Ethical Hacking News
Microsoft has issued an urgent warning to its customers about a new zero-day vulnerability in on-premises SharePoint Server that is being exploited in the wild in the "ToolShell" campaign. The vulnerability, tracked as CVE-2025-53770, carries a CVSS score of 9.8 and stems from deserialization of untrusted data in on-premises Microsoft SharePoint Server. It affects only on-premises servers, not SharePoint Online in Microsoft 365, and Microsoft urges customers to apply the fixes as soon as possible.
Key points: Microsoft has warned of a new zero-day vulnerability in on-premises SharePoint servers, tracked as CVE-2025-53770. The vulnerability allows attackers to execute code remotely without authentication. Microsoft has released emergency updates for CVE-2025-53770 and CVE-2025-53771, both of which are being actively exploited. The vulnerabilities affect only on-premises SharePoint servers and not SharePoint Online in Microsoft 365. Microsoft urges customers to patch as soon as possible, given the severity and the active exploitation.
Microsoft has recently warned its customers of a new zero-day vulnerability in on-premises SharePoint servers that is being exploited in the "ToolShell" campaign. The vulnerability, tracked as CVE-2025-53770, is a variant of a previously patched flaw, CVE-2025-49704, and has been assigned a CVSS score of 9.8.
The "ToolShell" attacks chain two SharePoint flaws: an authentication bypass (the spoofing flaw CVE-2025-49706) and a code-execution flaw (CVE-2025-49704), which together allow attackers to execute code remotely without authentication. CVE-2025-53770, the deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server, is the bypass of the CVE-2025-49704 fix that is now being exploited, and it allows an unauthorized attacker to execute code over a network.
Microsoft has released emergency updates for two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, both of which are being actively exploited. The first, CVE-2025-53770, is the deserialization of untrusted data flaw that gives an unauthenticated attacker remote code execution. The second, CVE-2025-53771, is a spoofing flaw caused by improper limitation of a pathname to a restricted directory (path traversal), which lets an attacker bypass authentication and serves as the chain's first step.
Microsoft has emphasized that the vulnerability affects only on-premises SharePoint servers, not SharePoint Online in Microsoft 365. Given the severity of the issue and the active exploitation, however, Microsoft urges its customers to patch as soon as possible.
The attacks are believed to have started around July 18, 2025, when Eye Security identified large-scale exploitation of a new remote code execution (RCE) vulnerability chain, dubbed "ToolShell." Eye Security's analysis found that attackers were using the initial code execution to extract the server's ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys an attacker can sign their own ViewState payloads, which SharePoint will accept and deserialize, so access persists even after the server is patched. Because this leaves no malware behind and looks like legitimate traffic, detection is difficult without deep endpoint visibility, and patching must be followed by rotating the machine keys.
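The request pattern that Eye Security reported for ToolShell is an unauthenticated POST to the ToolPane.aspx page whose Referer header points at the SignOut.aspx page, typically followed by a request for the dropped web shell (spinstall0.aspx) in the LAYOUTS directory. The script below is an added example, not code from the page, Eye Security or Microsoft: it parses IIS W3C log lines from a SharePoint front end and flags those indicators. The log lines embedded in it are constructed; the field list, host names and IP addresses are assumptions for the example.

```python
"""Triage IIS W3C logs from an on-premises SharePoint server for the
ToolShell request pattern (added example; the sample log is constructed)."""
import re
from dataclasses import dataclass

# Indicators: POST to ToolPane.aspx with a Referer of SignOut.aspx, and any
# request for the spinstall0.aspx web shell dropped by the campaign.
TOOLPANE_RE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"spinstall0\.aspx$", re.IGNORECASE)

# Constructed sample: one normal page view, one ToolShell request from an
# external address, the follow-up request for the web shell, and a legitimate
# authenticated ToolPane POST (page editing) that must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-18 14:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 14:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    confidence: str
    reason: str


def parse_w3c(text):
    """Yield (line number, field dict) for each record, using the #Fields header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed record; a real triage would log it
        yield n, dict(zip(fields, parts))


def triage(text):
    """Return a list of Hit objects for records matching ToolShell indicators."""
    hits = []
    for n, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "?")
        if method == "POST" and TOOLPANE_RE.search(stem) and SIGNOUT_RE.search(referer):
            hits.append(Hit(n, ip, "high",
                            "POST to ToolPane.aspx with SignOut.aspx Referer"))
        elif method == "POST" and TOOLPANE_RE.search(stem) and user == "-":
            # Anonymous ToolPane POSTs are unusual even without the Referer.
            hits.append(Hit(n, ip, "medium", "anonymous POST to ToolPane.aspx"))
        elif WEBSHELL_RE.search(stem):
            hits.append(Hit(n, ip, "high", f"request for web shell {stem}"))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} [{h.confidence}] {h.reason}")
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the IIS log directory for the SharePoint web application. A hit on the ToolPane/SignOut pattern means the server should be treated as compromised: isolate it, rotate the ASP.NET machine keys and restart IIS after patching, and review the LAYOUTS directory for unexpected .aspx files, since a stolen key lets the attacker return without re-exploiting the bug.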
Security researchers from Eye Security and Palo Alto Networks have warned of attacks combining two SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a chain called "ToolShell." Since CVE-2025-53770 is a variant of CVE-2025-49704 and CVE-2025-53771 is a variant of CVE-2025-49706, the new zero-days are the same chain with the July Patch Tuesday fixes bypassed, and the attacks are related.
Microsoft has released emergency updates for both vulnerabilities, with more robust protections than the earlier fixes. In Microsoft's words, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704, and the update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706. A server that only has the July Patch Tuesday update is therefore still exploitable.
When Microsoft first published its advisory for CVE-2025-53770, no patch was available and only mitigations and detection guidance were provided. The emergency updates for SharePoint Subscription Edition and SharePoint Server 2019 were published first, with the SharePoint Server 2016 update following; customers should check the advisory for the update that applies to their version.
To protect against the newly identified vulnerability, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Microsoft Defender Antivirus across all SharePoint Server farms, so that the malicious request bodies are scanned before SharePoint processes them. Servers where AMSI cannot be enabled should be disconnected from the internet until the update is applied. Because the attackers extract the ASP.NET machine keys, Microsoft also advises rotating the SharePoint machine keys after the update or AMSI is in place (via the Update-SPMachineKey PowerShell cmdlet or the Central Administration key rotation job) and then restarting IIS; without the rotation, an attacker who already holds the keys can keep executing code on a fully patched server.
In conclusion, the "ToolShell" attacks underline the importance of keeping on-premises SharePoint servers patched and up to date. Microsoft's emergency updates for CVE-2025-53770 and CVE-2025-53771 are essential to prevent further exploitation, but organizations should also assume that an exposed, unpatched server may already have been compromised: apply the updates immediately, enable AMSI and Defender, rotate the machine keys, and hunt for signs of exploitation.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Urges-SharePoint-Users-to-Patch-New-Zero-Day-Vulnerabilities-as-ToolShell-Attacks-Continue-ehn.shtml
https://securityaffairs.com/180197/hacking/microsoft-issues-emergency-patches-for-sharepoint-zero-days-exploited-in-toolshell-attacks.html
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-53771
https://www.cvedetails.com/cve/CVE-2025-53771/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Tue Jul 22 12:46:57 2025 by llama3.2 3B Q4_K_M