Active Global Attacks Targeting On-premises SharePoint Server (CVE-2025-53770)
(msrc.microsoft.com)
from mhewitt@infosec.pub to cybersecurity@infosec.pub on 20 Jul 17:46
https://infosec.pub/post/31758588
IOCs:
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
- Unusual POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Unusual POSTs to /_layouts/16/ToolPane.aspx?DisplayMode=Edit
- spinstall0.aspx in SharePoint Layouts folders
Vulnerabilities:
- CVE-2025-53770 (new, no patch as of 2025-07-20)
- CVE-2025-49704 (2025-07-08 patch)
- CVE-2025-49706 (2025-07-08 patch)
Only mitigations at this time require both SharePoint AMSI integrations to be enabled and Microsoft Defender in Active mode. Other AV is not confirmed.
Also see
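Detection logic for the web-log indicators listed above, as an added example that is not part of the post or Microsoft's advisory: it assumes the W3C IIS log field order given in the comment and runs over a constructed sample log.

```python
import re

# Indicators from the post (IPs refanged for matching).
SUSPICIOUS_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/ToolPane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall0\.aspx$", re.IGNORECASE)

# Assumed W3C IIS field layout (check the #Fields: header of your own logs):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "user", "c_ip", "ua", "referer", "status"]


def parse_line(line):
    """Split one space-delimited IIS log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return the list of indicator names matched by one parsed log entry."""
    reasons = []
    if entry["c_ip"] in SUSPICIOUS_IPS:
        reasons.append("known-bad-ip")
    if (entry["method"].upper() == "POST" and TOOLPANE_RE.match(entry["uri_stem"])
            and "displaymode=edit" in entry["uri_query"].lower()):
        reasons.append("toolpane-edit-post")
    if WEBSHELL_RE.search(entry["uri_stem"]):
        reasons.append("spinstall0-access")
    return reasons


def scan(lines):
    """Scan log lines; return one hit per entry that matched at least one indicator."""
    hits = []
    for line in lines:
        if line.startswith("#"):  # skip W3C header/comment lines
            continue
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append({"c_ip": entry["c_ip"], "uri": entry["uri_stem"], "reasons": reasons})
    return hits


# Constructed sample log (not real traffic): one benign request, then three suspicious ones.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /sites/team/default.aspx - 443 - 10.0.1.20 Mozilla/5.0 - 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-19 03:13:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-19 03:15:22 10.0.0.5 POST /_layouts/16/ToolPane.aspx DisplayMode=Edit 443 - 192.0.2.10 curl/8.0 - 200"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit on the ToolPane or spinstall0 indicators warrants checking the Layouts folders on that server for spinstall0.aspx, not just blocking the source IP.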