Microsoft Releases Mitigations and Threat Hunting Queries for SharePoint Zero-Day

Thousands of organizations worldwide face active cyberattacks targeting Microsoft SharePoint servers through two critical vulnerabilities, prompting urgent government warnings and emergency patches.

Microsoft confirmed over the weekend that threat actors are actively exploiting two zero-day vulnerabilities in on-premises SharePoint servers, designated CVE-2025-53770 and CVE-2025-53771.

The attacks, dubbed “ToolShell” by security researchers, have compromised dozens of organizations globally since July 18, including U.S. federal agencies, universities, and energy companies.

The primary vulnerability, CVE-2025-53770, carries a critical CVSS score of 9.8 and enables unauthenticated remote code execution through unsafe deserialization of untrusted data.

The companion flaw, CVE-2025-53771 (CVSS 6.3), allows attackers to bypass authentication by manipulating HTTP headers, specifically crafting requests with forged Referer headers pointing to SharePoint’s sign-out page.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, requiring federal agencies to implement mitigations within 24 hours.

Acting Executive Assistant Director Chris Butera confirmed CISA was alerted by a trusted partner and immediately coordinated with Microsoft.

“We’re witnessing an urgent and active threat,” warned Lotem Finkelstein, Director of Threat Intelligence at Check Point Research. “Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7.”

Security researchers estimate over 10,000 SharePoint servers worldwide remain vulnerable, with the highest concentrations in the United States, Netherlands, United Kingdom, and Canada.

Eye Security, which first disclosed the active exploitation, reported scanning more than 8,000 SharePoint servers globally and finding evidence of ongoing attacks in multiple waves.

The ToolShell exploit chain demonstrates sophisticated tactics, beginning with specially crafted POST requests to SharePoint’s vulnerable ToolPane.aspx endpoint.

Attackers manipulate the Referer header to bypass authentication, then upload malicious ASPX files typically named “spinstall0.aspx” to extract critical cryptographic keys from the server.

These stolen ValidationKeys and DecryptionKeys enable attackers to forge legitimate authentication tokens, maintaining persistent access even after patching.

The technique allows threat actors to execute PowerShell commands through SharePoint’s IIS worker process (w3wp.exe), often running under NT AUTHORITY\IUSR privileges.

“The vulnerability fundamentally breaks SharePoint’s security model,” explained researchers at Strobes Security. “Once exploited, attackers can steal SharePoint’s cryptographic MachineKey configuration, granting persistent access indefinitely.”

Emergency Patches and Mitigation Guidance

Microsoft released emergency security updates on July 21 for SharePoint Server Subscription Edition (KB5002768) and SharePoint Server 2019 (KB5002754), with language pack updates also available. However, SharePoint Server 2016 remains vulnerable, with Microsoft working to develop comprehensive patches.

To mitigate potential attacks, customers should:

  1. Use supported versions of on-premises SharePoint Server.
  2. Apply the latest security updates listed above (KB5002768 for Subscription Edition, KB5002754 for SharePoint Server 2019).
  3. Deploy Microsoft Defender for Endpoint protection, or an equivalent threat protection solution.
  4. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus.
  5. Rotate SharePoint Server ASP.NET machine keys.

Microsoft Defender unified Advanced Hunting query to identify devices with vulnerable SharePoint builds

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49706","CVE-2025-53770")

To check for successful exploitation via file creation

DeviceFileEvents
| where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
| where FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

To check for process creation

DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
and InitiatingProcessCommandLine !has "DefaultAppPool"
and FileName =~ "cmd.exe"
and ProcessCommandLine has_all ("cmd.exe", "powershell")
and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall0", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
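As an added illustration, not code from Microsoft or from this article, the Python below re-implements the matching logic of the two hunting queries above (file creation and process creation) over constructed sample events, so the decoding step (base64 of UTF-16LE text, NUL bytes stripped, as the query's base64_decodestring and replace("\x00") do) and the file-name and path matches can be inspected offline. The event records and the encoded PowerShell text are constructed for the example (the encoded text is a harmless placeholder that only mentions the indicator path); plain substring matching approximates KQL's term-based has operators.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List

# Folder fragments from the file-creation query (KQL has_any is case-insensitive).
LAYOUTS_DIRS = (
    r"microsoft shared\web server extensions\16\template\layouts",
    r"microsoft shared\web server extensions\15\template\layouts",
)
# 8.3 short-path forms from the process-creation query.
SHORT_LAYOUTS = (
    r"c:\progra~1\common~1\micros~1\webser~1\15\template\layouts",
    r"c:\progra~1\common~1\micros~1\webser~1\16\template\layouts",
)
# Same regex the query applies to each space-separated command-line argument.
B64_ARG = re.compile(r"^[A-Za-z0-9+/=]{15,}$")


@dataclass
class FileEvent:            # subset of DeviceFileEvents columns
    timestamp: str
    device_name: str
    initiating_process: str
    file_name: str
    folder_path: str


@dataclass
class ProcessEvent:         # subset of DeviceProcessEvents columns
    timestamp: str
    device_name: str
    initiating_file_name: str
    initiating_cmdline: str
    file_name: str
    process_cmdline: str


def suspicious_file_events(events: List[FileEvent]) -> List[FileEvent]:
    """File-creation rule: a spinstall0* file written under a LAYOUTS directory."""
    return [e for e in events
            if any(d in e.folder_path.lower() for d in LAYOUTS_DIRS)
            and "spinstall0" in e.file_name.lower()]


def decode_b64_args(cmdline: str) -> List[str]:
    """Split on spaces, keep base64-looking tokens, decode, drop NUL bytes.
    -EncodedCommand carries UTF-16LE, so removing NULs leaves readable ASCII."""
    decoded = []
    for token in cmdline.split(" "):
        if not B64_ARG.match(token):
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # looks like base64 but is not valid base64
        decoded.append(raw.replace(b"\x00", b"").decode("ascii", errors="replace"))
    return decoded


def suspicious_process_events(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Process-creation rule: w3wp.exe (not DefaultAppPool) -> cmd.exe -> encoded
    PowerShell whose decoded text names spinstall0 or a LAYOUTS path."""
    hits = []
    for e in events:
        if "w3wp.exe" not in e.initiating_file_name.lower():
            continue
        if "defaultapppool" in e.initiating_cmdline.lower():
            continue
        if e.file_name.lower() != "cmd.exe":
            continue
        cl = e.process_cmdline.lower()
        if not ("cmd.exe" in cl and "powershell" in cl):
            continue
        if not ("encodedcommand" in cl or "-ec" in cl):
            continue
        for text in decode_b64_args(e.process_cmdline):
            t = text.lower()
            if "spinstall0" in t or any(p in t for p in SHORT_LAYOUTS):
                hits.append(e)
                break
    return hits


def _encoded(ps_text: str) -> str:
    """Encode text the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). The encoded text is a harmless
# placeholder that only mentions the indicator path.
LAYOUTS16 = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
SAMPLE_FILE_EVENTS = [
    FileEvent("2025-07-19T02:11:03Z", "SP-WFE01", "w3wp.exe", "spinstall0.aspx", LAYOUTS16),
    FileEvent("2025-07-19T02:12:40Z", "SP-WFE01", "w3wp.exe", "default.aspx", LAYOUTS16),
    FileEvent("2025-07-19T02:13:15Z", "SP-WFE01", "msiexec.exe", "spinstall0.tmp", r"C:\Windows\Temp"),
]
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("2025-07-19T02:11:01Z", "SP-WFE01", "w3wp.exe", 'w3wp.exe -ap "SharePoint - 80"',
                 "cmd.exe", "cmd.exe /c powershell.exe -EncodedCommand " + _encoded(
                     r"Write-Output 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx'")),
    ProcessEvent("2025-07-19T02:20:00Z", "SP-WFE01", "w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"',
                 "cmd.exe", "cmd.exe /c powershell.exe -EncodedCommand " + _encoded("Get-Date")),
    ProcessEvent("2025-07-19T02:25:00Z", "SP-WFE01", "w3wp.exe", 'w3wp.exe -ap "SharePoint - 80"',
                 "cmd.exe", "cmd.exe /c powershell.exe -ec " + _encoded("Get-Process")),
]

if __name__ == "__main__":
    for e in suspicious_file_events(SAMPLE_FILE_EVENTS):
        print("FILE  ", e.timestamp, e.device_name, e.folder_path, e.file_name)
    for e in suspicious_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROC  ", e.timestamp, e.device_name, e.initiating_cmdline, decode_b64_args(e.process_cmdline))
```

Run as a script it prints one file hit (spinstall0.aspx in the 16\TEMPLATE\LAYOUTS folder) and one process hit (the SharePoint application pool, not DefaultAppPool, spawning encoded PowerShell that names the indicator path); the DefaultAppPool event and the encoded Get-Process event are filtered out, matching the query's intent.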

The rapid progression from proof-of-concept demonstration to mass exploitation occurring within just 72 hours highlights the evolving threat landscape where zero-day vulnerabilities can be weaponized almost instantly. Organizations are urged to treat this as an emergency-priority incident requiring immediate action to prevent compromise.
