
Latest news with #CVE-2025-53770

Critical Microsoft SharePoint Zero-Day Under Active Exploitation: Google Threat Experts Warn Immediate Action Required
Scoop, 15 hours ago

A newly discovered Microsoft SharePoint vulnerability - designated CVE-2025-53770 - is being actively exploited in the wild, with Google's Threat Intelligence Group warning that attackers are using the flaw to implant webshells and steal sensitive cryptographic secrets from compromised servers. Unlike typical vulnerabilities addressed via a routine patch, this zero-day poses a more complex challenge.

Organisations running on-premises SharePoint instances exposed to the internet are at immediate risk, according to Charles Carmakal, CTO of Mandiant Consulting (Google Cloud). In guidance shared via LinkedIn, Carmakal stressed that applying mitigations immediately is critical, and that organizations should assume potential compromise has already occurred.

"This isn't an 'apply the patch and you're done' situation," Carmakal advised. He emphasised a multi-step response: implement available mitigations now, patch as soon as Microsoft releases an update, investigate for signs of compromise, and remediate accordingly.

Microsoft has yet to release an official patch but is expected to issue an emergency out-of-cycle update in response to the active exploitation. Notably, Microsoft 365's SharePoint Online is not impacted.

The Google Threat Intelligence team has identified ongoing attacks where cybercriminals gain persistent, unauthenticated access, enabling long-term intrusion capabilities on victim networks. Organizations are urged to move quickly to mitigate potential damage.

The situation highlights the increasing importance of real-time intelligence sharing between cloud providers and software vendors, as attackers increasingly target widely deployed enterprise platforms with zero-day exploits.

Microsoft, CISA warn of cyberattacks targeting on-premises SharePoint servers
Yahoo, 19 hours ago

This story was originally published on Cybersecurity Dive.

Microsoft on Saturday warned that hackers are exploiting a critical vulnerability in SharePoint, dubbed ToolShell, to launch attacks against on-premises customers. The vulnerability, tracked as CVE-2025-53770, involves deserialization of untrusted data and is a variant of CVE-2025-49706.

The Cybersecurity and Infrastructure Security Agency (CISA) on Sunday said the vulnerability can allow a malicious adversary to gain full access to SharePoint content, including file systems and internal configurations.

"CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action," Chris Butera, acting executive assistant director for cybersecurity, said in a statement. "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations."

The agency urged all organizations with on-premise Microsoft SharePoint servers to rapidly implement mitigations. Microsoft on Sunday released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771, and urged customers to immediately apply the patches.

Hackers have already breached dozens of vulnerable systems in at least two attack waves, according to researchers at Eye Security, which first disclosed the flaw on Saturday and said they had scanned more than 8,000 SharePoint servers worldwide. Researchers from watchTowr said exploitation may have begun as early as July 16.

The attacks have compromised at least two federal agencies in the U.S., as well as multiple European government agencies and a U.S. energy company, The Washington Post reported.

The Multi-State Information Sharing and Analysis Center has already notified more than 150 actively targeted state and local government agencies, a spokesperson told Cybersecurity Dive. It said it had detected more than 1,100 vulnerable servers, including some belonging to K-12 school districts and universities.

Google's Threat Intelligence Group has observed hackers installing Web shells and stealing cryptographic secrets from targeted servers, an executive said on LinkedIn. Shadowserver on Sunday said it was tracking 9,300 exposed IPs and was working with watchTowr and Eye Security to notify affected customers.

Earlier this month, researchers at Code White GmbH demonstrated ToolShell using a combination of CVE-2025-49706 and CVE-2025-49704.

Microsoft releases emergency security updates to fix SharePoint zero-day flaws — everything you need to know
Tom's Guide, a day ago

Microsoft has released two emergency patches to address zero-day vulnerabilities that have been found in SharePoint RCE. Actively exploited in attacks, the two flaws (tracked as CVE-2025-53770 and CVE-2025-53771) are both "ToolShell" attacks that compromise services and that build on flaws that were fixed as part of July's Patch Tuesday updates.

As reported by Bleeping Computer, the new flaws were exploited by researchers back in May at a Berlin hacking contest. They did so by using a vulnerability chain that enabled the researchers to achieve remote code execution in Microsoft SharePoint. Threat actors were then able to use zero-day flaws that built on the patches from previous issues and have been conducting ToolShell attacks on SharePoint servers that have directly affected over 50 organizations.

The emergency patches that Microsoft has pushed out have fixed both flaws in Microsoft SharePoint Subscription Edition and SharePoint 2019, but there is currently no fix available for SharePoint 2016.

Administrators should install the available updates immediately, then rotate the machine keys, and consider analyzing the logs and file system for the presence of malicious files or any evidence of exploitation.

Microsoft's SharePoint is being hacked by cyberattackers, FBI and CSE warn
Global News, a day ago

Canada's cybersecurity agency is issuing an alert over attacks it says are impacting Microsoft SharePoint servers, with a warning for organizations to act now to protect their information.

Microsoft issued an alert on Saturday that said the server software being targeted is used by government agencies and businesses to share documents within their organizations. The company advised that security updates should be applied immediately.

The Cyber Centre is also urging companies to take various actions to reduce risks, including checking for a specific file in their servers.

"The Cyber Centre is aware of exploitation happening in Canada," the Canadian Centre for Cyber Security wrote in a vulnerability alert. "CVE-2025-53770 involves a deserialization of untrusted data in on-premises Microsoft SharePoint Servers allowing an unauthorised attacker to execute code over a network."

Those who use SharePoint Online in Microsoft 365, which is in the cloud, have not been impacted.

Global News has reached out to the federal government and Communications Security Establishment Canada to inquire if any departments have been impacted.

The FBI said on Sunday that it was aware of the attacks and is working closely with federal and private-sector partners, but offered no other details.

The Washington Post, which first reported the hacks, said unidentified actors in the past few days had exploited a flaw to launch an attack that targeted U.S. and international agencies and businesses.

In the alert, Microsoft said a vulnerability "allows an authorized attacker to perform spoofing over a network." It issued recommendations to stop the attackers from exploiting it.

— with files from Reuters

Microsoft Issues Emergency Update As Global Server Hacks Confirmed
Forbes, a day ago

Microsoft SharePoint Server emergency security update now available.

Every security team's nightmare came true over the weekend: a global zero-day Microsoft server exploit without a patch. What's more, one that enables the attackers to execute code remotely, bypass identity protections such as multi-factor authentication and access system files before moving across the Windows domain. The servers in question are on-premises Microsoft SharePoint Server installations, and the critical exploit is detailed as CVE-2025-53770. Late on Sunday July 20, Microsoft issued an emergency security update, but this alone is not, security researchers have warned, enough to fully stop the threat itself. Here's what you need to know and do, right now.

Microsoft Confirms Global SharePoint Server Hack Attack — Issues Emergency Security Update

CVE-2025-53770 is a newly discovered, critical, SharePoint Server zero-day exploit that is impacting Microsoft customers on a global scale, according to the Eye Research team behind the disclosure. The immediate impact of the exploit has been felt by those deploying on-premises SharePoint Server installations, rather than SharePoint Online in Microsoft 365. Reports suggest that government users, hospitals and educational facilities, along with large enterprises, are most at risk.

As I reported July 20, the ToolShell critical vulnerability, being exploited on a truly massive and ongoing scale, enables hackers to gain access to, and control of, on-premises SharePoint servers without authentication. As SharePoint is often connected to core services such as Microsoft Outlook, Teams, and OneDrive, the attacks can lead directly to password harvesting and data theft.

Microsoft verified the critical exploit and ongoing attacks in a July 20 posting, and has now updated this to confirm that an emergency security patch has been made available. "Customers should apply these updates immediately to ensure they're protected," Microsoft said.

Unfortunately, just applying the security update is unlikely to "fully evict" the threat itself, as the Eye Research team warned that the theft of cryptographic keys means that the hackers can continue to impersonate users and services "even after the server is patched." Microsoft has now confirmed that following deployment of the emergency security update, "it is critical that customers rotate SharePoint server machine keys and restart IIS on all SharePoint servers."
