Microsoft: Attackers Actively Compromising On-Prem SharePoint Customers

By James Coker. Published 21 July 2025. Source: http://ft365.org/index.php/2025/07/21/microsoft-attackers-actively-compromising-on-prem-sharepoint-customers/

Microsoft has warned that attackers are actively exploiting SharePoint vulnerabilities in a high-impact, ongoing campaign affecting critical sectors such as government and healthcare.

The campaign puts the critical systems and data of organizations running on-premises SharePoint servers at high risk of compromise.

Threat actors have already been observed installing web shells and exfiltrating cryptographic secrets from victim servers, according to an analysis by Google Threat Intelligence Group.

In an update on July 19, Microsoft urged on-premises SharePoint Server customers to take immediate action to mitigate two vulnerabilities that were only partially addressed in July 2025's Patch Tuesday.

The first is CVE-2025-53770, a critical vulnerability with a CVSS score of 9.8 that allows an unauthorized attacker to execute code over a network. This flaw is also referred to as "ToolShell" by cybersecurity experts.

The other is CVE-2025-53771, rated important with a CVSS score of 6.3, which allows an authorized attacker to perform spoofing over a network.

SharePoint Customers Should Assume Compromise

Organizations with on-premises SharePoint servers exposed to the internet have been told to assume compromise.

Immediate action beyond applying any patches has been advised. This includes rotating cryptographic material and engaging professional incident response.

Additionally, the Windows Antimalware Scan Interface (AMSI) integration in SharePoint should be configured, and affected organizations should deploy Defender AV or another EDR solution.

Customers should also consider disconnecting Microsoft SharePoint from the internet until a patch is available.

Organizations that have already applied a patch should investigate whether their system was compromised before the fix was applied.

The vulnerabilities affect only on-premises SharePoint deployments; SharePoint Online in Microsoft 365 environments is unaffected.

High Severity Threat Bypassing Identity Controls

Michael Sikorski, CTO and Head of Threat Intelligence at Palo Alto Networks' Unit 42 team, which is working with Microsoft to track the active campaign, warned that critical systems in government, schools, healthcare and large enterprises are at immediate risk of compromise.

"Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they're exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold," he noted.

Sikorski also highlighted SharePoint's deep integration with other Microsoft services such as Office, Teams, OneDrive and Outlook, all of which hold valuable information that is lucrative to attackers.

"A compromise doesn't stay contained – it opens the door to the entire network," he added.

watchTowr CEO Benjamin Harris noted that attackers appear to be taking a more sophisticated route than usual, deploying a backdoor that retrieves SharePoint's internal cryptographic keys.

These include the MachineKey used to secure the __VIEWSTATE parameter, a core ASP.NET mechanism that stores page state between requests.

"With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid – enabling seamless remote code execution. This approach makes remediation particularly difficult – a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch," Harris commented.

In a blog post published on July 19, Dutch security firm Eye Security revealed it first identified in-the-wild exploitation of the two vulnerabilities on July 18.

It found that dozens of systems were actively compromised during two waves, on July 18 at around 18:00 UTC and on July 19 at around 07:30 UTC.

Partial Fixes Available

Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. Customers using these versions should apply the patches immediately.

However, no patches are yet available for supported versions of SharePoint 2016.

Microsoft is expected to release an emergency out-of-cycle patch due to the broad exploitation currently underway.

Image credit: Tada Images / Shutterstock.com