
Microsoft SharePoint Zero-Day Exploit Leaves Critical Infrastructure at Risk


Microsoft is grappling with a severe cybersecurity crisis as attackers actively exploit a critical zero-day vulnerability in its widely deployed SharePoint Server platform—impacting on-premises environments across corporate and government networks.

The flaw, tracked as CVE-2025-53770, is a deserialization bug that allows unauthenticated remote code execution (RCE), giving attackers full control of the targeted server. Even more troubling: the exploit has already been used against U.S. government networks, including the National Nuclear Security Administration, which shows what is at stake for critical infrastructure.
The Exploit: What’s Happening?

Dubbed “ToolShell”, this attack chain abuses multiple SharePoint flaws in sequence:

Authentication Bypass
Crafted requests trick SharePoint into skipping its login checks, so the attacker reaches server-side functionality that should be available only to an authenticated user.

Web Shell Drop
Through that foothold the attacker writes a file to the server (the spinstall0.aspx web shell seen in the wild) that reads the server’s ASP.NET machine keys (ValidationKey and DecryptionKey) and hands them back to the attacker.

Signed Payload Execution
With the stolen keys, the attacker can craft serialized payloads that SharePoint treats as legitimately signed and executes. This gives persistent control that survives a reboot and even the patch itself, until the keys are rotated.

Who’s Affected?

  • Only on-premises SharePoint 2016, 2019, and Subscription Edition are vulnerable.
  • SharePoint Online (Microsoft 365) is not affected.
  • More than 400 servers have shown signs of compromise, including those belonging to the U.S. Department of Energy’s National Nuclear Security Administration (NNSA).

Microsoft has attributed the attacks to state-aligned threat groups, including Linen Typhoon and Violet Typhoon—believed to be operating from China.

What You Need to Do Now

✅ Patch Immediately

Microsoft released emergency updates on:

  • July 20 for SharePoint 2019 and Subscription Edition
  • July 22 for SharePoint 2016

Links to specific KB articles can be found in Microsoft’s official guidance.

🔒 Isolate Unpatched Servers

  • If the patch cannot be applied immediately, remove the server from internet exposure (firewall it or take it off the edge) until it is updated. Isolation limits new intrusions; it does nothing for a server that was already compromised.
  • Make sure the AMSI integration is enabled in SharePoint and that Microsoft Defender Antivirus (or another AMSI-capable engine) is running on the server, so that known malicious requests and payloads are inspected and blocked before they execute.

🔁 Rotate Cryptographic Keys

  • Treat the ASP.NET machine keys (ValidationKey and DecryptionKey) as compromised on any server that was exposed while unpatched, and rotate them once the update is installed. Microsoft’s guidance does this from Central Administration or with the Update-SPMachineKey PowerShell cmdlet, followed by an IIS restart (iisreset) on every server in the farm. Patching alone is not enough here: an attacker who already holds the keys can keep sending validly signed payloads to a fully patched server.

🔍 Hunt for IOCs (Indicators of Compromise)

Check logs and systems for:

  • Suspicious .aspx files in the SharePoint LAYOUTS directory (e.g., spinstall0.aspx)
  • IIS log entries for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit that carry a Referer of /_layouts/SignOut.aspx (the ToolShell bypass request)
  • Outbound connections to known malicious IPs:
    107.191.58.76, 104.238.159.149, 96.9.125.147
  • Unusual PowerShell or cmd.exe activity spawned from the IIS worker process (w3wp.exe)
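A small hunting script for the indicators above, added here as an illustration; it is not code from the article or from Microsoft. It runs over constructed sample telemetry embedded inline (a few IIS W3C log lines, two process-creation events and three outbound flows). The IIS field order is the IIS default, the ToolPane/SignOut request shape follows Microsoft’s published ToolShell indicators, and the rule names, the Finding type and the widened spinstall*.aspx match are this example’s own choices. On a real server you would feed it the u_ex*.log files, endpoint process telemetry and firewall or proxy logs in place of the samples.

```python
"""Hunt for ToolShell (CVE-2025-53770) indicators in constructed telemetry.

Added example, not code from the article or from Microsoft. Every log line,
process event and flow below is constructed. Field order is the IIS W3C
default; the ToolPane/SignOut request shape follows Microsoft's indicators.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

MALICIOUS_IPS = {ipaddress.ip_address(ip)  # the three IPs from the article
                 for ip in ("107.191.58.76", "104.238.159.149", "96.9.125.147")}

# Default field order of an IIS u_ex*.log (its "#Fields:" header).
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()

TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.I)
# Article names spinstall0.aspx; matching spinstall*.aspx is a deliberate widening.
WEBSHELL_RE = re.compile(r"/spinstall[^/]*\.aspx$", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass
class Finding:
    rule: str
    detail: str

def parse_iis(lines):
    """Yield one dict per W3C log line; skip '#' headers and malformed rows."""
    for line in lines:
        if line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(IIS_FIELDS):
                yield dict(zip(IIS_FIELDS, parts))

def hunt_iis(lines):
    """Flag the ToolShell bypass request and any access to the web shell."""
    found = []
    for r in parse_iis(lines):
        stem, query, ref = r["cs-uri-stem"], r["cs-uri-query"], r["cs(Referer)"]
        # Editing a tool pane is a logged-in action: an anonymous POST to it, or
        # one claiming to come from the sign-out page, is the bypass signature.
        if (r["cs-method"].upper() == "POST" and TOOLPANE_RE.match(stem)
                and "displaymode=edit" in query.lower()
                and (SIGNOUT_RE.search(ref) or r["cs-username"] == "-")):
            found.append(Finding("toolshell-auth-bypass",
                                 f"{r['c-ip']} POST {stem}?{query} referer={ref}"))
        if WEBSHELL_RE.search(stem):
            found.append(Finding("webshell-access",
                                 f"{r['c-ip']} {r['cs-method']} {stem} status={r['sc-status']}"))
    return found

def hunt_processes(events):
    """Flag a shell whose parent is the IIS worker process, w3wp.exe."""
    return [Finding("iis-spawned-shell", f"{e['parent']} -> {e['cmdline']}")
            for e in events
            if ntpath.basename(e["parent"]).lower() == "w3wp.exe"
            and ntpath.basename(e["image"]).lower() in SHELLS]

def hunt_connections(flows):
    """Flag outbound flows (src, dst, port) to the known-malicious IPs."""
    return [Finding("known-bad-c2", f"{src} -> {dst}:{port}")
            for src, dst, port in flows
            if ipaddress.ip_address(dst) in MALICIOUS_IPS]

def hunt(iis_lines, events, flows):
    return hunt_iis(iis_lines) + hunt_processes(events) + hunt_connections(flows)

# Constructed samples: normal session, attacker's ToolShell pair, legit edit, w3wp shell.
SAMPLE_IIS = [
    "#Fields: " + " ".join(IIS_FIELDS),
    "2025-07-19 10:15:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 "
    "jdoe@contoso.local 10.0.1.40 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120",
    "2025-07-19 10:17:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx "
    "443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 87",
    "2025-07-19 10:17:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - "
    "107.191.58.76 Mozilla/5.0 - 200 0 0 15",
    "2025-07-19 10:20:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 "
    "jdoe@contoso.local 10.0.1.40 Mozilla/5.0 https://sp.contoso.local/sites/hr/SitePages/Home.aspx 200 0 0 210",
]
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]
SAMPLE_FLOWS = [("10.0.0.5", "104.238.159.149", 443),
                ("10.0.0.5", "203.0.113.10", 443),
                ("10.0.0.7", "96.9.125.147", 80)]

if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS, SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(f"[{f.rule}] {f.detail}")
```

Of the four sample IIS lines only the attacker’s two are reported. The legitimate, authenticated tool-pane edit is left alone because it has neither the SignOut referer nor an anonymous username, and that distinction is what keeps the rule from firing on every ordinary page edit. The process rule deliberately keys on the parent being w3wp.exe rather than on the command line, since a SharePoint worker process has no business launching a shell whatever the arguments are.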


Last modified: July 25, 2025
