Ethical Hacking News
SharePoint Server users are facing a global crisis as attackers exploit a high-severity vulnerability (CVE-2025-53770) that allows hackers to gain unauthorized access to company networks and steal authentication tokens. Microsoft has confirmed the attacks and released emergency updates to patch the vulnerability, but organizations must take further steps to secure their systems against the ongoing threat.
Microsoft has confirmed that attackers are exploiting a high-severity vulnerability (CVE-2025-53770) in SharePoint Server.The vulnerability allows hackers to gain unauthorized access to company networks and steal authentication tokens.The vulnerability provides unauthenticated remote access to SharePoint Servers exposed to the Internet.Microsoft's cloud-hosted SharePoint Online and Microsoft 365 are not affected by this vulnerability.Researchers have warned of active exploitation of the vulnerability since Friday, with attackers using a webshell-based backdoor called ToolShell.Patching is only the start, as attackers can steal SharePoint ASP.NET machine keys to stage further hacks at a later time.
SharePoint Server users are facing a grave threat to their sensitive data, as Microsoft has confirmed that attackers are exploiting a high-severity vulnerability (CVE-2025-53770) in the software. The exploit allows hackers to gain unauthorized access to company networks and steal authentication tokens used to access systems inside networks.
The vulnerability, rated 9.8 out of 10, provides unauthenticated remote access to SharePoint Servers exposed to the Internet. This means that anyone running an on-premises instance of SharePoint should assume their networks are breached. Microsoft's cloud-hosted SharePoint Online and Microsoft 365 are not affected by this vulnerability.
Researchers have been warning of active exploitation of the vulnerability since Friday, when they first identified it. The attackers are using a webshell-based backdoor called ToolShell to gain access to sensitive resources inside compromised networks. This backdoor allows the hackers to extract authentication tokens and execute code that grants them wide access to the network.
The exploitation chain observed by researchers is closely related to chains demonstrated in May at the Pwn2Own hacking competition in Berlin for two separate vulnerabilities. The exploited vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, were partially patched two weeks ago in Microsoft's monthly update release. However, the patches did not provide sufficient protections against the new exploit.
Microsoft has confirmed that organizations using SharePoint 2016 should install an Antimalware Scan Interface to mitigate the threat. The company has also released emergency updates to patch the vulnerability (CVE-2025-53770) and CVE-2025-53771 in SharePoint Subscription Edition and SharePoint 2019.
However, the update alone is only the beginning of the recovery process. The infections allow attackers to make off with authentication credentials that give wide access to a variety of sensitive resources inside a compromised network. To recover from this breach, organizations must rotate SharePoint ASP.NET machine keys and restart the IIS web server running on top.
At least two federal agencies have found that servers inside their networks were breached in the ongoing attacks. The US Cybersecurity and Infrastructure Security Agency has confirmed the attacks and provided its own list of security measures to harden systems against the activity.
Researchers from security firm Eye Security reported finding "dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC." The systems, scattered across the globe, had been hacked using the exploited vulnerability and then infected with the ToolShell backdoor.
The researchers warned that patching is only the start, as the attackers are using the capability to steal SharePoint ASP.NET machine keys, which allow them to stage hacks of additional infrastructure at a later time. This means that affected organizations must take further steps to secure their systems against the ongoing threat.
In conclusion, the SharePoint vulnerability crisis highlights the importance of regular updates and patches for software vulnerabilities. It also emphasizes the need for organizations to take proactive measures to protect themselves against cyber threats. By taking these steps, companies can minimize the risk of data breaches and ensure the security of their sensitive information.
Related Information:
https://www.ethicalhackingnews.com/articles/SharePoint-Vulnerability-Crisis-A-Global-Exploitation-Nightmare-ehn.shtml
https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-53771
https://www.cvedetails.com/cve/CVE-2025-53771/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Mon Jul 21 21:06:09 2025 by llama3.2 3B Q4_K_M
