Search here...
Subscribe
Cybersecurity

Critical Sharepoint 0-Day Vulnerablity Exploited CVE-2025-53770 (ToolShell)

By: jfsjg

Date:

Share post:

Microsoft announced yesterday that a newly discovered critical remote code execution vulnerability in SharePoint is being exploited. There is no patch available. As a workaround, Microsoft suggests using Microsoft Defender to detect any attacks. To use Defender, you must first configure the AMSI integration to give Defender visibility into SharePoint. Recent versions of SharePoint have the AMSI integration enabled by default.

Microsoft also states: “If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available.”

Defender will just detect the post-exploit activity. Currently, webshells are observed as a payload being deployed, taking advantage of the vulnerability.

The best write-up and details I found so far come from the Eye Security research team. They initially used CVE-2025-49704 and CVE-2025-49706 to identify the vulnerability. Later, Microsoft confirmed that this is a new issue and started using CVE-2025-53700. This latest issue appears to be a variation of the older vulnerabilities patched in this month’s Patch Tuesday.

The vulnerability exploits an authentication bypass issue triggered by setting the “Referer” header to “/_layouts/SignOut.aspx”. This vulnerability is then exploited to trigger remote code execution via “/_layouts/15/ToolPane.aspx”. 

In our honeypot data, we observed two instances of the “ToolPane.aspx” URL, first on July 16th (on individual hit, I am waiting to hear from the submitter to see if there are details available). Today, we received additional reports, but they originated from p55001.probes.atlas.ripe.net:9000 and are likely related to scanning for research purposes. These hits did not include the Referer header to trigger the vulnerabiliy.

The hit on July 16th originated from 172.174.82.132. This IP address appears to be owned by Microsoft.

Microsoft Advisory:

https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Eye Security Blog:

https://research.eye.security/sharepoint-under-siege/

 



Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Twitter|

Source link

Previous article
Ryzen Z2 Extreme: first glimpse of performance
Next article
Predator: Badlands is the start of the Alien vs. Predator reboot we need
jfsjg
jfsjghttps://nixusy.com
spot_img

Related articles

Cybersecurity

September Patch Tuesday handles 81 CVEs – Sophos News

.Microsoft on Tuesday announced 81 patches affecting 15 product families. Nine of the addressed issues are considered by...
Hardware Releases

Follow This Advice Before Switching to a New iPhone 17

Are you considering getting one of the new iPhone 17 models? While it’s always tempting to unbox a...
Tech Trends & Innovations

Just Look How Bloody Gross Universal’s ‘Terrifier’ Haunted House Is

Damien Leone, the writer and director of the Terrifier film...
Gaming & Graphics

Turtle Beach Unveils New Range Of Officially Licensed Switch 2 Accessories – Controllers, Cases And More

If you're still on the hunt for certain Switch 2 accessories and are looking for alternatives to Nintendo's...

Follow us

Stay informed with NIXusy, your go-to news portal for the latest updates in Business & Economy, Cars, Food, Music, Science, and current events.

Company

Contact Us

(844) 377-7292
support@nixusy.com
929 Malibu Dr, Garland, TX, 75043

Popular news

© 2025 nixusy.com. All Rights Reserved.