All news with #sharepoint tag
Mon, October 20, 2025
SharePoint Flaws Led to Breach at Kansas City Nuclear Plant
🔒 A foreign threat actor exploited unpatched Microsoft SharePoint vulnerabilities to infiltrate the Kansas City National Security Campus (KCNSC), which produces most non‑nuclear components for U.S. nuclear weapons. Honeywell FM&T, which manages the site for the NNSA, and the Department of Energy did not respond to requests for comment. Federal responders, including the NSA, were onsite in early August after Microsoft issued fixes on July 19. Attribution remains disputed between Chinese-linked groups and possible Russian actors; there is no public evidence that classified information was taken.
Thu, September 18, 2025
Microsoft 365: Why Its Dominance Creates Major Risk
🔒 Microsoft 365 has become the central nervous system of modern business, and its market dominance has turned the platform into a lucrative target for attackers. With over 400 million paid seats and tightly integrated apps like Outlook, SharePoint, Teams and OneDrive, a single compromise can cascade across services. Organizations must close backup gaps, adopt zero trust, enforce MFA and deploy cross-application threat detection to reduce catastrophic exposure.
Thu, August 21, 2025
Microsoft restricts Chinese firms' early MAPP exploit access
🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.
Tue, August 5, 2025
Project AK47 Linked to SharePoint ToolShell Exploits
🔍 Unit 42 links a modular malware suite dubbed Project AK47 to SharePoint exploitation activity observed alongside Microsoft’s ToolShell reporting. The toolset includes a dual-protocol backdoor (AK47C2 with dnsclient and httpclient), a ransomware family (AK47 / X2ANYLOCK), and DLL side‑loading loaders. Analysts found high-confidence overlaps with Microsoft’s Storm-2603 indicators, evidence of LockBit 3.0 artifacts in an evidence archive, and a matching Tox ID on a Warlock leak site. Recommended actions include applying patches for the referenced SharePoint CVEs and enabling updated protections from endpoint, URL, and DNS defenses.
Thu, July 31, 2025
ToolShell SharePoint Vulnerabilities and Ongoing Exploitation
🔔 Unit 42 reports active exploitation of multiple on‑premises SharePoint vulnerabilities collectively dubbed ToolShell, enabling unauthenticated remote code execution, authentication bypass, and path traversal. Activity observed from mid‑July 2025 includes web shell deployment, theft of ASP.NET MachineKeys and ViewState material, and delivery of the 4L4MD4R ransomware in at least one chain. Organizations with internet‑exposed SharePoint servers should assume potential compromise and follow containment, patching, cryptographic rotation, and incident response guidance immediately.
Fri, July 25, 2025
SharePoint under fire: ToolShell zero-day attacks worldwide
🛡️ ESET's research details active exploitation of two zero-day vulnerabilities—CVE-2025-53770 and CVE-2025-53771—against on-premises Microsoft SharePoint servers in a campaign dubbed ToolShell. The company reports global impact, with the United States accounting for 13.3% of observed attacks. Organizations should immediately prioritize patching affected servers, apply vendor mitigations, tighten access controls and monitoring, and review logs for indicators of compromise. Watch the accompanying video featuring ESET Chief Security Evangelist Tony Anscombe and consult the full blog post for technical detail.
Thu, July 24, 2025
ToolShell SharePoint Zero-Days Exploited in the Wild
🔒 Microsoft and ESET reported active exploitation of a SharePoint Server vulnerability cluster called ToolShell, comprising CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing). Attacks began on July 17, 2025, and target on-prem SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016; SharePoint Online is not affected. Operators deployed webshells — notably spinstall0.aspx (detected as MSIL/Webshell.JS) and several ghostfile*.aspx samples — to bypass MFA/SSO, exfiltrate data and move laterally across integrated Microsoft services. Microsoft and ESET confirmed patches were released on July 22, and ESET published IoCs and telemetry to assist defenders.
Sat, July 19, 2025
Customer Guidance for SharePoint CVE-2025-53770 Patch
🔒 Microsoft warns of active attacks against on-premises SharePoint Server and has issued security updates that fully remediate CVE-2025-53770 and CVE-2025-53771 for supported versions. Customers should apply the published updates immediately, enable AMSI with HTTP request body scanning where available, and deploy endpoint protections such as Microsoft Defender for Endpoint. After patching, rotate ASP.NET machine keys and restart IIS to complete mitigation; SharePoint Online is not affected.