Risks of Unpatched SharePoint Servers


Summary

Unpatched SharePoint servers are at high risk of attack because security holes in outdated software can allow hackers to break in, steal sensitive data, and install backdoors that are very hard to detect or remove. SharePoint is a popular Microsoft platform for sharing files and collaborating within organizations, and when its security flaws are left unaddressed, attackers can sneak in and take over entire networks without being noticed.

  • Act quickly: If your SharePoint server has been exposed to the internet, start a thorough investigation for signs of a breach and check for hidden webshells or unusual configuration changes.
  • Reset critical credentials: Rotate any sensitive keys or passwords stored on your SharePoint server, especially if you find evidence of compromise, since attackers can use these to keep accessing your system even after software updates.
  • Reinforce network defenses: Limit access to your SharePoint server by putting it behind a VPN or authentication portal, and boost monitoring to catch suspicious activity before bringing the server back online.
Summarized by AI based on LinkedIn member posts
  • Austin Larsen

    Principal Threat Analyst @ Google Threat Intelligence Group

    13,532 followers

    ⚠️ Google Threat Intelligence Group is tracking active exploitation of a SharePoint Zero-Day vulnerability. Tonight, Microsoft released CVE-2025-53770 to track a critical, unpatched vulnerability in on-premise SharePoint servers that is being actively exploited. GTIG has observed threat actors using this flaw to install webshells and exfiltrate cryptographic MachineKey secrets from victim servers. The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching. Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat. There is no patch available yet.

    Here are the immediate actions for any organization running on-premise SharePoint:

    🛡️ 1. Apply Mitigations: Microsoft's primary mitigation is to configure the AMSI integration with SharePoint and ensure Microsoft Defender AV is active. If you cannot, consider disconnecting SharePoint from the internet until a patch is available.
    🔎 2. Hunt for Compromise: Actively search for webshells in SharePoint directories. The presence of a webshell is a definitive sign of compromise.
    🔑 3. Rotate Keys if Compromised: If you find evidence of compromise, you must isolate the server and rotate the SharePoint MachineKey. Simply removing the webshell is not enough. The attacker already has the keys, and rotating them is the only way to invalidate their access.

    #SharePoint #CyberSecurity #ThreatIntel #InfoSec #0day #CVE #GTIG

  • Esesve Digumarthi

    Founder of EnH group of Organizations

    7,954 followers

    Patching won’t save you this time. And Microsoft just said it out loud. In response to the actively exploited SharePoint zero-day, Microsoft and CISA have rushed out emergency patches and technical guidance. But here’s the critical line most executives are missing: “Patching alone is not sufficient. Backdoors may persist.” That’s not a casual warning. It’s a red flag to every SOC, IR team, and enterprise CISO that remediation is no longer just about software updates—it’s about full forensic triage.

    Because this exploit didn’t just allow remote code execution. It enabled stealthy, persistent backdoor installation—the kind that survives restarts, evades basic EDR, and blends in with legitimate SharePoint services. Once inside, attackers likely leveraged built-in tools, hijacked tokens, and pivoted laterally—leaving minimal footprints. So if your mitigation plan ends at CVE patching, you’re already behind.

    What you need now is:
    — Deep process memory inspection
    — Audit of service principal tokens and app identities
    — Rollback analysis of recent config drifts
    — Anomaly detection in service account behaviors
    — Hard resets of cryptographic material, if exposed

    This is a post-compromise scenario, not a containment issue. CISOs must shift from “are we patched?” to “have we been lived in?” Because advanced actors don’t breach to vandalize—they breach to linger. This breach has changed the SharePoint threat model permanently. Time to treat collaboration platforms as Tier-0 assets—because that’s exactly how the attackers see them.

    #CRM #CyberSecurity #SalesforceSecurity #SaaSHardening #HubSpot #AccessControl #ZeroTrust #DataBreach #RevenueOps #SaaSSecurity #InfoSec #CISO

  • Robert Wortmann

    Principal Security Strategist @TrendAI

    2,954 followers

    🚨 Assume Breach. Even If You See Nothing. 🚨 A wave of attacks is hitting Microsoft SharePoint, exploiting CVE-2025-53770. This isn’t just another vulnerability, it’s a critical, unauthenticated remote code execution (RCE) flaw under active, surgical exploitation. Patches dropped on July 20 and July 21 for SharePoint Subscription Edition and 2019 and SharePoint 2016. CISA added it to the KEV catalog, and a good number of servers are already compromised. Your SIEM or XDR might be quiet, but that doesn’t mean you’re safe.

    The vulnerability ties back to the “ToolShell” exploit chain (CVE-2025-49704 and CVE-2025-49706), showcased at Pwn2Own Berlin in May 2025. Huge props to Viettel Cyber Security for their responsible disclosure through Trend Zero Day Initiative. At Trend Micro, our TippingPoint protections, rolled out in May for related flaws, have been shielding against CVE-2025-53770 attacks using the power of the bug bounty program integrated in TippingPoint threat intelligence. But protection is only step one.

    Here’s the hard truth: Threat actors are already inside networks, using this as a foothold to steal credentials, plant backdoors, and move laterally. These attacks are stealthy, blending seamlessly into normal SharePoint activity. You usually won’t spot them in standard logs, and ransomware isn’t the immediate goal—persistence is. If you’re not hunting for trouble, you’re already behind. This isn’t a “patch and move on” moment. It’s a “drop everything and investigate” moment. Run memory forensics. Hunt for post-exploitation signs like spinstall0.aspx in your Web Server Extensions folder. Scrutinize SharePoint config files, check for webshells, and dig into proxy logs for suspicious POST requests to /_layouts/15/ToolPane.aspx. Act now, or you’re giving attackers free rein. Trend Micro has detailed technical guidance and IOCs out, and we’re working closely with partners to track these exploitation patterns.
If you need help gauging your exposure or want to strengthen detection, prevention, or response, let’s connect.

  • Joseph Emerick

    Cyber & Information Security Professional | Ambassador | Mentor | C|CISO, CISSP, CCSP, C|TIA, C|HFI, C|EH, CCSKv5, CNVP, CSCP, CCAP, CSIS, CIOS, CSSS, CLNP

    4,840 followers

    🚨 85 orgs breached. No patch. No warnings. Just silence. Microsoft SharePoint is under active attack—CVE-2025-53770 enables unauthenticated remote code execution using stolen MachineKeys and weaponized __VIEWSTATE payloads. ToolShell chaining makes this the most dangerous SharePoint exploit since CVE-2019-0604. ☠️ Governments and global enterprises already compromised. 👀 Your server could be next—and traditional MFA won’t help. 🔎 Full threat breakdown, mitigation roadmap, IOCs, and threat hunting queries inside. This is the kind of vulnerability that reshapes policy. Read it before the threat actors do. #CyberSecurity #SharePoint #ZeroDay #RCE #ThreatIntelligence #Infosec #Microsoft #vulnerability #BlueTeam #RedTeam

  • Lou Rabon

    Founder and CEO @ Cyber Defense Group | CISSP, CIPP/US

    3,671 followers

    The new Microsoft SharePoint vulnerability has a CVSS of 9.8 out of 10. SharePoint Online is not affected. Everyone is going to be talking about this, so in order to not rehash what 1M AI chatbots might write about it, here's the TL;DR:
    - If you have on-prem SharePoint that had open exposure to the internet, you should consider yourself compromised and start hunting for IOCs immediately, even if you patched it and took it offline quickly (see https://lnkd.in/gi8NsDB9).
    - Any networks that the external-facing SharePoint server was connected to should be considered compromised as well - re-examine your network segmentation strategy (DMZ ftw).
    - Rotate secrets and harden this server - consider additional protection including NGFW, WAF, etc.
    - Ensure you have proper monitoring with IOC alerts before attempting to put this back online. Better yet, put it behind a VPN or authentication portal before allowing access.

  • María Luisa Redondo Velázquez

    IT Cybersecurity Director | Technology Executive | Security Strategy and Digital transformation - Security Architecture & Operations | Cloud Expertise | Malware Analysis, TH and Threat Intelligence | Board Advisor

    9,757 followers

    🔴 Breaking Cyber Alert: SharePoint Zero-Day Under Active Exploitation! ⚠️ Google’s Threat Intelligence Group is tracking active attacks exploiting a new SharePoint Server vulnerability — CVE-2025-53770. 📢 Microsoft has officially released the advisory tonight. This is not just another CVE — this one scores 9.8 Critical (CVSS) and allows unauthenticated remote code execution via deserialization of untrusted data.

    🧨 What’s happening? Attackers are targeting on-prem SharePoint servers using malicious .aspx payloads (e.g., spinstall0.aspx) to execute code without any credentials. Once exploited, they gain full control, upload backdoors, and move laterally across your network.

    🛡️ No patch yet — but Microsoft recommends:
    ✔️ Enabling AMSI protection for SharePoint
    ✔️ Using Microsoft Defender for Endpoint/AV
    ✔️ Isolating vulnerable servers from the internet
    ✔️ Hunting for indicators like rogue .aspx uploads or ToolPane abuse

    🕵️‍♂️ If you see ToolShell patterns, HijackSharePointServer.A, or SuspSignoutReq.A alerts — don’t ignore them.

    📌 Too Long, Didn’t Read:
    • CVE-2025-53770
    • Affects: SharePoint Server (on-prem)
    • CVSS: 9.8 (Critical)
    • Exploited: In the wild — now
    • Patch: Not yet released
    • Action: Apply mitigations immediately

    💬 Are your systems at risk? How is your team responding to this threat? Let’s discuss zero-day response strategies. #SharePoint #CyberSecurity #ZeroDay #CVE2025_53770 #threatintel #Microsoft #InfoSec #CyberAttack #PatchNow #BlueTeam #IncidentResponse #VulnerabilityManagement #SOC #BlueTeamOps #Deserialization #RCE #Infosec #Informationsecurity
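Both the Wortmann post (POSTs to /_layouts/15/ToolPane.aspx in proxy logs, spinstall0.aspx under the Web Server Extensions folder) and the Redondo post (rogue .aspx uploads, ToolPane abuse) describe the same two hunts. The script below is an added example, not code from either author, Trend Micro or Microsoft; it assumes IIS W3C logs with the field order in `FIELDS` and the usual `Web Server Extensions\16\TEMPLATE\LAYOUTS` hive path, and the log lines and file listing are constructed samples.

```python
import re
from pathlib import PureWindowsPath
from typing import Iterable

# Assumed IIS W3C field order; adjust to the "#Fields:" header of your own logs.
FIELDS = ["date", "time", "method", "uri", "query", "port", "user",
          "client_ip", "user_agent", "referer", "status"]
TOOLPANE = "/_layouts/15/toolpane.aspx"
KNOWN_WEBSHELLS = {"spinstall0.aspx"}  # file name cited in the posts above
# LAYOUTS hive under "Web Server Extensions" (assumed typical on-prem install path)
LAYOUTS_RE = re.compile(r"web server extensions[\\/]\d+[\\/]template[\\/]layouts", re.I)

def parse_w3c(lines: Iterable[str]) -> list:
    """Parse IIS W3C rows into dicts; skip directives and malformed rows."""
    rows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def find_toolpane_posts(lines: Iterable[str]) -> list:
    """Return (client_ip, status, query) for every POST to ToolPane.aspx."""
    return [(r["client_ip"], r["status"], r["query"]) for r in parse_w3c(lines)
            if r["method"] == "POST" and r["uri"].lower() == TOOLPANE]

def find_rogue_aspx(paths: Iterable[str], baseline: set) -> list:
    """Flag .aspx under LAYOUTS not in the clean-install baseline or with a known webshell name."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if wp.suffix.lower() != ".aspx" or not LAYOUTS_RE.search(str(wp)):
            continue
        if name in KNOWN_WEBSHELLS or name not in baseline:
            hits.append(str(wp))
    return hits

# Constructed sample data (not real logs or a real server listing).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:03 GET /_layouts/15/start.aspx - 443 - 10.0.0.5 Mozilla/5.0 - 200
2025-07-19 02:12:44 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200
2025-07-19 02:13:01 GET /_layouts/15/start.aspx - 443 - 10.0.0.7 Mozilla/5.0 - 200""".splitlines()
LAYOUTS = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
SAMPLE_PATHS = [LAYOUTS + r"\start.aspx", LAYOUTS + r"\spinstall0.aspx",
                LAYOUTS + r"\debug.js", r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"]
BASELINE = {"start.aspx", "toolpane.aspx"}  # stand-in for a file list taken from a clean install

if __name__ == "__main__":
    print("ToolPane POSTs:", find_toolpane_posts(SAMPLE_LOG))
    print("Rogue .aspx:", find_rogue_aspx(SAMPLE_PATHS, BASELINE))
```

A ToolPane POST hit is a lead to pivot on (source IP, time window, what the same client did next), not proof by itself; an unexpected .aspx in LAYOUTS is the definitive signal the posts describe.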

  • Yochai Corem

    GM Exposure Management ( Ex. CEO @ Cyberint)

    15,573 followers

    A significant threat campaign has been unfolding over the past three days, impacting networks and customers globally. A chain of vulnerabilities in SharePoint Server (on-premises), recently addressed in Microsoft’s Patch Tuesday, is now being actively exploited. Attackers are targeting Western governments (notably in the U.S. and Western Europe), high-tech companies, and Telcos. The Check Point Software research teams discovered these attacks date back to July 7th, prior to Microsoft releasing the patches. We've also linked the attackers to exploiting a different vulnerability in Ivanti systems and identified the infrastructure used for these attacks (hacked home routers). Check Point is monitoring the situation closely and has released updated protections across our security platforms. For more details, please refer to our research blog post in the first comment below ⬇️

  • Robson Silva, MSc.

    Security Researcher | Cyber intelligence for critical infrastructure | Helps critical operations against cyber threats

    14,018 followers

    🏭 Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.

    ☢️ NNSA is a semi-autonomous U.S. government agency that is part of the Department of Energy; it maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad.

    ⚡️ A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week.

    ⚙️ Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups. "Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said.

    🕷️ "In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."

    🏢 Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies.

    🔗 Sources:
    </> https://lnkd.in/d9HWSrJN
    </> https://lnkd.in/dMcbgyV3
    </> https://lnkd.in/dTZaMhM7
    </> https://lnkd.in/d9sekM-w

    #ICSThreatIntelligence #CyberAttack #Nuclear #OTMalwareReverse #criticalinfrastructure #scadahacker #lateralmovement #APT #Zeroday #ICSexploit
