Redazione RHC : 22 July 2025 11:42
We recently discussed a critical zero-day vulnerability, CVE-2025-53770, in Microsoft SharePoint Server, which bypasses the patch for the earlier flaw CVE-2025-49706. It was already known at the time that the vulnerability involves the deserialization of untrusted data and therefore allows code execution without authentication (pre-auth RCE). It was also reported that attackers had already exploited this flaw in a targeted attack on over 85 servers.
The situation has since escalated significantly: the malicious campaign has turned out to be much broader than expected. At least 100 organizations have been compromised, including international companies and government agencies. This was reported by Eye Security, the company that first discovered traces of the attack on one of its customers, and by the nonprofit Shadowserver Foundation, which conducted a large-scale network scan.
Their data indicates broad coverage: victims are primarily located in the United States and Germany, but the geography is much wider. The attack exploits a zero-day vulnerability in on-premises SharePoint Server installations, allowing the attacker to plant a backdoor on the server and move on into the victim's network. According to Eye Security, once inside, the attackers steal the ASP.NET MachineKey material (the validation and decryption keys that SharePoint uses to sign and encrypt ViewState) and use it to forge requests that the server accepts as legitimate. A forged, correctly signed ViewState is deserialized by the server just like a genuine one, so code execution remains possible even after the updates are installed, as long as the stolen keys remain in use. This is why patching alone does not close the door.
In their report, the experts emphasize that the exploit runs before authentication: the initial request executes a PowerShell command that writes a malicious ASPX file onto the server, and that ASPX file reads the MachineKey values out of the running application's configuration and returns them to the attacker. Holding those keys, the attackers can mint valid payloads on demand and execute arbitrary code without having to repeat the original exploit, which lets them move quickly within the network.
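The following is an added illustration, not code from the original article or from any of the vendors it cites, of why a stolen MachineKey outlives the patch. It is a deliberately simplified model of ASP.NET ViewState MAC protection (real ASP.NET 4.5+ derives per-purpose subkeys from the machineKey and also encrypts the state); the keys and the "gadget chain" payload are constructed placeholders. The point it demonstrates is that acceptance depends only on the key, so the attacker's capability ends only when the key is rotated.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional

# Simplified model of ASP.NET ViewState MAC protection (illustration only).
# Real ASP.NET derives per-purpose subkeys from the machineKey and encrypts
# the state; here we keep only the property that matters for the campaign:
# whoever holds the validation key can mint state the server will accept.

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Return base64(payload || HMAC-SHA256(validation_key, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def validate_viewstate(validation_key: bytes, blob: str) -> Optional[bytes]:
    """Return the payload if the MAC verifies under validation_key, else None.

    A real server would then deserialize the returned payload; in the attack
    that deserialization step is what runs the attacker's gadget chain.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def scenario() -> Dict[str, bool]:
    """Replay the key-theft situation: stolen key, patch, then key rotation."""
    server_key = os.urandom(64)  # stands in for the key the web shell dumped
    # Constructed placeholder; no real serialized gadget chain is included.
    attacker_payload = b"<serialized gadget chain placeholder>"

    # Attacker signs with the stolen key. Patching the original entry point
    # changes nothing here: validation depends only on the key.
    forged = sign_viewstate(server_key, attacker_payload)
    accepted_with_stolen_key = validate_viewstate(server_key, forged) == attacker_payload

    # Without the key, a modified blob fails the constant-time comparison.
    raw = base64.b64decode(forged)
    tampered = base64.b64encode(raw[:-1] + bytes([raw[-1] ^ 0xFF])).decode("ascii")
    tampered_accepted = validate_viewstate(server_key, tampered) is not None

    # Rotating the machineKey is what actually revokes the attacker's capability.
    rotated_key = os.urandom(64)
    accepted_after_rotation = validate_viewstate(rotated_key, forged) is not None

    return {
        "accepted_with_stolen_key": accepted_with_stolen_key,
        "tampered_accepted": tampered_accepted,
        "accepted_after_rotation": accepted_after_rotation,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Run it and the first flag is True while the other two are False: the forged state is accepted for as long as the stolen key is the server's key, and rejected the moment the key changes.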
Shadowserver estimates that up to 9,000 SharePoint servers exposed to the internet could be at risk. Potential targets include industrial companies, banks, auditors, medical organizations, and government agencies. A representative of the British group PwnDefend said that the situation calls not only for installing the updates but also for a full audit of the affected systems, since a server that was exposed while vulnerable may already have been compromised.
Microsoft has confirmed the attacks, announced the release of updates, and asked for them to be installed urgently. However, the company emphasized that the updates alone do not eliminate the threat if attackers have already obtained the key material: because the attack hinges on stolen MachineKey values, the ASP.NET machine keys must be rotated, and IIS restarted, after the update is applied, otherwise previously forged payloads continue to validate. As interim measures it recommends enabling the Antimalware Scan Interface (AMSI) integration, deploying Microsoft Defender, and, where that is not possible, disconnecting the servers from the Internet.
At the same time, Eye Security and Palo Alto Networks continue to observe a series of attacks in which CVE-2025-49706 is chained with CVE-2025-49704. The combination allows commands to be executed on the server with minimal changes to the request: in the observed requests the Referer header is set to the path "_layouts/SignOut.aspx", which is enough to satisfy SharePoint's authentication check (the CVE-2025-49706 bypass), so the same unauthenticated request can carry the deserialization payload and achieve the pre-auth code execution described for CVE-2025-53770. This is the technique currently being used by attackers in campaigns around the world.
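As an added detection example (not part of the original article, and not a vendor's tooling), the request pattern described above can be hunted in IIS W3C logs: a POST to the ToolPane.aspx page whose Referer is "_layouts/SignOut.aspx". The ToolPane.aspx path and the DisplayMode=Edit query are taken from the public reporting on this campaign rather than from this page; the log lines below are constructed for the example, and the generalisation that also flags any anonymous POST to that page is this example's own, lower-confidence heuristic.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed IIS W3C log sample. Line 3 is the ToolShell-style request
# (anonymous POST to ToolPane.aspx with the SignOut.aspx Referer), line 5 is
# a legitimate authenticated edit, line 6 an anonymous POST with no Referer.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 812
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.22 Mozilla/5.0 https://intranet.example/sites/hr 200 0 0 30
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.0.40 Mozilla/5.0 https://intranet.example/_layouts/15/settings.aspx 200 0 0 120
2025-07-19 03:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.32 - 200 0 0 640
"""


@dataclass
class Alert:
    line_no: int
    client_ip: str
    severity: str
    reason: str


def parse_iis_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_number, record) for each entry, using the #Fields directive.

    IIS encodes spaces inside a field as '+', so whitespace splitting is safe.
    Entries whose field count does not match are skipped rather than guessed.
    """
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield n, dict(zip(fields, values))


def detect_toolshell(text: str) -> List[Alert]:
    """Flag POSTs to ToolPane.aspx that match the auth-bypass pattern."""
    alerts: List[Alert] = []
    for n, rec in parse_iis_w3c(text):
        method = rec.get("cs-method", "-")
        stem = rec.get("cs-uri-stem", "-").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        user = rec.get("cs-username", "-")
        client = rec.get("c-ip", "-")
        if method != "POST" or not stem.endswith("/toolpane.aspx"):
            continue
        if referer.endswith("/_layouts/signout.aspx"):
            alerts.append(Alert(n, client, "high",
                                "POST to ToolPane.aspx with SignOut.aspx Referer "
                                "(CVE-2025-49706 authentication-bypass pattern)"))
        elif user == "-":
            # Heuristic of this example: the edit endpoint should not be reachable
            # anonymously, so an unauthenticated POST deserves a look even without
            # the tell-tale Referer.
            alerts.append(Alert(n, client, "medium",
                                "anonymous POST to ToolPane.aspx"))
    return alerts


if __name__ == "__main__":
    for a in detect_toolshell(IIS_LOG):
        print(f"line {a.line_no} {a.severity:6} {a.client_ip:15} {a.reason}")
```

Point the function at a real `u_ex*.log` file and treat every high-severity hit as a likely key compromise: the next step is not just patching but rotating the machine keys and checking for newly created ASPX files under the SharePoint layouts directory.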
It is not yet clear who exactly is behind the attacks. However, Google, with its visibility into global traffic, has linked some of the activity to a hacker group operating out of China. Representatives of the Chinese Embassy, as on previous occasions, have not commented on these allegations. Meanwhile, the FBI and the UK's National Cyber Security Centre have confirmed they are monitoring the situation and engaging with private and public partners to assess its impact.
The current situation requires organizations using SharePoint Server not only to make urgent updates but also to rethink their security posture. Simply installing patches will no longer be sufficient: if the system is already compromised, a thorough inspection of the infrastructure and, in some cases, complete isolation is required.