Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access - The Hacker News
Ravie Lakshmanan, Jul 22, 2025. Vulnerability / Threat Intelligence

The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research.

The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.

Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428).

"We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk," Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, told The Hacker News. "Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7. We strongly urge enterprises to update their security systems immediately – this campaign is both sophisticated and fast-moving."

The attack chains have been observed leveraging CVE-2025-53770, a newly patched remote code execution flaw in SharePoint Server, and chaining it with CVE-2025-49706, a spoofing vulnerability that was patched by Microsoft as part of its July 2025 Patch Tuesday update, to gain initial access and escalate privileges.
It's worth mentioning at this stage that there are two sets of vulnerabilities in SharePoint that have come to light this month:

- CVE-2025-49704 (CVSS score: 8.8) - Microsoft SharePoint Remote Code Execution Vulnerability (Fixed on July 8, 2025)
- CVE-2025-49706 (CVSS score: 6.5) - Microsoft SharePoint Server Spoofing Vulnerability (Fixed on July 8, 2025)
- CVE-2025-53770 (CVSS score: 9.8) - Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2025-53771 (CVSS score: 6.5) - Microsoft SharePoint Server Spoofing Vulnerability

CVE-2025-49704 and CVE-2025-49706, collectively referred to as ToolShell, form an exploitation chain that can lead to remote code execution on SharePoint Server instances. They were originally disclosed by Viettel Cyber Security during the Pwn2Own 2025 hacking competition earlier this May.

CVE-2025-53770 and CVE-2025-53771, which became public knowledge over the weekend, have been described as variants of CVE-2025-49704 and CVE-2025-49706, respectively, indicating that they are bypasses for the original fixes put in place by Microsoft earlier this month. This is evidenced by the fact that Microsoft acknowledged active attacks exploiting "vulnerabilities partially addressed by the July Security Update." The company also noted in its advisories that the updates for CVE-2025-53770 and CVE-2025-53771 include "more robust protections" than the updates for CVE-2025-49704 and CVE-2025-49706. However, it bears noting that CVE-2025-53771 has not been flagged by Redmond as actively exploited in the wild.

"CVE-2025-53770 exploits a weakness in how Microsoft SharePoint Server handles the deserialization of untrusted data," Martin Zugec, technical solutions director at Bitdefender, said. "Attackers are leveraging this flaw to gain unauthenticated remote code execution." This, in turn, is achieved by deploying malicious ASP.NET web shells that programmatically extract sensitive cryptographic keys.
These stolen keys are subsequently leveraged to craft and sign malicious __VIEWSTATE payloads, thereby establishing persistent access and enabling the execution of arbitrary commands on SharePoint Server. According to Bitdefender telemetry, in-the-wild exploitation has been detected in the United States, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland, and the Netherlands, suggesting widespread abuse of the flaw.

Palo Alto Networks Unit 42, in its own analysis of the campaign, said it observed commands being run to execute a Base64-encoded PowerShell command, which creates a file at the location "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx" and then parses its content.

"The spinstall0.aspx file is a web shell that can execute various functions to retrieve ValidationKeys, DecryptionKeys, and the CompatabilityMode of the server, which are needed to forge ViewState Encryption keys," Unit 42 said in a threat brief.

[Figure: Content of spinstall0.aspx]

In an advisory issued Monday, SentinelOne said it first detected exploitation on July 17, with the cybersecurity company identifying three "distinct attack clusters," including state-aligned threat actors, engaging in reconnaissance and early-stage exploitation activities. Targets of the campaigns include technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations.

"The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access," researchers Simon Kenin, Jim Walter, and Tom Hegel said.

Analysis of the attack activity has revealed the use of a password-protected ASPX web shell ("xxx.aspx") on July 18, 2025, at 9:58 a.m. GMT. The web shell supports three functions: authentication via an embedded form, command execution via cmd.exe, and file upload.
Subsequent exploitation efforts have been found to employ the "spinstall0.aspx" web shell to extract and expose sensitive cryptographic material from the host. Spinstall0.aspx is "not a traditional command web shell but rather a reconnaissance and persistence utility," the researchers explained. "This code extracts and prints the host's MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings -- information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens."

Unlike other web shells that are typically dropped on internet-exposed servers to facilitate remote access, spinstall0.aspx appears to be designed with the sole intention of gathering cryptographic secrets that could then be used to forge authentication or session tokens across SharePoint instances.

These attacks, per CrowdStrike, commence with a specially crafted HTTP POST request to an accessible SharePoint server via the "/_layouts/15/ToolPane.aspx" endpoint that attempts to write spinstall0.aspx via PowerShell. The company said it blocked hundreds of exploitation attempts across more than 160 customer environments.

SentinelOne also discovered a cluster dubbed "no shell" that took a "more advanced and stealthy approach" than other threat actors by opting for in-memory .NET module execution without dropping any payloads on disk. The activity originated from the IP address 96.9.125[.]147.

"This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques," the company said, positing that it's either a "skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting."

It's currently not known who is behind the attack activity, although Google-owned Mandiant has attributed the early exploitation to a China-aligned hacking group.
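As an added example (not code from the article or from any vendor it cites), the following Python scanner walks constructed IIS W3C log lines and flags the request shapes the article describes: a POST to /_layouts/15/ToolPane.aspx, any request for the spinstall0.aspx or xxx.aspx web shell paths, and traffic from the three source addresses Check Point reported. The field layout and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Indicators taken from the article: the ToolPane.aspx endpoint used in the
# initial POST, the two web shell file names, and the three source IPs Check
# Point reported (defanged in the article; written plainly here for matching).
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/(spinstall0|xxx)\.aspx$", re.I)
REPORTED_IPS = {"104.238.159.149", "107.191.58.76", "96.9.125.147"}

# Assumed W3C field order for this example; real logs declare it in #Fields.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def parse_line(line):
    """Split one W3C log line into a dict, skipping directives and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Return the alert reasons that apply to one parsed record (empty if none)."""
    reasons = []
    stem = unquote(rec["cs-uri-stem"])
    if rec["cs-method"].upper() == "POST" and TOOLPANE_RE.search(stem):
        reasons.append("POST to ToolPane.aspx (initial request shape reported by CrowdStrike)")
    if WEBSHELL_RE.search(stem):
        reasons.append("request for a web shell path named in the campaign")
    if rec["c-ip"] in REPORTED_IPS:
        reasons.append("source IP reported by Check Point")
    return reasons

def scan(log_text):
    """Return (client IP, method, URI stem, reasons) for every line that alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], reasons))
    return alerts

# Constructed sample log (not from the article or any real server). The last
# line is a plain GET of ToolPane.aspx from an unrelated address and must not alert.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-18 09:55:01 203.0.113.10 GET /sites/hr/default.aspx - 200
2025-07-18 09:57:42 107.191.58.76 POST /_layouts/15/ToolPane.aspx - 200
2025-07-18 09:58:13 107.191.58.76 GET /_layouts/15/spinstall0.aspx - 200
2025-07-18 10:01:00 198.51.100.7 GET /_layouts/15/ToolPane.aspx - 200
"""

if __name__ == "__main__":
    for ip, method, stem, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {stem}: {'; '.join(reasons)}")
```

A hit on the ToolPane.aspx POST or the web shell path is the cue to treat the host's MachineKey material as exposed, which is why the article's advice pairs patching with key rotation rather than patching alone.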
Data from Censys shows that there are 9,762 on-premises SharePoint servers online, although it's currently not known if all of them are susceptible to the flaws. Given that SharePoint servers are a lucrative target for threat actors due to the nature of sensitive organizational data stored in them, it's essential that users move quickly to apply the fixes, rotate the keys, and restart the instances.

"We assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor," Charles Carmakal, CTO, Mandiant Consulting at Google Cloud, said in a post on LinkedIn. "We're aware of victims in several sectors and global geographies. The activity primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied."

(The story was updated after publication on July 23, 2025, to reflect the change in CVSS scores.)