Patch ToolShell SharePoint zero-day immediately, says Microsoft | Computer Weekly

By Computer Weekly
July 21, 2025
Organisations running on-premise instances of Microsoft’s SharePoint collaboration and document management platform should update without delay after multiple reports of an as-yet unidentified party exploiting two newly-uncovered vulnerabilities emerged.

Dubbed ToolShell, the related vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow for remote code execution (RCE) and server spoofing in SharePoint. They appear to have arisen as variants of an unauthenticated RCE exploit chain in SharePoint that was first demonstrated in May at a Pwn2Own event in Berlin.

The core RCE vulnerability, CVE-2025-53770, works by enabling the attacker to steal cryptographic keys from vulnerable SharePoint servers, which can then be used to create specially crafted requests in order to achieve RCE.

“All signs point to widespread, mass exploitation – with compromised government, technology, and enterprise systems observed globally,” watchTowr CEO Benjamin Harris told Computer Weekly via email.

“Attackers are deploying persistent backdoors, and notably, are taking a more sophisticated route than usual: the backdoor retrieves SharePoint’s internal cryptographic keys – specifically the MachineKey used to secure the __VIEWSTATE parameter.

Harris explained: “__VIEWSTATE is a core mechanism in ASP.NET that stores state information between requests. It is cryptographically signed and optionally encrypted using the ValidationKey and DecryptionKey. With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid – enabling seamless remote code execution.”

Over the weekend, Microsoft worked alongside the US authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), and other partners across the globe, and urged customers to update SharePoint.

CVE-2025-53770 has also now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue, obliging US government bodies to fix it.

Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks, said he was tracking a “high-impact, ongoing threat campaign” against SharePoint servers.

“While cloud environments remain unaffected, on-prem SharePoint deployments – particularly within government, schools, healthcare including hospitals, and large enterprise companies – are at immediate risk,” he said.

“We are currently working closely with [the] Microsoft Security Response Center [MSRC] to ensure that our customers have the latest information and we are actively notifying affected customers and other organisations.”

How the investigation unfolded

ToolShell was first discovered in the wild by the research team at Eye Security, after receiving a CrowdStrike Falcon Endpoint Detection and Response (EDR) alert from an under-attack customer on Friday 18 July.

This alert appeared to flag a brute-force or credential stuffing attack through which the threat actor involved was authenticating to the target system in order to conduct a deeper cyber attack.

However, this proved to be a red herring: on digging deeper, the Eye team found that the attacker was conducting their attacks without authenticating at all.

“That’s when we realised we were no longer dealing with a simple credential-based intrusion,” the Eye team wrote. “This wasn’t a brute force or phishing scenario. This was zero-day territory.”

Prior to disclosure, Eye said it scanned over 8,000 SharePoint servers around the world and found dozens of systems had been compromised already in two waves of attacks, the first on 18 July, and the second on 19 July.

Not a theoretical risk

The Eye team said the risk from ToolShell was not a theoretical one, giving attackers the ability to conduct RCE having bypassed identity protections, and enabling them to access SharePoint content, system files and configurations, and conduct lateral movement.

Far more concerning is that patching alone will not mitigate the risk. Because the attack chain begins with the theft of SharePoint’s cryptographic keys, a threat actor who already holds those secrets can keep using them even after the patch has been properly applied, unless the keys are rotated right away.

“A typical patch will not automatically rotate these stolen cryptographic secrets, leaving organisations vulnerable even after they patch. In this case, Microsoft will likely need to recommend additional steps to remediate the vulnerability and any compromise post-response,” said watchTowr’s Harris.

“If an affected SharePoint instance is exposed to the internet, it should be treated as compromised until proven otherwise.”
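To make the remediation point concrete, here is an added example (not code from the article, Microsoft or any of the quoted firms) that models the __VIEWSTATE MAC check Harris describes and then walks through the leak, patch and rotation sequence. It assumes HMAC-SHA256 under a random 64-byte key as a stand-in for the MachineKey ValidationKey; the real ASP.NET serialisation and MAC format differ, and the token contents are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ViewStateGuard:
    """Toy stand-in for the ASP.NET __VIEWSTATE MAC check (assumption: HMAC-SHA256
    under a random 64-byte key models the MachineKey ValidationKey; real ASP.NET differs)."""
    validation_key: bytes = field(default_factory=lambda: secrets.token_bytes(64))

    def protect(self, state: bytes) -> str:
        """Sign the state and return the base64 token a page would embed."""
        mac = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return base64.b64encode(state + mac).decode()

    def validate(self, token: str) -> Optional[bytes]:
        """Return the state if its MAC verifies under the current key, else None."""
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            return None
        if len(raw) < 32:
            return None
        state, mac = raw[:-32], raw[-32:]
        expected = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return state if hmac.compare_digest(mac, expected) else None

    def rotate_key(self) -> None:
        """Replace the ValidationKey; tokens signed under the old key stop verifying."""
        self.validation_key = secrets.token_bytes(64)


def rotation_outcome() -> dict:
    """Scenario: key leaked, server patched without rotating, then key rotated."""
    server = ViewStateGuard()
    leaked_key = server.validation_key  # constructed: what the backdoor exfiltrated
    # A token built by whoever holds the leaked key is indistinguishable from a real one.
    forged = ViewStateGuard(leaked_key).protect(b"state-chosen-by-key-holder")
    tampered = base64.b64encode(b"no-key-garbage" + bytes(32)).decode()
    before = {"forged": server.validate(forged) is not None,
              "tampered": server.validate(tampered) is not None}
    server.rotate_key()  # the step the patch itself does not perform
    after = {"forged": server.validate(forged) is not None}
    return {"before_rotation": before, "after_rotation": after}
```

The MAC check behaves identically before and after the code fix; only the key rotation turns the already-signed token into garbage, which is why Eye and watchTowr treat rotation as part of the remediation rather than an optional extra.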

Legacy trust models

Rik Ferguson, vice president of security intelligence at Forescout, said that ToolShell was a perfect case study in what happens when legacy trust models bump up against a modern-day threat actor.

“An authenticated user should never be treated as a guaranteed safe entity, but this vulnerability effectively grants code execution without requiring elevated privileges. For CISOs, this highlights a critical point. If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess,” he said.

“Zero-trust is not a buzzword. It is a necessity. Security must begin from the premise that every user and every device is untrusted until verified continuously. You need segmentation that limits lateral movement and monitoring that can flag even subtle deviations from expected behaviour.

“Attackers are not just getting in. They are already inside. The question is how far they can go once they are there,” said Ferguson.
