Latest news with #CVE‑2025‑53770
Time of India
23-07-2025
- Business
- Time of India
Microsoft SharePoint hack may have hit at least 400 organisations globally: Report
A widespread cyber-espionage campaign that exploited Microsoft SharePoint servers has reportedly hit nearly 400 organisations, says a Reuters report. The figure, shared by researchers at Dutch firm Eye Security , is based on digital traces found on exposed servers. This marks a sharp increase from roughly 100 victims identified last week and researchers believe the true damage is likely much greater. Zero-day vulnerability in Microsoft SharePoint servers The campaign takes advantage of a serious, unpatched vulnerability in on-premise SharePoint (CVE‑2025‑53770 and CVE‑2025‑53771). It allows attackers to take full control of servers, steal cryptographic keys, install hidden backdoors, and maintain access even after patching. The campaign has struck various sectors, including government, healthcare, finance, education, and manufacturing. Hundreds of servers globally remain exposed—Eye Security's scan covered over 8,000 internet-connected SharePoint servers. On July 18, researchers at Eye Security first noticed the exploit in action. Within hours, scans of Germany, US, and global servers revealed dozens of compromised systems using the same malicious payload. Their initial findings estimated around 100 victim organizations, but follow-up scans expanded the count to nearly 400. The Reuters report quotes Vaisha Bernard, chief hacker at Eye Security who said 'Not all attack methods leave traces that we can detect.' 'There are many more [victims]… so the actual number is almost certainly higher,' he added. Microsoft issues urgent patch for the vulnerability Microsoft confirmed the flaw and released emergency guidance over the weekend, advising affected users to apply patches immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the vulnerability to its Known Exploited Vulnerabilities list, mandating remediation by federal agencies by July 21. Having said that, not all SharePoint editions are currently patched, heightening the risk for organizations still running legacy versions. Experts recommend isolating or disconnecting vulnerable servers from the internet until full fixes are applied. Big Question Answered: Why Google is Merging Android and ChromeOS AI Masterclass for Students. Upskill Young Ones Today!– Join Now
Arabian Post
21-07-2025
- Arabian Post
SharePoint Zero‑Day Lets Attackers Seize Entire Servers
A critical vulnerability in on‑premise Microsoft SharePoint servers is being actively exploited, enabling unauthenticated remote code execution and full server takeover, cybersecurity agencies and independent researchers have confirmed. The flaw, tracked as CVE‑2025‑53770, allows attackers to bypass authentication entirely by exploiting a deserialization weakness in SharePoint server code. They can upload malicious ASPX web‑shells, extract machine and cryptographic keys and gain persistent access—even after patches are applied. Widely referred to as 'ToolShell,' the exploitation chain leverages two prior Pwn2Own vulnerabilities and has been weaponised in real‑world attacks. Eye Security conducted scans of over 8,000 on‑premise SharePoint servers and detected dozens of compromised instances beginning around 18 July 2025. Palo Alto's Unit 42 also confirmed global exploitation patterns consistent with ToolShell, including theft of internal keys to enable forged requests like VIEWSTATE reuse. ADVERTISEMENT Microsoft confirmed attacks affecting at least SharePoint Subscription Edition and SharePoint 2019. Emergency patches—KB5002768 and KB5002754—are available for these versions, though SharePoint 2016 remains unpatched for the moment. Microsoft is working to finalise updates for the 2016 edition as soon as possible. Cybersecurity agencies worldwide—CISA, FBI and equivalents in Canada and Australia—are coordinating assessments and urging immediate mitigation. Organisations still operating internet‑facing SharePoint servers are being strongly advised to install patches without delay, enable the Antimalware Scan Interface and deploy Defender Antivirus or equivalent protection. If AMSI cannot be enabled, servers should be disconnected from external networks until updates are applied. Victims of the exploitation have spanned U. S. federal and state agencies, universities, energy firms and international governments—including in Spain, Brazil, Germany, France, Australia, UAE and Oman. One U. S. state reported deletion of public documents following the intrusion, and stolen machine‑keys allow adversaries to bypass patches through forged authentication tokens. Researchers emphasise that applying patches alone is insufficient. Affected organisations must rotate ASP. NET machine‑keys, reset cryptographic secrets and undertake full compromise assessments to detect residual backdoors. The compromise of SharePoint servers also elevates risk across integrated services like Outlook, Teams and OneDrive, facilitating password harvesting, lateral movement and broader breaches. The vulnerability's severity is underscored by its CVSS score of 9.8 and its rapid transition from proof‑of‑concept at Pwn2Own Berlin to real‑world exploitation in just weeks. Microsoft's acknowledgment of both CVE‑2025‑53770 and CVE‑2025‑53771 highlights their connection to earlier flaws now weaponised beyond the scope of Patch Tuesday fixes. With tens of thousands of on‑premise SharePoint servers still exposed to external traffic, the threat remains urgent. Industry experts warn that organisations must act now to prevent further data theft, system takeover and persistent intrusion.
