

Ethical Hacking News

Microsoft SharePoint Zero-Day Exploited: A Desperate Pursuit for Patch Security


Microsoft SharePoint servers have been exploited using a zero-day vulnerability, allowing attackers to steal sensitive data and achieve Remote Code Execution (RCE) on the server. With no patch available yet, affected organizations must take immediate action to secure their systems.

  • The latest vulnerability (CVE-2025-53770) has been discovered in Microsoft SharePoint servers, allowing attackers to steal sensitive data and disrupt operations.
  • The attack vector relies on a series of vulnerabilities known as ToolShell, which can be combined with the ysoserial tool to create legitimate-looking SharePoint tokens granting Remote Code Execution (RCE) privileges.
  • Administrators should immediately take the server offline if IOCs are detected, and investigate further to determine if additional attacks have occurred.
  • CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches within one day of release.
  • Microsoft has released an emergency patch for SharePoint RCE flaws exploited in attacks, providing some relief to affected organizations.



    Microsoft's most recent vulnerability, discovered by Dutch cybersecurity firm Eye Security, has left many organizations scrambling to secure their Microsoft SharePoint servers. According to recent data from BleepingComputer, the vulnerability, identified as CVE-2025-53770, was first observed on July 18th and has already been exploited in multiple attacks.

    The attack vector is quite sophisticated, relying on a series of vulnerabilities known as ToolShell (CVE-2025-49706 + CVE-2025-49704). Attackers have successfully uploaded a file named "spinstall0.aspx" to Microsoft SharePoint servers, which allows them to steal the server's MachineKey configuration. This includes the ValidationKey and DecryptionKey, making it possible for attackers to craft fully valid, signed __VIEWSTATE payloads using ysoserial.

    The tool used in this exploit is called ysoserial, a popular tool that generates arbitrary payload formats from any given string. By combining ToolShell with ysoserial, attackers can create legitimate-looking SharePoint tokens that grant them Remote Code Execution (RCE) privileges on the server.

    According to Eye Security CTO Piet Kerkhofs, the attacker's goal is not only to breach the server but also to steal sensitive data and disrupt operations. "Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads using ysoserial as shown in the example below," he explained.

    The attack vector relies on a POST request to the _layouts/15/ToolPane.aspx page, with an HTTP referer of /_layouts/SignOut.aspx. This information is crucial for identifying potential breaches and can help administrators determine if their server has been compromised.

    If the IIS logs or file system show specific IOCs (Indicators of Compromise), administrators should immediately take the server offline and investigate further to determine whether additional attacks have occurred.
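    The two log indicators named above (a POST to ToolPane.aspx carrying a SignOut.aspx referer, and any request for spinstall0.aspx) can be checked against IIS W3C logs. The script below is an added example, not code from the article or from Eye Security; the sample log lines, IP addresses and host names are constructed, and the rule labels are hypothetical.

```python
"""Scan IIS W3C logs for the request pattern and file name reported in the article."""

TOOLPANE = "/_layouts/15/toolpane.aspx"  # POST target named in the article
SIGNOUT = "/_layouts/signout.aspx"       # Referer named in the article
DROPPED_FILE = "spinstall0.aspx"         # uploaded file named in the article

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 18:06:01 GET /_layouts/15/start.aspx - 198.51.100.7 - 200
2025-07-18 18:06:07 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 /_layouts/SignOut.aspx 200
2025-07-18 18:06:09 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 - 200
2025-07-18 18:07:30 POST /_layouts/15/ToolPane.aspx - 198.51.100.7 https://intranet.example/sites/hr 302
"""


def scan(lines):
    """Return a list of (rule_label, record) for log lines matching an indicator."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is configurable per site, so re-read it at every directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()  # W3C logs are space-delimited; spaces in values become '+'
        if len(values) != len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, values))
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        # Rule 1: POST to ToolPane.aspx whose Referer points at SignOut.aspx.
        if method == "POST" and stem.endswith(TOOLPANE) and SIGNOUT in referer:
            hits.append(("toolpane-post-signout-referer", rec))
        # Rule 2: any request for the uploaded file.
        elif stem.endswith("/" + DROPPED_FILE):
            hits.append(("spinstall0-request", rec))
    return hits


if __name__ == "__main__":
    for rule, rec in scan(SAMPLE_LOG.splitlines()):
        print(rule, rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

    If a site does not log the cs(Referer) field, the first rule cannot match, so the absence of hits is only meaningful when that field is enabled.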

    CISA (Cybersecurity and Infrastructure Security Agency) has taken notice of the vulnerability, adding it to its Known Exploited Vulnerabilities catalog. This means that federal agencies are now given one day to apply patches when they become available.

    Microsoft itself has released an emergency patch for SharePoint RCE flaws exploited in attacks, which provides some relief to affected organizations.

    This incident highlights the importance of staying informed and up-to-date with security patches, as well as the ever-evolving threat landscape. By being vigilant and proactive, organizations can reduce their vulnerability to such attacks and minimize potential damage.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-SharePoint-Zero-Day-Exploited-A-Desperate-Pursuit-for-Patch-Security-ehn.shtml
  • https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-53770
  • https://www.cvedetails.com/cve/CVE-2025-53770/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49706
  • https://www.cvedetails.com/cve/CVE-2025-49706/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49704
  • https://www.cvedetails.com/cve/CVE-2025-49704/


  • Published: Mon Jul 21 16:47:26 2025 by llama3.2 3B Q4_K_M












