Digital Event Horizon

Unveiling the Devastating Consequences of Exploited Vulnerability in Microsoft SharePoint Server


Microsoft SharePoint Server has been compromised by hackers exploiting a high-severity vulnerability, allowing attackers to steal sensitive company data and grant privileged access to systems within networks. With the help of security researchers, affected organizations can take steps to mitigate this threat and protect their networks from further exploitation.

  • A high-severity vulnerability (CVE-2025-53770) in Microsoft SharePoint Server has been exploited by hackers, allowing them to steal sensitive data.
  • The vulnerability is rated at 9.8 out of 10 and gives unauthenticated remote access to exposed servers.
  • The exploitation chain is related to vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706, which were partially patched in Microsoft's monthly update release.
  • Dozens of systems across the globe have been compromised using this vulnerability, with some infected with a webshell-based backdoor called ToolShell.
  • The attackers used internal .NET methods to read the SharePoint server's MachineKey configuration and extract its ValidationKey, allowing them to craft valid payloads.
  • Patching alone is not sufficient, as attackers can use the leaked cryptographic material to stage further hacks at a later time.
  • At least two federal agencies have reported breaches, and the US Cybersecurity and Infrastructure Security Agency has provided guidance on mitigating this vulnerability.
Microsoft SharePoint Server, a widely used web-based platform for storing and managing content, has been compromised by hackers exploiting a high-severity vulnerability. The CVE-2025-53770 vulnerability, rated at 9.8 out of 10, gives unauthenticated remote access to exposed servers, allowing attackers to steal sensitive company data, including authentication tokens that grant privileged access to systems within networks.

The exploitation chain observed in this case is closely related to the chains demonstrated in May at the Pwn2Own hacking competition in Berlin for two separate vulnerabilities. The exploited vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, were partially patched two weeks ago in Microsoft's monthly update release. However, those patches only added "more robust protections" for the already patched vulnerabilities, leaving the newly discovered vulnerability unchecked.

Researchers from security firm Eye Security reported finding dozens of systems actively compromised during two waves of attacks, on July 18th and on July 19th. These systems were scattered across the globe and were hacked using the exploited vulnerability before being infected with a webshell-based backdoor called ToolShell. The researchers noted that this was not a typical webshell: it did not involve interactive commands or reverse shells but instead used internal .NET methods to read the SharePoint server's MachineKey configuration.

The remote code execution made possible by the exploit targets the way SharePoint translates data structures and object states into formats that can be stored or transmitted and then reconstructed later. This process, known as serialization (and its reverse, deserialization), is what attackers abuse: by manipulating the parsing logic they inject objects into pages. This vulnerability had been fixed in 2021, and exploitation was further limited by the requirement to generate a valid signature, which requires access to the server's secret ValidationKey.

With the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers can extract the ValidationKey directly from memory or configuration. This leaked cryptographic material allows the attacker to craft fully valid, signed __VIEWSTATE payloads using a tool called ysoserial. Because they carry a valid signature, these payloads, which embed malicious commands, are accepted by the server as trusted input, completing the RCE chain without requiring credentials.

Because the attackers can steal SharePoint ASP.NET machine keys, they can also stage hacks of additional infrastructure at a later time. This means that patching alone provides no assurance that attackers have been driven out of a compromised system. Instead, affected organizations must also rotate SharePoint ASP.NET machine keys and restart the IIS web server running on top.
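To make the key-rotation point concrete, here is an added illustrative Python model (not code from the article, nor from Microsoft or SharePoint) of how a server-side signed state token such as __VIEWSTATE is validated: the server checks a MAC over the serialized state using its validation key, so anyone holding that key can mint tokens the server trusts, and the only way to invalidate tokens minted under a leaked key is to rotate it. The demo key, the JSON serialization and the HMAC-SHA256 layout are constructed assumptions for this demo; the real ASP.NET ViewState encoding differs.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for a SharePoint/ASP.NET MachineKey ValidationKey.
# In a real deployment the key lives in web.config; this one exists only
# so the demo can show what happens when the key is known and then rotated.
OLD_VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(validation_key: bytes, state: dict) -> str:
    """Serialize the page state and append an HMAC-SHA256 over it."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def verify_state(validation_key: bytes, token: str) -> Optional[dict]:
    """Deserialize the state only if the MAC validates under this key.

    Nothing about the body is inspected before the MAC check: the key is the
    entire trust boundary, which is why a leaked key defeats a patched parser.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def rotate_validation_key() -> bytes:
    """Generate a fresh random key; every token signed with the old key dies."""
    return secrets.token_bytes(64)


def rotation_invalidates_old_tokens() -> dict:
    """Show that a token minted under the old key is rejected after rotation."""
    token = sign_state(OLD_VALIDATION_KEY, {"page": "home", "user": "alice"})
    before = verify_state(OLD_VALIDATION_KEY, token)
    new_key = rotate_validation_key()
    after = verify_state(new_key, token)
    fresh = verify_state(new_key, sign_state(new_key, {"page": "home"}))
    return {
        "accepted_before_rotation": before is not None,
        "accepted_after_rotation": after is not None,
        "fresh_token_accepted": fresh is not None,
    }


def tampered_token_rejected() -> bool:
    """Flipping one bit of the body without the key breaks the MAC."""
    token = sign_state(OLD_VALIDATION_KEY, {"page": "home"})
    raw = base64.b64decode(token)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    flipped = bytes([body[0] ^ 0x01]) + body[1:]
    forged = base64.b64encode(flipped + mac).decode()
    return verify_state(OLD_VALIDATION_KEY, forged) is None


if __name__ == "__main__":
    print(rotation_invalidates_old_tokens())
    print("tampered token rejected:", tampered_token_rejected())
```

The takeaway for responders is the asymmetry the model exposes: a signature check rejects tampering by anyone without the key, but says nothing about tokens produced by someone who has it. Patching the deserialization bug narrows what a trusted token can do; only rotating the key (and restarting IIS so the new key is loaded) retires the trust the leaked key still carries.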

According to reports, at least two federal agencies have found that servers inside their networks were breached in the ongoing attacks. The US Cybersecurity and Infrastructure Security Agency has also confirmed the attacks and provided its own list of security measures to mitigate this vulnerability.

In conclusion, the exploited vulnerability in Microsoft SharePoint Server is a critical reminder of the importance of regular software updates and proper network security measures. As attackers continue to exploit this vulnerability, organizations must take immediate action to patch their systems, rotate machine keys, and implement additional security measures to prevent future breaches.

Related Information:
  • https://www.digitaleventhorizon.com/articles/Unveiling-the-Devastating-Consequences-of-Exploited-Vulnerability-in-Microsoft-SharePoint-Server-deh.shtml

  • https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/


  • Published: Mon Jul 21 19:54:48 2025 by llama3.2 3B Q4_K_M
