Latest news with #EyeResearch
Forbes
21-07-2025
- Forbes
Microsoft Issues Emergency Update As Global Server Hacks Confirmed
Microsoft SharePoint Server emergency security update now available. Every security team's nightmare came true over the weekend: a global zero-day Microsoft server exploit without a patch. What's more, one that enables the attackers to execute code remotely, bypass identity protections such as multi-factor authentication and access system files before moving across the Windows domain. The servers in question are on-premises Microsoft SharePoint Server installations, and the critical exploit detailed as CVE-2025-53770. Late on Sunday July 20, Microsoft issued an emergency security update, but this alone is not, security researchers have warned, enough to fully stop the threat itself. Here's what you need to know and do, right now. Microsoft Confirms Global SharePoint Server Hack Attack — Issues Emergency Security Update CVE-2025-53770 is a newly discovered, critical, SharePoint Server zero-day exploit that is impacting Microsoft customers on a global scale, according to the Eye Research team behind the disclosure. The immediate impact of the exploit has been felt by those deploying on-premises, rather than SharePoint Online in Microsoft 365, SharePoint Server installations. Reports suggest that government users, hospitals and educational facilities, along with large enterprises, are most at risk. As I reported July 20, the ToolShell critical vulnerability, being exploited on a truly massive and ongoing scale, enables hackers to gain access to, and control of, on-premises SharePoint servers without authentication. As SharePoint is often connected to core services such as Microsoft Outlook, Teams, and OneDrive, the attacks can lead directly to password harvesting and data theft. Microsoft verified the critical exploit and ongoing attacks in a July 20 posting, and has now updated this to confirm that an emergency security patch has been made available. 'Customers should apply these updates immediately to ensure they're protected,' Microsoft said. Unfortunately, just applying the security update is unlikely to 'fully evict' the threat itself, as the Eye Research team warned that the theft of cryptographic keys means that the hackers can continue to impersonate users and services 'even after the server is patched.' Microsoft has now confirmed that following deployment of the emergency security update, 'it is critical that customers rotate SharePoint server machine keys and restart IIS on all SharePoint servers'
Forbes
20-07-2025
- Forbes
Microsoft Confirms Ongoing Mass SharePoint Attack — No Patch Available
Microsoft SharePoint is under attack. Microsoft users are, once again, under attack. This time, the threat is not restricted to Outlook users, or involves a Windows browser-based security bypass, and unlike the recent Windows authentication relay attack vulnerability, there is no patch, no magic update, to remedy this one. Which is bad news for Microsoft SharePoint Server users, as CVE-2025-53770 is currently under confirmed 'mass attack' and on-premises servers across the world are being compromised. Here's what you need to know and do. Microsoft Confirms CVE-2025-53770 SharePoint Server Attacks It's been quite the few weeks for security warnings, what with Amazon informing 220 million customers of Prime account attacks, and claims of a mass hack of Ring doorbells going viral. The first of those can be mitigated by basic security hygiene, and the latter appears to be a false alarm. The same cannot be said for CVE-2025-53770, a newly uncovered and confirmed attack against users of SharePoint Server which is currently undergoing mass exploitation on a global level, according to the Eye Research experts who discovered it. Microsoft, meanwhile, has admitted that not only is it 'aware of active attacks' but, worryingly, 'a patch is currently not available for this vulnerability.' CVE-2025-53770, which is also being called ToolShell, is a critical vulnerability in on-premises SharePoint. The end result of which is the ability for attackers to gain access and control of said servers without authentication. If that sounds bad, it's because it is. Very bad indeed. 'The risk is not theoretical,' the researchers warned, 'attackers can execute code remotely, bypassing identity protections such as MFA or SSO.' Once they have, they can then 'access all SharePoint content, system files, and configurations and move laterally across the Windows Domain.' And then there's the theft of cryptographic keys. That can enable an attacker to 'impersonate users or services,' according to the report, 'even after the server is patched.' So, even when a patch is eventually released, and I would expect an emergency update to arrive fairly quickly for this one, the problem isn't solved. You will, it was explained, 'need to rotate the secrets allowing all future tokens that can be created by the malicious actor to become invalid.' And, of course, as SharePoint will often connect to other core services, including the likes of Outlook and Teams, oh and not forgetting OneDrive, the threat, if exploited, can and will lead to 'data theft, password harvesting, and lateral movement across the network,' the researchers warned. Mitigating The Microsoft SharePoint Server Attacks While the Microsoft Security Response Center has stated that it is 'actively working to release a security update,' and will 'provide additional details as they are available,' there is no patch at the time of writing. In the meantime, it advised that customers should apply the following mitigations:' Configure Antimalware Scan Interface integration in SharePoint and deploy Defender AV on all SharePoint servers. 'If you cannot enable AMSI,' Microsoft said, 'we recommend you consider disconnecting your server from the internet until a security update is available.' I have approached Microsoft for a statement and will update this story with any further developments.
