SharePoint zero-day flaw exploited as over 9,000 servers at risk
The vulnerability at the centre of the incident, now assigned as CVE-2025-53770, affects a wide cross-section of SharePoint Server deployments. Research from Eye Security first brought attention to what it described as "active, large-scale exploitation," driven by a zero-day weakness identified within a pair of vulnerabilities collectively known as ToolShell. Successful exploitation allows attackers to extract the MachineKey configuration details from vulnerable servers - exposing both the validationKey and decryptionKey, which are crucial to securing authentication tokens and encrypted data.
This critical information, once in criminal hands, can be weaponised. As Satnam Narang, Senior Staff Research Engineer at Tenable, explained, "Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution." Narang noted that the consequences for affected organisations may be severe, with broad implications for data integrity and security across industry sectors.
Indicators of compromise are already being circulated among security teams. Organisations are being urged to check for evidence of unauthorised access, with one telltale sign being the sudden creation of files named "spinstall0.aspx" on vulnerable servers, possibly under other extensions. The scope of exposure is significant, with estimates suggesting over 9,000 externally accessible SharePoint servers are potentially at risk. These systems are deployed globally by enterprises, government entities, and a range of other organisations relying on SharePoint for document management and collaboration.
Patching efforts have commenced in earnest. Microsoft began distributing fixes late on 20 July, prioritising SharePoint Server 2019 and SharePoint Subscription Edition. A remedy for SharePoint Server 2016 remains pending but is expected imminently. Narang advised, "We strongly advise organisations to begin conducting incident response investigations to identify potential compromise; otherwise, apply the available patches and review the mitigation instructions provided by Microsoft."
Andrew Obadiaru, Chief Information Security Officer at offensive security firm Cobalt, warned that the speed and depth of zero-day exploitation leaves little margin for delay or complacency. "Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments.
"The challenge isn't just patching - it's that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds. Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today's threat landscape, reactive security alone is a losing game."
Obadiaru's remarks echo growing industry consensus that traditional perimeter defences are proving insufficient in the face of increasingly sophisticated and rapid cyber threats. Security teams are being encouraged to revisit their incident response and detection protocols, embracing a proactive security posture and preparing for the possibility that attackers may already be inside their networks.
For now, the advice from the security community is clear: immediate action is essential. Organisations are urged to initiate incident response processes, apply available patches without delay, and review configuration settings for any signs of compromise. Vigilance and proactive testing will be the defining factors in limiting the fallout from yet another high-profile zero-day targeting widely used enterprise software.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
3 days ago
- Techday NZ
Tenable boosts vulnerability priority rating with advanced AI
Tenable has announced advancements to its Vulnerability Priority Rating (VPR), incorporating AI-powered capabilities for heightened precision in identifying and addressing critical cybersecurity risks. The updated Tenable VPR aims to help organisations clarify which vulnerabilities require urgent attention, leveraging generative AI, advanced threat intelligence, and context-aware scoring. By doing so, the solution seeks to facilitate an understanding of vulnerability impact, exploitation potential, and the steps necessary for remediation. Cutting through the noise A significant challenge for businesses is the high volume of reported vulnerabilities, making it difficult to determine which issues pose a genuine threat. According to the company, while the Common Vulnerability Scoring System (CVSS) previously classified around 60% of vulnerabilities as high or critical, the original VPR introduced in 2019 narrowed this number to 3%. With its latest AI enhancements, Tenable claims the VPR now focuses on just 1.6% of vulnerabilities that represent a material business risk. These improvements are designed to enable quicker remediation times, more efficient use of security resources, and alignment of security operations with key organisational priorities. Customer experience "Our biggest problem was noise. We had thousands of vulnerabilities, and no clear way to know which ones posed a genuine threat," said Jorge Orchilles, Senior Director, Readiness and Proactive Security at Verizon. "Tenable VPR changed that by showing us what attackers are actually exploiting right now. It lets us focus our resources on the handful of issues that truly matter, which has made a real, measurable difference in how quickly we can get critical patches out." Deeper insight and explainability The enhancements to VPR are underpinned by new AI-powered insights and explainability features. The company states that these improvements deliver instant clarity by providing users with detailed reasoning regarding the seriousness of a particular exposure, information on how threat actors have weaponised vulnerabilities, and actionable recommendations for mitigation. AI-generated threat summaries further aid users in understanding real-world risks and identifying appropriate next steps. Eric Doerr, Chief Product Officer at Tenable, commented, "We're taking our game-changing Tenable VPR to the next level with these AI-powered enhancements. Tenable VPR brings an unmatched precision and depth of threat intelligence, context and explainability to cyber operations. With these critical insights at their fingertips, organizations can clearly visualize why an exposure matters, where they are vulnerable and how to close their priority risks." Industry and regional context Tenable VPR now also includes enhanced filtering, querying, and metadata capabilities. These allow organisations to tailor their vulnerability management approach based on the threats most relevant to their specific industry sector and geographic location. The intent is to ensure that the vulnerabilities which present the greatest threat to a particular business are addressed first, improving risk posture in a targeted way. These features aim to assist organisations in tackling cyber threats more effectively by enabling clarity and prioritisation in patching and remediation efforts. The update is designed to give security teams more confidence in their decision-making processes and help them use time and resources more efficiently when addressing potential exposures. With these advancements, Tenable continues its focus on exposure management for organisations seeking to protect their assets from ongoing cyber risks. The company reports serving around 44,000 customers worldwide.
Techday NZ
3 days ago
- Techday NZ
Microsoft SharePoint zero-day flaw prompts urgent global response
Organisations around the world are racing to mitigate the impact of a critical zero-day vulnerability in Microsoft's SharePoint server software, which has already been implicated in a series of significant security breaches and is being actively exploited by threat actors, including alleged Chinese nation-state groups. The flaw, catalogued as CVE-2025-53770, was revealed last week after several cyber security researchers, including Microsoft and Google's Threat Intelligence Group, published emergency advisories. Microsoft has clarified that the vulnerability affects only on-premises versions of SharePoint. SharePoint Online, the cloud-based variant included in Microsoft 365, is not impacted by this zero-day flaw. The urgency of the threat became clear after Eye Security researchers published findings that highlighted "active, large-scale exploitation" of the flaw, which they related to a set of vulnerabilities coined "ToolShell." Attackers who successfully exploit CVE-2025-53770 can access sensitive MachineKey configuration details on vulnerable servers, including the validationKey and decryptionKey. These critical parameters can then be used to craft specially designed requests that enable unauthenticated remote code execution, effectively giving attackers full control over the targeted servers. Late breaking fixes for SharePoint Server 2019 and SharePoint Subscription Edition have been made available, with a patch for SharePoint Server 2016 expected to follow. Organisations are being urged to conduct incident response investigations, apply available patches, and closely review Microsoft's temporary mitigation instructions to limit exposure. In recent reports, the scope and impact of the exploit have become clearer. More than 100 servers across at least 60 global organisations, including critical infrastructure such as the US National Nuclear Security Administration, have reportedly been breached via the vulnerability. Cyber security analysts have attributed the campaign to Chinese state-linked groups, among them Linen Typhoon, Violet Typhoon, and Storm-2603. These groups are said to have used stolen credentials to establish persistent access, potentially enabling ongoing espionage even after patches are applied. According to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, attackers are using the vulnerability to install webshells - malicious scripts that provide ongoing unauthorised access - and to exfiltrate cryptographic secrets from compromised servers. This presents a substantial risk to organisations, as it allows persistent, unauthenticated access by malicious actors. "If your organisation has on-premises Microsoft SharePoint exposed to the internet, you have an immediate action to take," Carmakal said. He stressed that mitigation steps must be implemented without delay, as well as the application of patches as they become available. "This isn't an 'apply the patch and you're done' situation. Organisations need to assume compromise, investigate for any evidence of prior intrusion, and take appropriate remediation actions." Satnam Narang, Senior Staff Research Engineer at Tenable, warned of the widespread consequences, stating: "The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw to steal MachineKey configuration details, which could be used to gain unauthenticated remote code execution." Narang added that early signs of compromise could include the presence of a file named although it might carry a different extension in some cases. Bob Huber, Chief Security Officer and President of Public Sector at Tenable, commented: "The recent breach of multiple governments' systems […] is yet another urgent reminder of the stakes we're facing. This isn't just about a single flaw, but how sophisticated actors exploit these openings for long-term gain." Huber noted that because Microsoft's identity stack is so deeply embedded in government and corporate environments, a breach in SharePoint can create "a massive single point of failure." He argued for a more proactive, preventative approach to cyber security, emphasising the need for exposure management platforms that provide unified oversight across complex infrastructures. For now, the coordinated response by vendors, security firms, and government agencies continues, as organisations track for signs of compromise and await further guidance on long-term remediation. The incident serves as a stark reminder of the intricate cyber threats faced by modern institutions, and the pressing need for rigorous, ongoing defence strategies against ever-evolving adversaries.
Techday NZ
5 days ago
- Techday NZ
Microsoft launches Sentinel data lake to cut storage costs
Microsoft has unveiled an expansion of its security information and event management solution, Microsoft Sentinel, introducing a new security data lake designed to address both the cost and capability challenges faced by cybersecurity teams. The newly-launched Sentinel data lake aims to reduce costs associated with security data retention, claiming storage fees at less than 10% of those found with traditional analytics log storage options. According to Microsoft, this move is intended to help security teams retain all relevant data affordably, making incident detection and response faster and more accurate. Data challenges Security operations teams have long contended with the challenge of managing increasing volumes of data while controlling costs. Microsoft stated, "You can't protect what you can't see. Security operations teams have long been faced with the challenge of managing massive, fast-growing datasets, and the cost of scaling traditional data management tools to handle these data volumes has become unsustainable. We're evolving our industry-leading Security Incidents and Event Management solution (SIEM), Microsoft Sentinel, to include a modern, cost-effective data lake. By unifying all your security data, Microsoft Sentinel data lake, now in public preview, accelerates agentic AI adoption and drives unparalleled visibility, empowering teams to detect and respond faster. With Sentinel data lake, you're no longer forced to choose between retaining critical data and staying within budget." The new architecture is said to bring together security data from both Microsoft and third-party sources using over 350 native connectors. It is positioned as a foundation for artificial intelligence-powered detection, allowing security teams to hunt for threats over extended time frames and perform detailed forensic analysis without compromising on data retention due to cost constraints. Microsoft further said, "Breaking down data silos for better security... Siloed data means missed cyberthreats, delayed investigations, and underutilized tools." The aim is to unify data and enable better threat visibility and collaboration within security teams. Threat intelligence integration In addition to the data lake, Microsoft has also announced the integration of Microsoft Defender Threat Intelligence (MDTI) into both Sentinel and Defender XDR at no additional cost. This integration is pitched as an effort to provide security teams with access to a substantial repository of frontline threat intelligence, which processes signals from what Microsoft says are 84 trillion daily data points, and is supported by over 10,000 security specialists. The company stated, "To further help defenders get the most out of their data, we're democratizing threat intelligence by converging Microsoft Defender Threat Intelligence (MDTI) capabilities into Defender XDR and Sentinel at no additional cost; this means that security teams will no longer need to buy a separate SKU to access these powerful features." These changes will be rolled out over time, with all Microsoft first-party threat reports, including intelligence profiles and indicators of compromise (IoCs), expected to become available through Defender XDR. The plan is also to incorporate IoCs into Sentinel's case management, allowing customers to share threat intelligence across teams inside their organisations, with further features scheduled to follow. Industry support "Microsoft's vision for Sentinel data lake reflects what matters most in cybersecurity: clarity, scale, and real-world impact. With more than 1,200 Sentinel deployments worldwide, BlueVoyant has seen the need firsthand. Large scale data challenges are now the norm. Sentinel data lake marks a natural evolution of the SIEM and SOAR model, one that critically supports modern analytics, data science, and flexible ingestion strategy. It is a critical step forward for customers looking to modernize their security operations." - Milan Patel, Chief Revenue Officer at BlueVoyant Industry partners have responded to Microsoft's expanded offering and its intent to simplify data management while providing a robust foundation for AI-driven security operations. "For cyber teams, the massive proliferation of data can misdirect focus or delay responses to genuine [cyber]threats. Microsoft Sentinel data lake can be a valuable tool for data centralization and visibility and for historical analysis across large volumes of datasets. Together with Microsoft, Accenture can help our clients leverage the data lake to extend the power of Microsoft Sentinel to supercharge attack detection and proactive remediation." - Rex Thexton, Chief Technology Officer, Accenture Security Microsoft's approach aims to aid organisations in moving between real-time analytics and historical analysis from a single portal. The solution is designed to support custom machine learning workflows, analytics, and integration with tools familiar to security teams, all based on open data formats. "The [cyber]attack surface is expanding with every application and AI application deployed across hybrid cloud environments, and AI-powered attacks are evolving just as fast. What many organizations still lack isn't just better tools - it's real-time visibility of their IT estate, their configurations and business context. To understand their full exposure, organizations need the right asset intelligence and a shared industry effort. The new Microsoft Sentinel data lake represents a valuable step in that direction; IBM is committed to working across the ecosystem to help solve that challenge." - Srini Tummalapenta, IBM Distinguished Engineer, Chief Technology Officer for IBM Consulting Cybersecurity Services AI readiness measures Microsoft stated that centralising data enriches its AI models, such as Security Copilot, giving them full context to detect sophisticated patterns of cyberattack, correlate signals over extended time spans, and produce high-fidelity alerts. The company explained, "Centralizing your data in a threat intel-enriched data lake eliminates silos and ensures AI models like Security Copilot have the full context they need to detect subtle cyberattack patterns, correlate signals across time and space, and surface high-fidelity alerts. This creates the foundation for the future of agentic defense where AI doesn't just assist, it acts." Microsoft Sentinel data lake is now in public preview and available for customer onboarding as part of the company's continuing development of an integrated security operations platform.
