Source URL: https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/
Source: Krebs on Security
Title: Microsoft Fix Targets Attacks on SharePoint Zero-Day
Feedly Summary: On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch comes amid reports that malicious hackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies.
AI Summary and Description: Yes
**Summary:** Microsoft issued an emergency security update for a vulnerability in on-premises SharePoint Server (CVE-2025-53770) that attackers have exploited to breach organizations, including U.S. federal agencies and energy companies. The advisory describes active attacks and calls for immediate action, and it stresses that installing the patch alone is not enough: servers that were exposed before patching must be treated as potentially compromised and have their ASP.NET machine keys rotated.
**Detailed Description:**
The text covers a critical security situation involving vulnerabilities in Microsoft SharePoint Server and the urgency for organizations to address them. The major points:
– **Emergency Security Update:**
– Date of announcement: July 20, 2025.
– Microsoft disclosed a vulnerability (CVE-2025-53770) that is presently being exploited by malicious hackers.
– **Affected Entities:**
– The vulnerability has led to breaches in U.S. federal and state agencies, universities, and energy companies.
– Active investigations are underway involving the U.S. government, Canada, and Australia.
– **Nature of Vulnerability:**
– CVE-2025-53770 is a variant of a previously reported vulnerability (CVE-2025-49706). Only on-premises SharePoint Server deployments are affected; SharePoint Online in Microsoft 365 is not.
– **Attack Mechanism:**
– Attackers are exploiting the flaw through an exploit chain dubbed “ToolShell” to gain unauthenticated remote access and execute code on the server, which gives them full access to SharePoint content, the file system and internal configuration, and lets them plant a backdoor for persistent access.
– **Recommendations for Mitigation:**
– Organizations are advised to rotate their ASP.NET machine keys and restart IIS on affected SharePoint servers after applying the update. The reason rotation matters: an attacker who exploited the server before it was patched can have stolen the machine keys, which are what ASP.NET uses to sign and encrypt ViewState, so stolen keys allow forged requests against an otherwise patched server until the keys are replaced.
– Microsoft suggests deploying Microsoft Defender AV and enabling the Anti-Malware Scan Interface (AMSI) integration in SharePoint as preventative measures.
– CISA warns that merely patching may not be sufficient, and recommends disconnecting affected, internet-facing SharePoint servers from public networks until a fully effective patch is available.
– **Previous Exploit Chain:**
– The text notes that CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May, which ties the current vulnerability to a known, publicly demonstrated attack path rather than a brand-new bug class.
– **Further Updates:**
– Microsoft is still developing patches for older, supported versions of SharePoint Server not yet covered by the fix and has published detailed advisories for organizations affected by the vulnerabilities.
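The mitigation steps above (rotate ASP.NET machine keys, restart IIS, confirm Defender AV is active) as a single PowerShell procedure. This is an added example, not code from the Krebs article or from Microsoft's advisory. It assumes SharePoint Server 2019 or Subscription Edition, where the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets are available, a Microsoft Defender Antivirus installation, and that it is run from an elevated SharePoint Management Shell on every server in the farm after the security update has been installed:

```powershell
# Added example: post-patch remediation for an on-premises SharePoint farm.
# Assumptions: SharePoint 2019 / Subscription Edition cmdlets, Defender AV installed,
# run elevated on each farm server AFTER the July 2025 security update is applied.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the ASP.NET machine keys for every web application, Central Admin included.
#    Keys stolen from a server compromised before patching stay valid until rotated,
#    so this step is what actually evicts an attacker who already has them.
if (-not (Get-Command Set-SPMachineKey -ErrorAction SilentlyContinue)) {
    Write-Warning "Set-SPMachineKey not available on this version; rotate the <machineKey> element in each web.config manually."
} else {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($wa.Url)"
        Set-SPMachineKey    -WebApplication $wa   # generate new keys in the config database
        Update-SPMachineKey -WebApplication $wa   # write the new keys into web.config
    }
}

# 2. Restart IIS so worker processes drop the old keys and any in-memory state tied to them.
iisreset.exe /noforce

# 3. Confirm Defender AV is running with real-time protection; SharePoint's AMSI
#    integration only has effect when a registered AMSI provider such as Defender is active.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    SignatureAgeDays          = $mp.AntivirusSignatureAge
}
```

Run the key rotation once per web application but the IIS restart on every server in the farm; a server that was reachable from the internet while unpatched should additionally be examined for web shells and unexpected scheduled tasks before it is trusted again, since rotation invalidates stolen keys but does not remove anything the attacker already installed.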
This situation exemplifies the critical need for timely patching and the implementation of additional security measures within organizations, especially those operating on-premises SharePoint Server systems. It also serves to remind security professionals of the evolving threat landscape and the importance of proactive defense strategies.