Caute_cautim
Community Champion

SharePoint under attack - Microsoft Zero Day exploited in the wild, no patch available

Hi All

Enterprises running SharePoint servers should not wait for a fix for CVE-2025-53770 and should commence threat hunting to search for compromise immediately.

Microsoft issued an urgent warning on Saturday to SharePoint Server customers, saying active attacks are targeting a zero-day vulnerability in the software product, which has been assigned CVE-2025-53770 with a CVSS score of 9.8.

A patch is currently not available for the flaw, dubbed “ToolShell“, which Microsoft says is a variant of CVE-2025-49706.

The Redmond, Washington-based tech giant said a security update is currently in the works and provided mitigation instructions and detection guidance. Security teams should take immediate action to implement mitigations in the meantime.

“Google Threat Intelligence Group has observed threat actors exploiting this vulnerability to install webshells and exfiltrate cryptographic secrets from victim servers,” a Google Spokesperson told SecurityWeek. “This allows for persistent, unauthenticated access and presents a significant risk to affected organizations.”

Researchers at Eye Security say they discovered “dozens of systems actively compromised,” which they say likely occurred in attacks around July 18th at around 18:00 CET and July 19th at around 07:30 CET.

The Palo Alto Networks Unit42 team said on Saturday that it also has seen active exploitation of vulnerabilities for CVE-2025-49704 and CVE-2025-49706 that affect Microsoft SharePoint.

https://www.securityweek.com/sharepoint-under-attack-microsoft-warns-of-zero-day-exploited-in-the-wi...

Put countermeasures in place now!

Regards

Caute_Cautim

1 Reply
Caute_cautim
Community Champion

Hi All

Additional information from Microsoft:

https://www.securityweek.com/microsoft-says-chinese-apts-exploited-toolshell-zero-days-weeks-before-...

Stating:

Microsoft says Chinese threat actors started exploiting SharePoint zero-day vulnerabilities weeks before they were patched. However, details shared by the tech giant bring further confusion as to exactly which CVEs have been exploited. 

An analysis conducted by the tech giant found that exploitation of the SharePoint zero-days named ToolShell started as early as July 7. The first public reports of attacks were triggered by exploitation attempts seen on July 18. 

Some members of the cybersecurity industry have already attributed the first wave of ToolShell attacks to China, saying that high-value targets in various sectors had been hit.

However, Microsoft’s timeline suggests that Chinese hackers had known about the potential impact and value of the vulnerabilities much earlier than previously believed.

According to Microsoft, two Chinese state-sponsored threat actors tracked as Linen Typhoon and Violet Typhoon have attempted to use the ToolShell vulnerabilities for initial access. In addition, the company has seen a third threat group — named Storm-2603 and linked to China with medium confidence — conducting zero-day attacks.

Regards

Caute_Cautim