All Articles

Microsoft SharePoint Zero-Day Exploitation Campaign (CVE-2025-53770, CVE-2025-53771)

Posted by CISO Platform on July 23, 2025 at 9:00am in Blog

 

Microsoft SharePoint Zero-Day Exploitation Campaign (CVE-2025-53770, CVE-2025-53771)

Source: TheHackerNews, Dark Reading, CSO Magazine, Krebs on Security

SharePoint Zero-Day Attack Visualization
 
Timeline:
• July 18, 2025 (6:00 PM CET): Active exploitation begins
• July 20, 2025: CISA adds CVE-2025-53770 to Known Exploited Vulnerabilities catalog
• July 21, 2025: Microsoft releases emergency patches for both vulnerabilities
Attack Vector: Sophisticated vulnerability chaining exploiting deserialization flaws in on-premises SharePoint Server. Attackers abuse CVE-2025-49706 (authentication bypass) combined with CVE-2025-49704 (code injection) to achieve unauthenticated remote code execution. The exploit chain, dubbed "ToolShell," involves sending crafted POST requests to /_layouts/15/ToolPane.aspx with spoofed Referer headers.
Threat Actor: Advanced persistent threat group with sophisticated reconnaissance capabilities targeting critical infrastructure, government entities, universities, and energy companies across multiple sectors.

Indicators of Compromise (IOCs):

  • spinstall0.aspx - Malicious ASPX payload file
  • POST requests to /_layouts/15/ToolPane.aspx
  • Spoofed Referer header: _layouts/SignOut.aspx
  • PowerShell execution for MachineKey extraction
  • Anomalous SharePoint service restarts
CVE References:
CVE-2025-53770 (CVSS 9.8): Remote code execution via deserialization of untrusted data in SharePoint Server
CVE-2025-53771 (CVSS 7.1): Spoofing vulnerability enabling path traversal in SharePoint
CVE-2025-49706 (CVSS 6.3): Authentication bypass vulnerability (chained)
CVE-2025-49704 (CVSS 8.8): Code injection vulnerability (chained)
MITRE ATT&CK Mapping:
T1190 (Initial Access): Exploit Public-Facing Application
T1059.001 (Execution): PowerShell execution for credential harvesting
T1505.003 (Persistence): Web Shell deployment via ToolShell backdoor
T1552.004 (Credential Access): Private Keys extraction (ASP.NET MachineKey)
T1021.001 (Lateral Movement): Remote Services via compromised SharePoint integration

Analysis: This represents a critical supply chain attack targeting enterprise collaboration infrastructure. The sophistication of vulnerability chaining demonstrates advanced threat actor capabilities with deep understanding of SharePoint architecture. The theft of ASP.NET machine keys enables persistent access and lateral movement across integrated Microsoft services (Teams, OneDrive, Outlook). Organizations with internet-facing SharePoint servers should assume compromise and implement immediate containment measures.

 

For more breach intelligence reports and cybersecurity insights, visit CISOPlatform.com and sign up to be a member.

Nominate for Global CISO 100 Awards & Future CISO Awards (1-2 October Atlanta, USA): Nominate Your Peer

Views: 148
Tags: breach intelligence
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by CISO Platform

Priyanka, Co-Founder and Editor, CISO Platform Breach Intelligence, leads our threat intelligence and incident analysis efforts, providing actionable insights to the global cybersecurity community. With extensive experience in cybersecurity leadership and breach analysis, she specializes in translating complex technical threats into strategic intelligence for security executives.

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (Monthly)

Jun 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
Virtual
  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

6 City Round Table On "New Guidelines & CISO Priorities for 2025" (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

Dec 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
India
  • Description:

    We are pleased to invite you to an exclusive roundtable series hosted by CISO Platform in partnership with FireCompass. The roundtable will focus on "New Guidelines & CISO Priorities for 2025"

    Date: December 1st - December 31st 2025

    Venue: Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata

    >> Register Here

  • Created by: Biswajit Banerjee

Fireside Chat With Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.)

Jan 10, 2026 from 4:30pm to 5:00pm
Online
  • Description:

    We’re excited to bring you an insightful fireside chat with Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.) and Erik Laird (Vice President - North America, FireCompass). 

    About Sandro:

    Sandro Bucchianeri is an award-winning global cybersecurity leader with over 25…

  • Created by: Biswajit Banerjee
  • Tags: ciso, sandro bucchianeri, nab