Tuesday, July 29, 2025

Critical SharePoint Zero-Day: Global Attack Campaign Exposes Thousands of Organizations


Sophisticated Chinese state actors exploit chain of vulnerabilities to steal cryptographic keys, deploy ransomware across government and corporate infrastructure

A critical zero-day vulnerability in Microsoft SharePoint Server has triggered one of the most significant cybersecurity incidents of 2025, with researchers confirming active exploitation across thousands of organizations worldwide since early July. The vulnerability, designated CVE-2025-53770 with a maximum CVSS score of 9.8, has enabled attackers to achieve unauthenticated remote code execution on on-premises SharePoint deployments, affecting government agencies, universities, energy companies, and telecommunications firms across North America, Europe, and Asia.

Technical Details and Attack Mechanics

The vulnerability represents a sophisticated bypass of Microsoft's July 2025 patches for two previously disclosed SharePoint flaws: CVE-2025-49704 (remote code execution) and CVE-2025-49706 (authentication bypass). Security researchers have dubbed the exploit chain "ToolShell," originally demonstrated at the Pwn2Own Berlin competition in May 2025 by researchers from Viettel Cyber Security.

The chain targets a weakness in how SharePoint Server deserializes untrusted data. Attackers send crafted POST requests to the ToolPane.aspx endpoint with a spoofed Referer header claiming the request originated from SharePoint's SignOut.aspx page; this authentication bypass lets them upload malicious ASPX files, in particular a web shell named "spinstall0.aspx" that extracts the server's ASP.NET machine keys (ValidationKey and DecryptionKey).

With the stolen keys, attackers can generate validly signed __VIEWSTATE payloads, effectively turning any authenticated SharePoint request into a remote code execution opportunity. The persistence mechanism is what makes the attack so damaging: even after patching, attackers holding the stolen keys can continue to forge signed payloads that the server accepts as legitimate.

Timeline and Attribution

Microsoft's analysis indicates that exploitation attempts began as early as July 7, 2025, with activity intensifying dramatically on July 18-19. The company has identified three distinct Chinese threat actors involved in the campaign: state-sponsored groups Linen Typhoon and Violet Typhoon, along with a China-based actor designated Storm-2603.

Storm-2603, which Microsoft tracks with moderate confidence as a China-based threat actor, has been observed deploying Warlock and LockBit ransomware since July 18. The group has a history of ransomware operations, though Microsoft notes uncertainty about its primary objectives in this campaign.

Check Point Research identified the first exploitation attempts targeting a major Western government on July 7, with attacks originating from IP addresses 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147. Notably, one of these IP addresses was previously associated with exploitation of Ivanti Endpoint Manager Mobile vulnerabilities, suggesting coordinated infrastructure usage across multiple attack campaigns.

Global Impact Assessment

The scale of the compromise is unprecedented for a SharePoint vulnerability. Tens of thousands of SharePoint servers worldwide are at risk, according to security experts, with confirmed breaches affecting U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company.

Shodan scanning reveals over 16,000 publicly exposed SharePoint servers worldwide, with the majority located in the United States (3,960), followed by Iran (2,488), Malaysia (1,445), the Netherlands (759), and Ireland (645). The Shadowserver Foundation identified 424 SharePoint servers still vulnerable to the exploit chain as of July 23, primarily in the United States, Iran, Germany, India, and China.

Eye Security and watchTowr have confirmed compromised servers belonging to 29 organizations, including multinational firms and government entities, with researchers observing "dozens" of actively exploited servers.

Microsoft's Response and Patch Status

Microsoft initially struggled with patch deployment, first suggesting users modify or disconnect SharePoint servers from the internet before releasing a comprehensive patch for SharePoint Server 2016 on Sunday evening. By July 21, the company had released patches for SharePoint Server Subscription Edition and SharePoint Server 2019, with SharePoint Server 2016 patches following on July 22.

The patches address not only CVE-2025-53770 but also CVE-2025-53771, a related spoofing vulnerability, and Microsoft describes them as providing "more robust protections" than the original July security updates. However, Microsoft acknowledged that two SharePoint versions initially remained vulnerable even after the first patch release.

Detection and Indicators of Compromise

Security teams should search for the primary indicator: creation of spinstall0.aspx files in SharePoint's layouts directory, along with variants such as spinstall.aspx, spinstall1.aspx, and spinstall2.aspx. Additional indicators include the debug_dev.js file, used to store PowerShell command output, and the published SHA256 hash 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514.

CISA recommends that organizations monitor for requests carrying a Referer header of the sign-out page /_layouts/SignOut.aspx, as this is the exact header value threat actors use when exploiting ToolPane.aspx for initial access.
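As an added example (not from the article or from any vendor's tooling), a Python triage script that applies the indicators above: it parses IIS W3C log lines for POSTs to ToolPane.aspx carrying a SignOut.aspx Referer or for requests reaching a spinstall*.aspx shell, and checks files under the layouts directory by name and by the published hash. The sample log lines and the client address 203.0.113.7 are constructed; in practice the functions would be pointed at the IIS log directory and the SharePoint layouts path.

```python
import hashlib
import os
import re
# Indicators named in the article: spinstall*.aspx web shells in the layouts
# directory, the debug_dev.js output file and the single published SHA256.
SHELL_NAME_RE = re.compile(r"^spinstall\d?\.aspx$", re.IGNORECASE)
OUTPUT_FILE = "debug_dev.js"
KNOWN_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"

# Constructed IIS W3C log sample (not a real capture); 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 https://sp.example.test/ 200
2025-07-18 10:02:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:03:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_toolshell_requests(lines):
    """Return (timestamp, client ip, reason) for each request matching a log indicator."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        when = rec.get("date", "") + " " + rec.get("time", "")
        # Indicator 1: POST to ToolPane.aspx whose Referer claims to come from SignOut.aspx.
        if (rec.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
                and "/_layouts/signout.aspx" in rec.get("cs(Referer)", "").lower()):
            hits.append((when, rec.get("c-ip", "-"), "toolpane-post-signout-referer"))
        # Indicator 2: any request that reaches a spinstall*.aspx web shell.
        elif SHELL_NAME_RE.match(os.path.basename(stem)):
            hits.append((when, rec.get("c-ip", "-"), "webshell-request " + os.path.basename(stem)))
    return hits

def classify_file(path, data):
    """Return the matched indicator for a file under the layouts directory, else None."""
    name = os.path.basename(path)
    if hashlib.sha256(data).hexdigest() == KNOWN_SHA256:
        return "known-hash " + name
    if SHELL_NAME_RE.match(name) or name.lower() == OUTPUT_FILE:
        return "suspicious-name " + name
    return None
```

A hit on either log indicator should be treated as a likely compromise and followed by the key rotation described later in the article, since patching alone does not invalidate keys already stolen.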

Industry Response and Implications

CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, with CVE-2025-49706 and CVE-2025-49704 added on July 22. The agency has mandated that federal civilian executive branch agencies apply mitigations immediately.

The vulnerability's impact extends beyond the initial compromise, because SharePoint integrates with other Microsoft applications such as Outlook, Teams, and OneDrive, potentially enabling broader network infiltration and data theft. Security researchers emphasize that affected organizations must both patch the vulnerability and rotate their cryptographic keys to prevent re-compromise using previously stolen keys.

SANS Institute researchers have characterized CVE-2025-53770 as "likely one of the most critical SharePoint vulnerabilities to date," recommending that organizations treat any on-premises SharePoint deployment as potentially compromised.

Critical Mitigation Steps

Microsoft recommends immediate deployment of security updates for all supported SharePoint versions, configuration of Antimalware Scan Interface (AMSI) integration, and deployment of Microsoft Defender Antivirus on all SharePoint servers.

Critically, organizations must rotate SharePoint Server ASP.NET machine keys after patching and restart Internet Information Services (IIS) on all SharePoint servers. For organizations unable to enable AMSI, Microsoft advises disconnecting SharePoint servers from the internet until patches can be applied.

Organizations should also disconnect public-facing versions of SharePoint Server that have reached end-of-life, such as SharePoint Server 2013 and earlier versions.

Looking Forward

The SharePoint vulnerability exploitation represents a concerning trend of increasingly sophisticated supply chain and infrastructure attacks. Kaspersky researchers note similarities between CVE-2025-53770 and the older CVE-2020-1147 vulnerability, suggesting that the new flaw may be a variant of, or a bypass of the fix for, earlier SharePoint deserialization bugs.

The public availability of proof-of-concept exploit code on GitHub has lowered the technical barrier for both state-sponsored and financially motivated threat actors, with experts expecting continued widespread exploitation attempts.

This incident underscores the critical importance of rapid patch deployment and comprehensive security monitoring for internet-facing enterprise applications, particularly those handling sensitive organizational data like SharePoint deployments.


SIDEBAR: Critical Organizations Compromised and Their Response

Federal Agencies and Nuclear Infrastructure

The most concerning breach involves the National Nuclear Security Administration (NNSA), the federal agency responsible for maintaining and developing the U.S. stockpile of nuclear weapons. According to officials, no classified information was compromised, with the Department of Energy confirming it was "minimally impacted" due to its widespread use of Microsoft 365 cloud services and robust cybersecurity systems. Only "a very small number of systems" were affected, with the NNSA taking "appropriate action to mitigate risk and transition to other offerings as appropriate."

The National Institutes of Health (NIH) was also compromised, with at least one Microsoft SharePoint server system affected. An internal NIH IT email indicated the agency's cybersecurity team was working to remediate the SharePoint attack.

Department of Homeland Security (DHS) components were breached, including potentially the Cybersecurity and Infrastructure Security Agency (CISA), Transportation Security Administration, Customs and Border Protection, and Federal Emergency Management Agency. DHS confirmed there was "no evidence of data exfiltration at DHS or any of its components at this time."

State and Local Government Impact

One eastern U.S. state official reported that attackers had "hijacked" a repository of public documents used to help residents understand how their government works, with the agency no longer able to access the material. This rare "wiper" attack alarmed officials in other states as word spread of potential data deletion beyond typical cryptographic key theft.

Arizona cybersecurity officials convened with state, local, and tribal officials to assess potential vulnerabilities and share information. The Multi-State Information Sharing and Analysis Center detected hundreds of vulnerable groups among state, local, territorial, and tribal governments.

Commercial and Critical Infrastructure

Security researchers identified compromises spanning both commercial and government sectors, with Eye Security tracking more than 50 breaches, including at an energy company in a large state and several European government agencies.

By July 24, Eye Security estimated approximately 400 organizations had been breached, including government agencies, corporations, and other groups worldwide. Most victims were in the United States, followed by Mauritius, Jordan, South Africa, and the Netherlands.

Confirmed victims include universities, energy companies, and an Asian telecommunications company. Researchers report victims across multiple sectors, including government, defense contractors, human-rights groups, non-governmental organizations, higher education, media, and finance companies.

International Government Response

The U.S. government and partners in Canada and Australia are investigating the compromise of SharePoint servers. Qatari government systems are believed to have been targeted, according to sources familiar with the matter.

Government Response and Coordination

CISA launched a "national coordinated response" immediately after identifying the vulnerability on Friday, working "around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures."

The FBI and other agencies are investigating the compromise, with Microsoft issuing the final patches on July 22. Microsoft confirmed coordination "closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response."

The scale and sensitivity of the affected organizations have prompted unprecedented coordination between government agencies, with particular concern for the theft of machine keys that could enable persistent access even after patching.


Sources

  1. Nakashima, Ellen, Yvonne Wingett Sanchez, and Joseph Menn. "Global hack on Microsoft product hits U.S., state agencies, researchers say." The Washington Post, July 20, 2025. https://www.washingtonpost.com/technology/2025/07/20/microsoft-sharepoint-hack/
  2. "Microsoft hit with SharePoint attack affecting global businesses and governments." CNBC, July 21, 2025. https://www.cnbc.com/2025/07/21/microsoft-sharepoint-attack-vulnerability.html
  3. Microsoft Security Blog. "Disrupting active exploitation of on-premises SharePoint vulnerabilities." July 22, 2025. https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
  4. Sudhakar, Ravie. "Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers." The Hacker News, July 20, 2025. https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
  5. Sudhakar, Ravie. "Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access." The Hacker News, July 21, 2025. https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html
  6. Cybersecurity and Infrastructure Security Agency. "UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities." July 22, 2025. https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
  7. Krebs, Brian. "Microsoft Fix Targets Attacks on SharePoint Zero-Day." Krebs on Security, July 20, 2025. https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/
  8. Whittaker, Zack. "New zero-day bug in Microsoft SharePoint under widespread attack." TechCrunch, July 21, 2025. https://techcrunch.com/2025/07/21/new-zero-day-bug-in-microsoft-sharepoint-under-widespread-attack/
  9. "Microsoft says Chinese hacking groups exploited SharePoint vulnerability in attacks." CNBC, July 22, 2025. https://www.cnbc.com/2025/07/22/microsoft-sharepoint-chinese-hackers.html
  10. Gallagher, Ryan. "US Nuclear Body Among Those Impacted By SharePoint Breach." Bloomberg, July 23, 2025. https://www.bloomberg.com/news/articles/2025-07-23/tally-of-microsoft-victims-surges-as-hackers-race-to-capitalize
  11. Cimpanu, Catalin. "Microsoft SharePoint servers under attack via zero-day vulnerability (CVE-2025-53770)." Help Net Security, July 20, 2025. https://www.helpnetsecurity.com/2025/07/20/microsoft-sharepoint-servers-under-attack-via-zero-day-vulnerability-with-no-patch-cve-2025-53770/
  12. SOCRadar Team. "ToolShell Campaign: New SharePoint Zero-Day (CVE-2025-53770) Triggers Widespread Exploitation." SOCRadar Cyber Intelligence, July 25, 2025. https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
  13. Ullrich, Johannes. "Critical SharePoint Zero-Day Exploited: What You Need to Know About CVE-2025-53770." SANS Institute, July 20, 2025. https://www.sans.org/blog/critical-sharepoint-zero-day-exploited-what-you-need-to-know-about-cve-2025-53770
  14. Tenable Research Team. "CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation." Tenable Blog, July 25, 2025. https://www.tenable.com/blog/cve-2025-53770-frequently-asked-questions-about-zero-day-sharepoint-vulnerability-exploitation
  15. Rapid7 Team. "Zero-day exploitation in the wild of Microsoft SharePoint servers via CVE-2025-53770." Rapid7 Blog, July 21, 2025. https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/
  16. Inland Cyber Defense Clinic. "CVE-2025-53770: Critical Zero-Day in Microsoft SharePoint! Guidance for Community Defenders." July 20, 2025. https://research.cgu.edu/icdc/2025/07/20/cve-2025-53770-sharepoint/
  17. Check Point Research Team. "SharePoint Zero-Day CVE-2025-53770 Actively Exploited: What Security Teams Need to Know." Check Point Blog, July 24, 2025. https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/
  18. Kaspersky Global Research and Analysis Team. "Analysis of the ToolShell vulnerabilities and exploit code." Securelist, July 28, 2025. https://securelist.com/toolshell-explained/117045/
