Risks Associated With Sharepoint Vulnerabilities


Summary

SharePoint vulnerabilities refer to security weaknesses in Microsoft's collaboration platform that attackers can exploit to gain unauthorized access, execute malicious code, or compromise sensitive data. These vulnerabilities can pose significant risks, particularly for organizations using on-premise SharePoint servers.

  • Patch and mitigate promptly: Apply the latest security updates, configure additional security measures like AMSI and Microsoft Defender, and rotate MachineKeys to mitigate ongoing risks.
  • Monitor for unusual activity: Regularly check for suspicious files, web shell activity, and unauthorized changes in SharePoint directories to identify potential intrusions.
  • Consider system upgrades: Migrate from legacy or on-premise SharePoint servers to cloud-based solutions and implement strict network segmentation to reduce future vulnerabilities.
Summarized by AI based on LinkedIn member posts
  • Austin Larsen

    Principal Threat Analyst | Google Threat Intelligence Group

    9,411 followers

    ⚠️ Google Threat Intelligence Group is tracking active exploitation of a SharePoint Zero-Day vulnerability. Tonight, Microsoft released CVE-2025-53770 to track a critical, unpatched vulnerability in on-premise SharePoint servers that is being actively exploited. GTIG has observed threat actors using this flaw to install webshells and exfiltrate cryptographic MachineKey secrets from victim servers. The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching. Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat. There is no patch available yet.

    Here are the immediate actions for any organization running on-premise SharePoint:

    🛡️ 1. Apply Mitigations: Microsoft's primary mitigation is to configure the AMSI integration with SharePoint and ensure Microsoft Defender AV is active. If you cannot, consider disconnecting SharePoint from the internet until a patch is available.

    🔎 2. Hunt for Compromise: Actively search for webshells in SharePoint directories. The presence of a webshell is a definitive sign of compromise.

    🔑 3. Rotate Keys if Compromised: If you find evidence of compromise, you must isolate the server and rotate the SharePoint MachineKey. Simply removing the webshell is not enough. The attacker already has the keys, and rotating them is the only way to invalidate their access.

    #SharePoint #CyberSecurity #ThreatIntel #InfoSec #0day #CVE #GTIG

  • Last week's announcement by Microsoft of a critical SharePoint zero-day (CVE-2025-53770, CVSS of 9.8) carries several important lessons.

    1️⃣ Patched != fixed. In this case, CVE-2025-53770 appears to be a patch bypass of a vulnerability previously announced, CVE-2025-49704 (CVSS of 8.8), as patched in July 2025.

    2️⃣ Chaining multiple low, medium, and / or high vulnerabilities can result in a critical exposure. The previous vulnerability, CVE-2025-49704, was part of an exploit chain involving an authentication bypass (CVE-2025-49706, CVSS of 6.5), and a deserialization of untrusted data vulnerability (CVE-2025-49704) to achieve unauthenticated remote code execution (RCE).

    3️⃣ Ongoing testing matters—even for decades-old apps. This latest incident is a powerful reminder that legacy systems aren’t “safe” just because they've been around for years. In cybersecurity, the ground is always shifting. Attackers rapidly weaponized known weaknesses by chaining together bugs even after patches were released. Threat actors are innovating by bypassing existing patches, highlighting deficiencies in initial fixes. And many organizations still run this vulnerable version of on-prem SharePoint—software that’s over a decade old—because it's deeply embedded in critical workflows.

    Advice for cyberdefenders:

    ➡️ Adopt continuous security testing. Don’t rely solely on patch Tuesday—use red-teaming, fuzzing, and third-party pentests, especially for legacy systems.

    ➡️ Prioritize rapid patching and layered defenses. For example, in this case, apply updates immediately, enable AMSI in full mode, use Defender AV/Endpoint, and rotate ASP.NET machine keys.

    ➡️ Monitor & respond as if breached. Assume compromise on exposed servers, hunt for indicators like unauthorized .aspx files, rotated keys, and odd IIS behavior.

    ➡️ De-risk old infrastructure. Where possible, migrate legacy workloads to cloud-native platforms or implement strict isolations and network controls.

    In today’s threat landscape, age doesn’t grant immunity. Decades-old apps can harbor fresh risks. A strategy of continuous validation, layered controls, and proactive assumption of compromise is essential to stay ahead of agile adversaries. #CyberSecurity #SharePoint #ZeroDay #LegacySystems #InfoSec #DevSecOps

  • Joseph Emerick

    Cyber & Information Security Professional | Ambassador | Mentor | C|CISO, CISSP, CCSP, C|TIA, C|HFI, C|EH, CCSKv5, CNVP, CSCP, CCAP, CSIS, CIOS, CSSS, CLNP

    3,374 followers

    🚨 85 orgs breached. No patch. No warnings. Just silence.

    Microsoft SharePoint is under active attack—CVE-2025-53770 enables unauthenticated remote code execution using stolen MachineKeys and weaponized __VIEWSTATE payloads. ToolShell chaining makes this the most dangerous SharePoint exploit since CVE-2019-0604.

    ☠️ Governments and global enterprises already compromised.
    👀 Your server could be next—and traditional MFA won’t help.
    🔎 Full threat breakdown, mitigation roadmap, IOCs, and threat hunting queries inside.

    This is the kind of vulnerability that reshapes policy. Read it before the threat actors do.

    #CyberSecurity #SharePoint #ZeroDay #RCE #ThreatIntelligence #Infosec #Microsoft #vulnerability #BlueTeam #RedTeam

  • Peter Makohon

    Global Head of Cyber Threat Management at AIG

    4,049 followers

    Here is one to pay attention to. CVE-2023-29357 is a critical vulnerability in Microsoft SharePoint Server that has been assigned a CVSS 3.x base score of 9.8, indicating its severity is critical. This vulnerability allows for elevation of privilege (EoP) and is particularly dangerous because it can be exploited without any user interaction and does not require the attacker to have any privileges on the system[1][3].

    ### Exploit Details
    The vulnerability permits attackers to spoof JWT authentication tokens, which can be used to perform a network attack that bypasses authentication mechanisms, granting unauthorized access to the system. This can lead to an attacker gaining administrator-level privileges on the affected SharePoint Server installations[1][2][3].

    ### Real-World Implications
    CVE-2023-29357 has been exploited in the wild, as evidenced by its inclusion in the CISA's Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to apply the necessary patches to mitigate the risk posed by this vulnerability[3][4].

    ### Patch and Mitigation
    Microsoft released a patch for this vulnerability in June 2023. It is crucial for organizations using Microsoft SharePoint Server to apply this patch promptly to protect against potential exploitation[2][7].

    ### Proof-of-Concept Exploit
    A Proof-of-Concept (PoC) exploit script for CVE-2023-29357 has been made available, demonstrating the execution of arbitrary code within the SharePoint application pool. While the shared PoC does not directly enable remote code execution (RCE), threat actors could potentially modify it for use in attacks[2].

    Sources
    [1] NVD https://lnkd.in/eWxvNXXj
    [2] Microsoft SharePoint Server Elevation of Privilege Vulnerability Exploit (CVE-2023-29357) https://lnkd.in/eAeqX2sh
    [3] Microsoft SharePoint Vulnerability CVE-2023-29357 Exploited in the Wild - Obrela https://lnkd.in/ebi6vFdw
    [4] CISA Adds One Known Exploited Vulnerability to Catalog | CISA https://lnkd.in/eVEhPF8Q
    [5] CVE-2023-29357, CVE-2023-24955: Exploit Chain Released for Microsoft SharePoint Server Vulnerabilities https://lnkd.in/e9D3YqEi
    [6] CVE-2023-29357 Description, Impact and Technical Details https://lnkd.in/eZeYgW8c
    [7] Fortiguard https://lnkd.in/epyWr8XE
    [8] Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability https://lnkd.in/eRPr6U4G

  • Lou Rabon

    CEO @ Cyber Defense Group - pioneering Cybersecurity-as-a-Service (CSaaS)

    3,384 followers

    The new Microsoft Sharepoint vulnerability has a CVSS of 9.8 out of 10. Sharepoint Online is not affected. Everyone is going to be talking about this, so in order to not rehash what 1M AI chatbots might write about it, here's the TL;DR:

    - If you have on-prem Sharepoint that had open exposure to the internet, you should consider yourself compromised and start hunting for IOCs immediately, even if you patched it and took it offline quickly (see https://lnkd.in/gi8NsDB9).
    - Any networks that the external-facing sharepoint server was connected to should be considered compromised as well - re-examine your network segmentation strategy (DMZ ftw).
    - Rotate secrets and harden this server - consider additional protection including NGFW, WAF, etc.
    - Ensure you have proper monitoring with IOC alerts before attempting to put this back online. Better yet, put it behind a VPN or authentication portal before allowing access.

  • 🚨 July 21 Update on Microsoft SharePoint 0-day (CVE-2025-53770 and CVE-2025-53771) Threat Campaigns 🚨

    Here are some initial observations from the past 48 hours:

    ☣️ Microsoft just released security updates for all supported versions of Microsoft SharePoint. Patch now.
    ☣️ The early 0-day exploitation was broad and opportunistic. We're aware of victims in several sectors and global geographies. The activity primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied.
    ☣️ We assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor.
    ☣️ Multiple threat actors are actively exploiting this vulnerability now. New threat actors with diverse motivations will continue to exploit these vulnerabilities over time.
    ☣️ Several security researchers are actively scanning for vulnerable SharePoint servers and looking for evidence of compromise. Some security vendors are exploiting the vulnerability to determine if the SharePoint server is still vulnerable.
    ☣️ There is a lot of noise in logs. Organizations will likely see multiple discrete sets of activity. Some may be associated with threat actors, some may be security researchers/scanners.

    Every organization with on-premises Microsoft SharePoint should do the following:

    1️⃣ Apply the patches right away.
    2️⃣ Rotate SharePoint Server ASP.NET machine keys.
    3️⃣ Enable additional security controls such as Windows Antimalware Scan Interface (AMSI) and EDR.
    4️⃣ Forensically examine your SharePoint system to determine if it was already compromised❗

  • It's been a long week for defenders dealing with the latest SharePoint RCE vulnerabilities. You patched SharePoint. You ran AV scans. You rotated machine keys. You think you're safe from CVE-2025-53770? Think again.

    🚨 Storm-2603 is actively exploiting a blind spot most security teams miss: malicious IIS modules that persist through standard remediation.

    📋 What teams typically do:
    ✅ Apply Microsoft patches
    ✅ Run malware scans
    ✅ Rotate ASP.NET machine keys
    ✅ Restart IIS services
    ✅ Hunt for webshells

    ❌ What they DON'T do: Remove suspicious IIS DLLs loaded into w3wp.exe

    💡 Why? Because touching IIS modules risks crashing production SharePoint/Exchange servers. Most security tools won't even scan them for the same reason.

    ⚠️ The result: Threat actors maintain persistence that survives patches, reboots, and traditional incident response.

    🔍 Organizations need IIS module auditing NOW. Check your applicationHost.config and web.config files. Monitor Event ID 29 for new module installations.

    Full technical analysis: https://lnkd.in/gryR-3y7 thanks to Michael H.
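One way to do the IIS module audit the post above calls for is a baseline diff over the `<globalModules>` section of applicationHost.config. This is an added example, not the author's or Microsoft's tooling: the config text, the BASELINE dictionary and the module names are constructed, and TRUSTED_DIRS is an assumption to tune per server.

```python
"""Audit the native modules registered in applicationHost.config <globalModules>
against a known-good baseline, the check the post above asks for. Added example,
not Microsoft's or the author's tooling: the config text and BASELINE are
constructed, and TRUSTED_DIRS is an assumption to tune per server."""
import xml.etree.ElementTree as ET

# Where IIS's own native modules normally load from (assumption; compared lower-case).
TRUSTED_DIRS = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")

# name -> image recorded from this server at a known-good point (constructed).
BASELINE = {
    "UriCacheModule": "%windir%\\System32\\inetsrv\\cachuri.dll",
    "HttpLoggingModule": "%windir%\\System32\\inetsrv\\loghttp.dll",
    "ManagedEngineV4.0_64bit": "%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll",
}

CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp_v2.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="bitness64,runtimeVersionv4.0" />
      <add name="IISHelper" image="C:\ProgramData\IISHelper\iishelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def global_modules(config_xml):
    """Return {name: image} for every native module in <globalModules>."""
    root = ET.fromstring(config_xml)
    return {m.get("name"): m.get("image", "")
            for gm in root.iter("globalModules") for m in gm.findall("add")}

def audit(config_xml, baseline=BASELINE):
    """Findings as (kind, name, image): added, image-changed, removed, untrusted-path."""
    current, findings = global_modules(config_xml), []
    for name, image in current.items():
        if name not in baseline:
            findings.append(("added", name, image))
        elif baseline[name].lower() != image.lower():
            findings.append(("image-changed", name, image))
        if not image.lower().startswith(TRUSTED_DIRS):  # loads from outside IIS/.NET dirs
            findings.append(("untrusted-path", name, image))
    for name in baseline.keys() - current.keys():
        findings.append(("removed", name, baseline[name]))
    return findings

if __name__ == "__main__":
    for kind, name, image in audit(CONFIG):
        print(f"{kind:15} {name:25} {image}")
```

The same diff applies to managed `<modules>` entries in web.config; the baseline must be captured before any suspected compromise to be worth comparing against.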

  • Dan Nguyen-Huu

    Partner at Decibel Partners | Enterprise Software, AI, Cybersecurity

    7,736 followers

    Signature-based detection is a relic. The SharePoint "ToolShell" breach is one of the most important case studies this year for why threat detection needs to evolve.

    Last week, Microsoft issued an emergency fix for CVE-2025-53770, a zero-day vulnerability in on-prem SharePoint servers. Attackers used custom exploit code to gain unauthenticated remote code execution, steal ASP.NET machine keys, and install a modular post-exploitation framework now referred to as ToolShell. The scope is serious: victims include U.S. federal agencies, universities, and major enterprises.

    Even more concerning: patching may not be enough. If an attacker has already stolen your machine keys, they can maintain access even after updates are applied.

    This breach highlights a few key realities:
    👉 Exploits are increasingly built to evade signature-based detection.
    👉 Post-compromise persistence is getting harder to spot, especially in large hybrid environments.
    👉 Timely patching is necessary, but no longer sufficient on its own.

    What's needed is broader visibility and more adaptive detection. The best security teams I know are rethinking their approach to threat hunting. Instead of waiting for alerts, they’re proactively investigating for signs of abuse, especially in gray zones like unusual API behavior, lateral movement, or anomalous key usage. These are hard problems to solve with traditional tools. You need correlation across systems, behavioral context, and the ability to respond faster than human triage alone allows. Whether that’s supported by smarter automation, detection engineering, or emerging AI capabilities, the direction of travel is clear: we’re moving toward more continuous, contextual threat detection.

    ToolShell won’t be the last reminder. But it’s a timely one.

  • Zaara Qadri

    Cyber Operations | Incident Response | SOC Analyst | Advocate of Improvement | Passionate about Cybersecurity | Advocate for Women in Cyber

    5,320 followers

    🔥 China-Based APTs Exploiting SharePoint to Deploy Warlock Ransomware — Microsoft Confirms 🔥

    Microsoft is tracking a group known as Storm-2603—along with two other China-affiliated threat actors—actively exploiting critical SharePoint vulnerabilities to drop Warlock ransomware. These are real-world attacks targeting unpatched, on-prem environments.

    What should SOC pay attention to?
    • w3wp.exe spawning suspicious processes (PowerShell, cmd.exe, rundll32)
    • Web shells or unauthorized .aspx/.ashx files in:
      • \Program Files\Common Files\Microsoft Shared\Web Server Extensions\
    • Abnormal file creation in SharePoint content directories
    • Access from unusual IPs or regions to SharePoint endpoints
    • Post-exploitation behavior: shadow copy deletion, backup tampering, encryption tools
    • Use of native tools for lateral movement (e.g., net.exe, tasklist, nltest)

    This is a stealthy campaign using low-noise, built-in tools. Prevention helps, but visibility and behavioral detection are just as critical.

    #SOC #ThreatIntel #SharePoint #Storm2603 #Ransomware #Warlock #MicrosoftSecurity #APT #BlueTeam #Cybersecurity
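The process-tree and file-drop indicators in the post above, turned into detection logic as an added example (not Microsoft's or the author's code). It runs over constructed Sysmon-style events: field names follow Sysmon's process-create and file-create events, the GUIDs, paths and command lines are invented, and the lineage walk lets it catch a native tool launched two hops below w3wp.exe, not only a direct child.

```python
"""Behavioural checks for the SOC indicators in the post above, run over a
constructed set of Sysmon-style events (ID 1 = process create, ID 11 = file
create). Added example, not Microsoft's or the author's code; field names
follow Sysmon, every value is invented."""
from pathlib import PureWindowsPath

W3WP = "w3wp.exe"
SHELLS = {"powershell.exe", "cmd.exe", "rundll32.exe"}
NATIVE_TOOLS = {"net.exe", "tasklist.exe", "nltest.exe"}
WEBSHELL_EXT = {".aspx", ".ashx"}
SPX_ROOT = r"\program files\common files\microsoft shared\web server extensions"  # from the post

def proc(guid, parent, image, cmd):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image, "CommandLine": cmd}

def filedrop(guid, image, target):
    return {"EventID": 11, "ProcessGuid": guid, "Image": image, "TargetFilename": target}

INETSRV, SYS32 = r"C:\Windows\System32\inetsrv", r"C:\Windows\System32"
SPX = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16"
EVENTS = [  # constructed telemetry: a SharePoint worker process and an interactive user session
    proc("A", "-", INETSRV + r"\w3wp.exe", "w3wp.exe -ap SharePoint"),
    proc("B", "A", SYS32 + r"\cmd.exe", "cmd.exe /c whoami"),
    proc("C", "B", SYS32 + r"\nltest.exe", "nltest /dclist:corp"),
    filedrop("A", INETSRV + r"\w3wp.exe", SPX + r"\TEMPLATE\LAYOUTS\unexpected.aspx"),
    proc("D", "-", r"C:\Windows\explorer.exe", "explorer.exe"),
    proc("E", "D", SYS32 + r"\cmd.exe", "cmd.exe"),
    proc("F", "E", SYS32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
]

def analyse(events):
    """Return (rule, ProcessGuid) hits in event order; process lineage is built as events arrive."""
    parent, image, hits = {}, {}, []
    def lineage(guid):  # ancestor image names, nearest parent first (bounded against GUID cycles)
        chain = []
        while parent.get(guid) in image and len(chain) < 16:
            guid = parent[guid]
            chain.append(PureWindowsPath(image[guid]).name.lower())
        return chain
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            parent[guid], image[guid] = ev["ParentProcessGuid"], ev["Image"]
            name, chain, cmd = PureWindowsPath(ev["Image"]).name.lower(), lineage(guid), ev["CommandLine"].lower()
            if chain[:1] == [W3WP] and name in SHELLS:
                hits.append(("w3wp.exe spawned shell", guid))
            if W3WP in chain and name in NATIVE_TOOLS:  # any depth under the worker process
                hits.append(("native tool under w3wp.exe lineage", guid))
            if "vssadmin" in cmd and "delete shadows" in cmd:
                hits.append(("shadow copy deletion", guid))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"].lower().replace("/", "\\")
            if PureWindowsPath(target).suffix in WEBSHELL_EXT and SPX_ROOT + "\\" in target:
                hits.append(("new .aspx/.ashx under Web Server Extensions", guid))
    return hits
```

A cmd.exe under explorer.exe produces no hit, which is the point of keying on the w3wp.exe lineage rather than on the tool name alone.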

  • Vishal Masih

    President at Zephon | Zero Trust Assessments & Implementation for Federal Primes & Enterprise Security Leaders | 100% client retention since inception | Zero team attrition

    4,018 followers

    Still have an on-premise SharePoint Server?

    Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)

    CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

    CISA recommends the following actions to reduce the risks associated with the RCE compromise:

    - For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
    - Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
    - Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
    - Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
    - Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
    - Audit and minimize layout and admin privileges.
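The two log-side indicators in the CISA guidance above (POSTs to ToolPane.aspx with DisplayMode=Edit, and traffic from the three listed IPs in the July 18-19 window) as a small hunt over IIS W3C logs. This is an added example, not CISA's or Microsoft's tooling; the log lines are constructed, and the IPs are copied from the advisory in their defanged form and re-fanged only for matching.

```python
"""Hunt IIS W3C logs for the ToolShell indicators CISA lists in the post above.
Added example, not CISA's or Microsoft's tooling; SAMPLE_LOG is constructed data
in the default IIS field order (field names are taken from the #Fields header).
"""
from datetime import date
from urllib.parse import parse_qs

# IPs exactly as defanged in the advisory; re-fanged only for matching.
CISA_IPS_DEFANGED = ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")
SUSPECT_IPS = {ip.replace("[.]", ".") for ip in CISA_IPS_DEFANGED}
TOOLPANE = "/_layouts/15/toolpane.aspx"
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))  # inclusive, per the advisory

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:03:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.0.44 Mozilla/5.0 - 200 0 0 120
2025-07-18 21:04:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 310
2025-07-19 02:17:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 curl/8.0 - 200 0 0 95
2025-07-22 09:00:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.0.45 Mozilla/5.0 - 200 0 0 40
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            if fields is None:
                raise ValueError("request line before #Fields header")
            yield dict(zip(fields, raw.split(" ")))  # IIS writes spaces in values as '+'

def is_toolpane_post(rec):
    """POST to ToolPane.aspx with DisplayMode=Edit: the request shape CISA says to watch."""
    modes = [m.lower() for m in parse_qs(rec.get("cs-uri-query", "")).get("DisplayMode", [])]
    return (rec.get("cs-method") == "POST"
            and rec.get("cs-uri-stem", "").lower() == TOOLPANE
            and "edit" in modes)

def hunt(text):
    """Return [(record_no, client_ip, [reasons])] for every record worth triage."""
    findings = []
    for n, rec in enumerate(parse_w3c(text), 1):
        reasons = []
        if is_toolpane_post(rec):
            reasons.append("POST ToolPane.aspx DisplayMode=Edit")
        if rec.get("c-ip") in SUSPECT_IPS:
            in_window = WINDOW[0] <= date.fromisoformat(rec["date"]) <= WINDOW[1]
            reasons.append("CISA-listed IP" + (" in Jul 18-19 window" if in_window else ""))
        if reasons:
            findings.append((n, rec.get("c-ip"), reasons))
    return findings
```

The authenticated GET with DisplayMode=Edit on the last line is ordinary page editing and is deliberately not flagged; only POSTs match the indicator.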
