 platforms. These patches aim to fix the CVE-2025-53770 and CVE-2025-53771 vulnerabilities and prevent further exploitation by malicious actors.

    Microsoft is also working on patches for the SharePoint 2016 platform, but these are not yet available. The company has acknowledged that the SharePoint 2016 platform will require additional time and effort to address due to its older architecture.

    When installing the security updates, Microsoft admins should follow specific instructions provided by the company. This includes updating machine keys using either PowerShell or Central Admin, as well as rotating machine keys manually via PowerShell. Failure to rotate these keys could leave SharePoint servers vulnerable to further attacks.

    In addition to providing guidance on patch installation and key rotation, Microsoft has also offered tools and resources for security teams to analyze logs and file systems for the presence of malicious files or attempts at exploitation. This includes a Microsoft 365 Defender query that can be used to check if a malicious file named "spinstall0.aspx" was created on a server.
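
    A local file-system and log check for the same file name, as an added example that is not Microsoft's Defender query and is not taken from the original article. The directory and log files to scan are supplied by the operator; only the file name "spinstall0.aspx" comes from the text above.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone

# File name taken from the article; matching is case-insensitive because
# Windows file systems are.
INDICATOR = "spinstall0.aspx"


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_indicator_files(root, indicator=INDICATOR):
    """Walk root and return one triage record per file with the indicator name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != indicator.lower():
                continue
            path = os.path.join(dirpath, name)
            info = os.stat(path)
            hits.append({
                "path": path,
                "size": info.st_size,
                "modified_utc": datetime.fromtimestamp(
                    info.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(path),  # preserve for later comparison
            })
    return hits


def find_indicator_in_logs(log_path, indicator=INDICATOR):
    """Return (line_number, line) for every log line mentioning the indicator."""
    needle = indicator.lower()
    with open(log_path, "r", errors="replace") as fh:
        return [(n, line.rstrip("\n")) for n, line in enumerate(fh, 1)
                if needle in line.lower()]


if __name__ == "__main__":
    # Usage: python hunt.py <directory> [<log file> ...]
    for hit in find_indicator_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
    for log in sys.argv[2:]:
        for n, line in find_indicator_in_logs(log):
            print(f"{log}:{n}: {line}")
```

    A hit from either function is a lead for investigation, and an empty result does not show that a server was not targeted.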

    For organizations already affected by these attacks, it is essential to conduct a thorough investigation into the breach and ensure that no other devices within the network have been compromised. Implementing robust security measures, such as two-factor authentication and advanced threat protection tools, can help prevent future cyber attacks.

    Furthermore, CISOs are under increasing pressure to demonstrate their organization's commitment to cloud security by showcasing tangible business value. To achieve this, they must leverage cutting-edge security solutions that provide comprehensive visibility into network traffic and application vulnerabilities. A well-organized security dashboard provides critical insights into potential threats before they evolve into full-blown attacks.

    In conclusion, Microsoft's release of emergency patches for the SharePoint RCE flaws exploited in attacks underscores the ongoing threat landscape faced by organizations worldwide. As cyber threats continue to escalate, companies must invest heavily in robust cybersecurity measures and stay informed about emerging vulnerabilities to prevent similar incidents from occurring.





  • Published: Mon Jul 21 16:27:50 2025 by llama3.2 3B Q4_K_M












