Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75 Company Servers

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an active, large-scale exploitation campaign.

The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49704 (CVSS score: 8.8), a code injection and remote code execution bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.

"Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network," Microsoft said in an advisory released on July 19, 2025.

The Windows maker further noted that it's preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro's Zero Day Initiative (ZDI).

In a separate alert issued Saturday, Redmond said it's aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.

Attackers exploiting this bug aren't just injecting arbitrary code; they're abusing how SharePoint deserializes untrusted objects, allowing them to execute commands even before authentication takes place. Once inside, they can forge trusted payloads using stolen machine keys to persist or move laterally, often blending in with legitimate SharePoint activity, which makes detection and response especially difficult without deep endpoint visibility.

In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.

It's worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

For those who cannot enable AMSI, it's advised that the SharePoint Server is disconnected from the internet until a
security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.

The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in SharePoint, and CVE-2025-49704 to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.

But given that CVE-2025-53770 is a variant of CVE-2025-49704, it's suspected that these attacks are related.

Eye Security said the wide-scale attacks it identified leverage CVE-2025-49706 to POST a remote code execution payload exploiting CVE-2025-49704. Threat actors have been found sending crafted POST requests to the "/_layouts/15/ToolPane.aspx" endpoint using a spoofed Referer header set to "/_layouts/SignOut.aspx" to achieve a similar authentication bypass as CVE-2025-49706.
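As an added defender-side example (not code from the article, Eye Security or Microsoft), the following Python parses an IIS W3C log excerpt and flags the request pattern described above: POST requests to ToolPane.aspx whose Referer points at SignOut.aspx. The log lines, hostnames and IP addresses are constructed for illustration.

```python
import re
from typing import Iterator

# Constructed sample IIS W3C log excerpt (not real traffic). IIS logs the
# Referer as cs(Referer); a "-" in cs-username means the request was anonymous.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.21 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-19 10:02:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 python-requests/2.31 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:03:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 bob 10.0.0.22 Mozilla/5.0 https://sp.example.test/sites/hr/edit.aspx 200
"""

# The endpoint and the spoofed Referer named in the article; the numbered
# "/15/" segment is optional so other hive versions are matched too.
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield each request as a dict keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines column order
        elif line.startswith("#") or not line.strip():
            continue                            # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def find_toolshell_hits(text: str) -> list:
    """Return (client IP, user, URI, Referer) for every POST to ToolPane.aspx
    whose Referer is SignOut.aspx, i.e. the ToolShell bypass pattern."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "POST":
            continue
        if not TOOLPANE.search(rec.get("cs-uri-stem", "")):
            continue
        if SIGNOUT.search(rec.get("cs(Referer)", "")):
            hits.append((rec.get("c-ip"), rec.get("cs-username"),
                         rec["cs-uri-stem"], rec["cs(Referer)"]))
    return hits


if __name__ == "__main__":
    for hit in find_toolshell_hits(SAMPLE_LOG):
        print("suspicious ToolPane POST:", hit)
```

Feed the function a real IIS log to triage; a hit with an anonymous user ("-") is the case to escalate, and per the article a confirmed compromise also means rotating the MachineKey, not just patching.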
It's worth mentioning here that the ZDI has characterized CVE-2025-49706 as an authentication bypass vulnerability that stems from how the application handles the HTTP Referer header provided to the ToolPane endpoint (/_layouts/15/ToolPane.aspx).

The malicious activity essentially involves delivering ASPX payloads via PowerShell, which are then used to steal the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.

The Dutch cybersecurity company said these keys are crucial for generating valid VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.

"We are still identifying mass exploit waves," Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. "This will have a huge impact, as adversaries are laterally moving using this remote code execution with speed."

More than 85 SharePoint servers globally have been identified as compromised with the malicious web shell as of writing. These hacked servers belong to 29 organizations, including multinational firms and government entities.

"VIEWSTATE is a core mechanism in ASP.NET that stores state information between requests," watchTowr CEO Benjamin Harris said. "It is cryptographically signed and optionally encrypted using the ValidationKey and DecryptionKey."

"With these keys in hand, attackers can craft forged VIEWSTATE payloads that SharePoint will accept as valid, enabling seamless remote code execution. This approach makes remediation particularly difficult: a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch."

Harris also pointed out that it's not yet clear whether some of the activity associated with CVE-2025-53770 may have been overlapping with or misattributed to CVE-2025-49704 or CVE-2025-49706.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert, said it's aware of active exploitation of CVE-2025-53770, which enables unauthenticated access to SharePoint systems and arbitrary code execution over the network.

"CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action," said Acting Executive Assistant Director for Cybersecurity Chris Butera. "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action."

"This is an important example of operational collaboration in action for homeland and national security. This type of rapid identification and response to cyber threats is possible because of the trust and cooperation that has been built between the research community, technology providers, and CISA."

When reached for comment, Microsoft told the publication that it had nothing to share at this stage beyond the customer guidance. The company has since released a patch for CVE-2025-53770 and a newly discovered flaw tracked as CVE-2025-53771. Please check this story for more details.

Microsoft has since clarified that CVE-2025-53770 adds more protections for CVE-2025-49704, and not CVE-2025-49706 as previously stated. It has also disclosed a new flaw, CVE-2025-53771, that it said includes more safeguards than CVE-2025-49706. This indicates there are two new zero-days, both of which are bypasses for Microsoft's original fixes earlier this month. The story has been updated to reflect these changes.