
According to findings from Check Point Research, the recently disclosed Microsoft SharePoint vulnerability was already being exploited as early as July 7, 2025.
The cybersecurity company said the activity intensified on July 18 and 19 across the government, communications and software sectors in North America and Western Europe, and that the first exploitation attempts were observed targeting unnamed major Western governments.
Check Point also said the exploitation efforts stem from three different IP addresses (104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147), one of which was previously linked to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428).
“We are witnessing an urgent and aggressive threat. Important zero-days in SharePoint on-prem are being exploited in the wild, putting thousands of global organizations at risk,” Lotem Finkelstein, director of threat intelligence at Check Point Research, told The Hacker News.
“Our team has confirmed dozens of compromise attempts across the government, communications and technology sectors since July 7th. We urge businesses to update their security systems immediately. The campaign is sophisticated and moves quickly.”
The attack chain has been observed combining CVE-2025-53770, a newly patched remote code execution flaw in SharePoint Server, with CVE-2025-49706.

At this stage, it is worth noting that two sets of SharePoint vulnerabilities have been disclosed this month:
CVE-2025-49704 (CVSS score: 8.8) – Microsoft SharePoint Remote Code Execution Vulnerability (fixed July 8, 2025)
CVE-2025-49706 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability (fixed July 8, 2025)
CVE-2025-53770 – Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-53771 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability
CVE-2025-49704 and CVE-2025-49706 are collectively called ToolShell, an exploitation chain that leads to remote code execution on SharePoint Server instances. They were originally demonstrated by Viettel Cyber Security at the Pwn2Own hacking competition in early May of this year.
CVE-2025-53770 and CVE-2025-53771, disclosed over the weekend, are described as variants of CVE-2025-49704 and CVE-2025-49706, respectively, indicating that they are bypasses of the original fixes Microsoft shipped earlier this month.
This is evidenced by the fact that Microsoft has acknowledged active attacks that take advantage of “vulnerabilities that were partially addressed in the July security update.” The company also said the updates for CVE-2025-53770 and CVE-2025-53771 include “more robust protections” than the updates for CVE-2025-49704 and CVE-2025-49706. That said, CVE-2025-53771 has not been flagged by Redmond as being actively exploited in the wild.
“CVE-2025-53770 takes advantage of a weakness in how Microsoft SharePoint Server handles deserialization of untrusted data. Attackers are leveraging this flaw to gain unauthenticated remote code execution.”

This is achieved by deploying a malicious ASP.NET web shell that programmatically extracts sensitive cryptographic keys. These stolen keys are then used to craft and sign malicious __ViewState payloads, thereby establishing persistent access and allowing the execution of arbitrary commands on the SharePoint server.
According to Bitdefender telemetry, in-the-wild exploitation has been detected in the United States, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland and the Netherlands, suggesting widespread abuse of the flaws.
Palo Alto Networks Unit 42 said in its own analysis of the campaign that attackers have been observed running Base64-encoded PowerShell commands.
“The spinstall0.aspx file is a web shell that allows you to run various functions to get the ValidationKey, DecryptionKey, and server compatibility mode, which is required to build the ViewState encryption key.”
Contents of spinstall0.aspx
In an advisory issued Monday, SentinelOne said it first detected exploitation on July 17, with the cybersecurity company identifying three “clear attack clusters,” including state-aligned threat actors.
Targets of the campaign include technology consulting, manufacturing, critical infrastructure, and professional services organizations involved in sensitive architecture and engineering work.
“The initial targets suggest that the activity was initially carefully selective and targeted organizations with strategic value or rise,” said researchers Simon Kenin, Jim Walter, and Tom Hegel.
An analysis of the attack activity revealed the use of a password-protected ASPX web shell (“xxx.aspx”) at 9:58 a.m. GMT on July 18, 2025. The web shell supports three functions: authentication via a built-in form, command execution via CMD.EXE, and file upload.
Subsequent exploitation efforts are known to use the “Spinstall0.aspx” web shell to extract and expose sensitive cryptographic material from the host.
Spinstall0.aspx “is not a traditional command web shell; it is a reconnaissance and persistence utility,” the researchers explained. “This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and encryption mode settings. This is important information for attackers trying to maintain persistent access across a load-balanced SharePoint environment.”
Unlike other web shells, which are normally dropped on Internet-exposed servers to facilitate remote access, Spinstall0.aspx appears to be designed with the sole intention of collecting cryptographic secrets that can be used to forge authentication or session tokens across SharePoint instances.

These attacks begin with a specially crafted HTTP POST request to an exposed SharePoint server that attempts to write Spinstall0.aspx via PowerShell, according to CrowdStrike. The company said it blocked hundreds of exploitation attempts across more than 160 customer environments.
SentinelOne also discovered a cluster dubbed “No Shell,” which takes a “more advanced and stealthy approach” by running a .NET module in memory without dropping any payload to disk. The activity originated from IP address 96.9.125[.]147.
“This approach significantly complicates detection and forensic recovery, highlighting the threat posed by post-exploitation techniques,” the company said, adding that it was either “the work of skilled red team emulation exercises or the work of competent threat actors focusing on evasive access and credential harvesting.”
Google-owned Mandiant has attributed early exploitation to a China-nexus hacking group, but it is not yet known whether that group is behind the broader attack activity.
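As an added illustration (not code from the article or from any of the vendors quoted), the following Python script shows how a defender might triage IIS W3C request logs for the indicators this report names: requests for the spinstall0.aspx or xxx.aspx web shell file names, and requests from the three source IP addresses listed above. It also decodes the Base64-of-UTF-16LE argument that PowerShell's -EncodedCommand switch takes, which is how the encoded commands Unit 42 describes would appear in process-creation telemetry. The log lines, URI paths, timestamps and command line are constructed samples, not data from the article.

```python
"""Triage helpers for the SharePoint ToolShell indicators named in the report.
All sample data below is constructed for this example."""
import base64
import re

# Indicators taken from the article (defanged IPs restored to dotted form).
SUSPECT_IPS = {"104.238.159.149", "107.191.58.76", "96.9.125.147"}
WEBSHELL_NAMES = {"spinstall0.aspx", "xxx.aspx"}

# Constructed IIS W3C log: the #Fields header defines the column order.
# The _layouts paths and client IPs other than SUSPECT_IPS are made up.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-18 09:58:12 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 107.191.58.76 Mozilla/5.0 200
2025-07-18 10:02:44 10.0.0.5 GET /sites/hr/default.aspx - 192.0.2.10 Mozilla/5.0 200
2025-07-18 10:05:01 10.0.0.5 POST /_layouts/15/xxx.aspx - 198.51.100.7 python-requests/2.31 200
2025-07-19 01:15:09 10.0.0.5 GET /_layouts/15/start.aspx - 96.9.125.147 curl/8.0 401
"""

# Constructed process command line: -EncodedCommand takes Base64 of UTF-16LE text.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
    "Get-ChildItem C:\\inetpub".encode("utf-16-le")).decode()


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#Fields:")):
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip instead of mis-assigning columns
        records.append(dict(zip(fields, values)))
    return records


def triage_record(rec):
    """Return the names of the report's indicators that match one request record."""
    reasons = []
    filename = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
    if filename in WEBSHELL_NAMES:
        reasons.append("web shell filename")
    if rec.get("c-ip") in SUSPECT_IPS:
        reasons.append("IP listed in report")
    return reasons


def triage_iis_log(text):
    """Return one hit per matching request, in log order, with the matched reasons."""
    hits = []
    for rec in parse_iis_log(text):
        reasons = triage_record(rec)
        if reasons:
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
                         "reasons": reasons})
    return hits


# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Decode the -EncodedCommand argument (Base64 of UTF-16LE); None if absent or invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for hit in triage_iis_log(SAMPLE_IIS_LOG):
        print(hit)
    print("decoded:", decode_encoded_powershell(SAMPLE_CMDLINE))
```

Matching on file name alone is deliberate: the report does not say which directory the shell was written to, and the same name could land under any layouts folder. Treat a hit on a listed IP as a pivot for further review rather than proof of compromise, since shared hosting addresses change hands.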
Censys data shows that there are 9,762 on-premises SharePoint servers exposed online, but it is currently unknown how many of them are vulnerable to the flaws. Given that SharePoint servers are attractive targets for threat actors because of the sensitive organizational data they hold, it is essential that users move quickly to apply the fixes, rotate keys, and restart instances.
“At least one of the actors responsible for the early exploitation is a China-nexus threat actor,” Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said in a LinkedIn post. “We recognize victims from several sectors and global regions. This activity mainly involves theft of machine key material that can be used to access the victim environment after patching has been applied.”
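To make the remediation point concrete (patch, then rotate keys on every node, then restart), here is an added Python model that is not part of the article and does not reproduce the ASP.NET __ViewState format or SharePoint's actual MachineKey handling. It shows the underlying property: server state is protected by an HMAC under a key shared across the farm, so anyone holding a copy of that key can mint state the whole farm accepts, and only rotating the key on all nodes invalidates what was minted earlier. The Farm class, the state field names and the 256-bit key size are assumptions made for the example.

```python
"""Toy model of MAC-protected server state shared across a load-balanced farm.
Constructed example: not the ASP.NET __ViewState format or SharePoint's real keys."""
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def new_machine_key() -> bytes:
    """Fresh random 256-bit signing key (stands in for a MachineKey validation key)."""
    return secrets.token_bytes(32)


def sign_state(key: bytes, state: dict) -> str:
    """Serialize state and append an HMAC-SHA256 tag computed under `key`."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def verify_state(key: bytes, token: str):
    """Return the state dict if the tag verifies under `key`, otherwise None."""
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(blob) <= TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or signed under a different (e.g. rotated) key
    return json.loads(payload)


class Farm:
    """Load-balanced nodes that share one key so state minted on one node roams to the rest."""

    def __init__(self, nodes: int):
        shared = new_machine_key()
        self.keys = [shared] * nodes

    def accepting_nodes(self, token: str):
        """Indices of the nodes that would accept this token."""
        return [i for i, key in enumerate(self.keys) if verify_state(key, token) is not None]

    def rotate(self, nodes=None):
        """Push one new shared key to the given nodes (default: all of them)."""
        fresh = new_machine_key()
        for i in (range(len(self.keys)) if nodes is None else nodes):
            self.keys[i] = fresh


def demo():
    """Walk through: key leaked -> minted state accepted everywhere -> partial rotation
    leaves stragglers -> full rotation rejects everything minted under the old key."""
    farm = Farm(nodes=3)
    leaked_key = farm.keys[0]  # what a key-dumping web shell would hand over
    minted = sign_state(leaked_key, {"user": "svc", "role": "admin"})
    accepted_before = farm.accepting_nodes(minted)   # every node trusts it
    farm.rotate(nodes=[0])                           # rotating only one node is not enough
    accepted_partial = farm.accepting_nodes(minted)  # the un-rotated nodes still trust it
    farm.rotate()                                    # same new key on all nodes
    accepted_after = farm.accepting_nodes(minted)    # nothing minted under the old key survives
    return accepted_before, accepted_partial, accepted_after


if __name__ == "__main__":
    print(demo())
```

The partial-rotation step is the practical caveat: in a farm, a key rotated on one node but not the others leaves the others accepting old material, which is exactly why the guidance is to rotate across every server and restart before trusting any existing state. A legitimately issued token is likewise rejected after rotation, so a post-incident rotation is visible to users as a one-time re-authentication.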