Latest news with #CVE-2025-53770


Tom's Guide
19 minutes ago
- Tom's Guide
The SharePoint flaw has now hit over 400 companies including a US nuclear administration
The SharePoint vulnerabilities that Microsoft released emergency patches for earlier this week – tracked as CVE-2025-53770 and CVE-2025-53771 – have been exploited much further than previously thought. As reported by Bloomberg, the number of companies and organizations affected by the two flaws has grown to more than 400 in just a few days. Dutch cybersecurity company Eye Security, which noticed some of the early attacks, said the hackers involved have now breached government agencies, corporations and groups from countries around the world, including the U.S., Europe, Asia and the Middle East. One of the highest-profile agencies involved is the National Nuclear Security Administration, the U.S. agency that maintains the nation's stockpile of nuclear weapons. Others include the U.S. Department of Education, Florida's Department of Revenue, and the Rhode Island General Assembly. Affected organizations include government agencies, education departments and technology services. The SharePoint vulnerabilities give threat actors access to those servers, letting them steal keys that would allow them to impersonate users or services in phishing attacks. This means they could potentially gain access to networks where they could steal data, including confidential or sensitive material. Though Microsoft has issued patches to fix the flaws, researchers have cautioned that hackers may already have gained access to many of the targeted servers. The Eye Security researchers warned that the number of compromised organizations may still grow, as there are ways to compromise servers that do not leave traces, and other "opportunistic" hackers may continue to exploit vulnerable servers. Organizations that have not yet patched their SharePoint servers should do so immediately, following Microsoft's instructions, which include rotating machine keys and analyzing the logs and file system for signs of exploitation.
Microsoft has attributed the attacks to the Linen Typhoon and Violet Typhoon groups; both are said to be Chinese state-sponsored hacking groups. A third China-based group, referred to as Storm-2603, is also said to have used the exploit in the wild.


Techday NZ
18 hours ago
- Techday NZ
SharePoint zero-day flaw exploited as over 9,000 servers at risk
Cybersecurity experts have raised fresh alarms following reports of active exploitation targeting Microsoft SharePoint servers worldwide. The scale and sophistication of the attacks, which began to surface in detailed research at the end of last week, are causing concern among organisations that rely on the popular collaboration platform for critical information infrastructure. The vulnerability at the centre of the incident, now assigned as CVE-2025-53770, affects a wide cross-section of SharePoint Server deployments. Research from Eye Security first brought attention to what it described as "active, large-scale exploitation," driven by a zero-day weakness identified within a pair of vulnerabilities collectively known as ToolShell. Successful exploitation allows attackers to extract the MachineKey configuration details from vulnerable servers - exposing both the validationKey and decryptionKey, which are crucial to securing authentication tokens and encrypted data. This critical information, once in criminal hands, can be weaponised. As Satnam Narang, Senior Staff Research Engineer at Tenable, explained, "Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution." Narang noted that the consequences for affected organisations may be severe, with broad implications for data integrity and security across industry sectors. Indicators of compromise are already being circulated among security teams. Organisations are being urged to check for evidence of unauthorised access, with one telltale sign being the sudden creation of files named " on vulnerable servers, possibly under other extensions. The scope of exposure is significant, with estimates suggesting over 9,000 externally accessible SharePoint servers are potentially at risk. 
These systems are deployed globally by enterprises, government entities, and a range of other organisations relying on SharePoint for document management and collaboration. Patching efforts have commenced in earnest. Microsoft began distributing fixes late on 20 July, prioritising SharePoint Server 2019 and SharePoint Subscription Edition. A remedy for SharePoint Server 2016 remains pending but is expected imminently. Narang advised, "We strongly advise organisations to begin conducting incident response investigations to identify potential compromise; otherwise, apply the available patches and review the mitigation instructions provided by Microsoft." Andrew Obadiaru, Chief Information Security Officer at offensive security firm Cobalt, warned that the speed and depth of zero-day exploitation leaves little margin for delay or complacency. "Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. "The challenge isn't just patching - it's that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds. Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today's threat landscape, reactive security alone is a losing game." Obadiaru's remarks echo growing industry consensus that traditional perimeter defences are proving insufficient in the face of increasingly sophisticated and rapid cyber threats. Security teams are being encouraged to revisit their incident response and detection protocols, embracing a proactive security posture and preparing for the possibility that attackers may already be inside their networks. For now, the advice from the security community is clear: immediate action is essential. 
Organisations are urged to initiate incident response processes, apply available patches without delay, and review configuration settings for any signs of compromise. Vigilance and proactive testing will be the defining factors in limiting the fallout from yet another high-profile zero-day targeting widely used enterprise software.
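The two articles above make the same technical point: a stolen validationKey lets anyone produce requests the server accepts as genuine, and patching the code path that leaked the key does not revoke it, which is why Microsoft's guidance includes rotating machine keys. The following Python sketch is an added illustration (not code from any of the articles, from Microsoft, or from the ToolShell research) using a simplified HMAC-signed state blob as a stand-in for ASP.NET's MachineKey-protected ViewState; the key sizes, payload layout and function names are assumptions, and the real ViewState MAC format differs.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


def new_machine_key() -> dict:
    """Simplified stand-in for an ASP.NET <machineKey>: a validationKey
    (HMAC secret) and a decryptionKey (for encrypted state). Sizes assumed."""
    return {"validationKey": secrets.token_bytes(64),
            "decryptionKey": secrets.token_bytes(32)}


def sign_state(payload: bytes, validation_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the payload and base64 the result."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac)


def verify_state(token: bytes, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if the tag matches the current key, else None."""
    raw = base64.b64decode(token)
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def rotation_invalidates_leaked_key() -> tuple:
    """Model the incident timeline: key material is copied off the server,
    the application bug is patched, then the key is rotated. Returns
    (accepted_before_rotation, accepted_after_rotation) for a token minted
    with the leaked copy. Sample payload is constructed for this example."""
    server = new_machine_key()
    leaked_copy = server["validationKey"]            # exfiltrated key material
    token = sign_state(b"constructed-state-blob", leaked_copy)
    # Patching the code that leaked the key changes nothing at this point:
    # the server still trusts any tag made with its current validationKey.
    accepted_before = verify_state(token, server["validationKey"]) is not None
    server = new_machine_key()                       # key rotation
    accepted_after = verify_state(token, server["validationKey"]) is not None
    return accepted_before, accepted_after


if __name__ == "__main__":
    print(rotation_invalidates_leaked_key())  # (True, False)
```

Rotation also invalidates legitimate state signed under the old key, so expect active sessions to be disrupted; that is the intended effect, not a defect.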


Techday NZ
18 hours ago
- Techday NZ
Critical SharePoint zero-day flaw exploited, urgent actions urged
A critical zero-day vulnerability in Microsoft SharePoint Server, identified as CVE-2025-53770, has been actively exploited by threat actors and now poses a significant security risk to organisations operating on-premises SharePoint environments. Security researchers and technology companies have raised urgent concerns about the sophistication and reach of the campaign, which has been dubbed "ToolShell" and enables remote code execution (RCE), system compromise, and persistent backdoor access - even in environments protected by measures such as multi-factor authentication (MFA). According to Adrian Culley, Senior Sales Engineer at SafeBreach, the situation is particularly serious because the attacks exploiting this vulnerability commenced before any security patches were made available, placing it in the most dangerous category of threats to enterprise infrastructure. "This CVE represents a critical security incident: it was exploited as a zero-day vulnerability in active attacks against production systems before any patches were available - the most severe type of threat organisations face," Culley stated. Further complicating the response, there is currently no single remediation patch for the vulnerability. Microsoft has taken the unusual and cautionary step of advising organisations to assume their systems may already be compromised, and to immediately conduct comprehensive investigations to verify the integrity of their environments. This approach is rarely adopted in public advisory language, and reinforces the gravity of the incident. SharePoint Server 2016 installations face unique challenges due to the absence of technical fixes at present. Organisations running these environments are being told to lean on breach and attack simulation, alongside current security controls, to gauge their exposure. 
Culley recommended, "Proactive defence requires targeted hardening measures and resilience improvements to prevent falling victim to this sophisticated attack vector." Analysis from Mandiant Consulting, part of Google Cloud, indicates that this exploit is being used by multiple threat actors, including groups linked to China. Charles Carmakal, CTO at Mandiant Consulting, stressed the breadth of the threat landscape: "We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability." Carmakal warned that further threat actors are expected to join as awareness and knowledge of the exploit spreads, increasing the urgency for defensive actions. Google's Threat Intelligence Group has observed attackers leveraging CVE-2025-53770 to install webshells and exfiltrate sensitive cryptographic secrets from compromised servers. This enables unauthenticated, long-term access to targeted systems, putting confidential data and business operations at risk. In its emergency guidance, Microsoft clarified that this vulnerability currently affects only on-premises versions of SharePoint Server. Organisations using SharePoint Online as part of Microsoft 365 are not impacted. For those running on-premises servers exposed to the internet, immediate action is advised. Experts recommend implementing Microsoft's mitigation advice, closely monitoring systems for signs of compromise, and preparing to deploy an emergency patch as soon as it becomes available. Carmakal summed up the reality facing organisations: "This isn't an 'apply the patch and you're done' situation. Organisations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions." 
Given the current lack of a comprehensive patch, vigilance in monitoring, rapid application of mitigations, and thorough investigative processes will be mandatory in defending against the expanding wave of exploitation. Security professionals emphasise that building resilience and continually reviewing security postures are critical as the situation evolves and more actors target the vulnerability.


Scoop
2 days ago
- Scoop
Critical Microsoft SharePoint Zero-Day Under Active Exploitation: Google Threat Experts Warn Immediate Action Required
A newly discovered Microsoft SharePoint vulnerability - designated CVE-2025-53770 - is being actively exploited in the wild, with Google's Threat Intelligence Group warning that attackers are using the flaw to implant webshells and steal sensitive cryptographic secrets from compromised servers. Unlike typical vulnerabilities addressed via a routine patch, this zero-day poses a more complex challenge. Organisations running on-premises SharePoint instances exposed to the internet are at immediate risk, according to Charles Carmakal, CTO of Mandiant Consulting (Google Cloud). In guidance shared via LinkedIn, Carmakal stressed that applying mitigations immediately is critical, and organizations should assume potential compromise has already occurred. 'This isn't an 'apply the patch and you're done' situation,' Carmakal advised. He emphasised a multi-step response: implement available mitigations now, patch as soon as Microsoft releases an update, investigate for signs of compromise, and remediate accordingly. Microsoft has yet to release an official patch but is expected to issue an emergency out-of-cycle update in response to the active exploitation. Notably, Microsoft 365's SharePoint Online is not impacted. The Google Threat Intelligence team has identified ongoing attacks where cybercriminals gain persistent, unauthenticated access, enabling long-term intrusion capabilities on victim networks. Organizations are urged to move quickly to mitigate potential damage. The situation highlights the increasing importance of real-time intelligence sharing between cloud providers and software vendors, as attackers increasingly target widely deployed enterprise platforms with zero-day exploits.


Yahoo
2 days ago
- Yahoo
Microsoft, CISA warn of cyberattacks targeting on-premises SharePoint servers
This story was originally published on Cybersecurity Dive. To receive daily news and insights, subscribe to our free daily Cybersecurity Dive newsletter. Microsoft on Saturday warned that hackers are exploiting a critical vulnerability in SharePoint, dubbed ToolShell, to launch attacks against on-premises customers. The vulnerability, tracked as CVE-2025-53770, involves deserialization of untrusted data and is a variant of CVE-2025-49706. The Cybersecurity and Infrastructure Security Agency (CISA) on Sunday said the vulnerability can allow a malicious adversary to gain full access to SharePoint content, including file systems and internal configurations. 'CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,' Chris Butera, acting executive assistant director for cybersecurity said in a statement. 'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations.' The agency urged all organizations with on-premises Microsoft SharePoint servers to rapidly implement mitigations. Microsoft on Sunday released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771, and urged customers to immediately apply the patches. Hackers have already breached dozens of vulnerable systems in at least two attack waves, according to researchers at Eye Security, which first disclosed the flaw on Saturday and said they had scanned more than 8,000 SharePoint servers worldwide. Researchers from watchTowr said exploitation may have begun as early as July 16. The attacks have compromised at least two federal agencies in the U.S., as well as multiple European government agencies and a U.S. energy company, The Washington Post reported. The Multi-State Information Sharing and Analysis Center has already notified more than 150 actively targeted state and local government agencies, a spokesperson told Cybersecurity Dive.
It said it had detected more than 1,100 vulnerable servers, including some belonging to K-12 school districts and universities. Google's Threat Intelligence Group has observed hackers installing Web shells and stealing cryptographic secrets from targeted servers, an executive said on LinkedIn. Shadowserver on Sunday said it was tracking 9,300 exposed IPs and was working with watchTowr and Eye Security to notify affected customers. Earlier this month, researchers at Code White GmbH demonstrated ToolShell using a combination of CVE-2025-49706 and CVE-2025-49704.