SharePoint Zero‑Day Vulnerabilities
-
Microsoft confirmed active exploitation of on‑premises SharePoint Server vulnerabilities (ToolShell), specifically CVE‑2025‑49704 (RCE) and CVE‑2025‑49706 (spoofing), later extended into CVE‑2025‑53770 and CVE‑2025‑53771. SharePoint Online is not affected.
-
Exploitation began around mid-July 2025, with widespread attacks observed since July 17–18. Over 400 organizations worldwide—including government agencies, universities, and private firms—have been compromised, and ransomware (e.g., Warlock) has been deployed in some cases.
-
Multiple Chinese-linked threat groups—Linen Typhoon, Violet Typhoon, and Storm‑2603—have carried out the attacks, stealing ASP.NET MachineKey material and using web shells as footholds
Immediate Recommendations
-
Apply security updates at once for SharePoint Server Subscription Edition, 2019, and 2016.
-
Configure Antimalware Scan Interface (AMSI) in Full Mode and deploy Defender Antivirus (or equivalent).
-
Rotate ASP.NET machine keys and restart IIS after patching.
-
Deploy endpoint detection solutions to detect post-compromise activity.
-
Conduct threat hunting using Indicators of Compromise (IOCs), including POST requests to the ToolPane endpoint and known malicious IPs, and remove any discovered web shells.
Leave a Reply