All news with #zero-day tag

ToolShell SharePoint Vulnerabilities and Ongoing Exploitation

🔔 Unit 42 reports active exploitation of multiple on‑premises SharePoint vulnerabilities collectively dubbed ToolShell, enabling unauthenticated remote code execution, authentication bypass, and path traversal. Activity observed from mid‑July 2025 includes web shell deployment, theft of ASP.NET MachineKeys and ViewState material, and delivery of the 4L4MD4R ransomware in at least one chain. Organizations with internet‑exposed SharePoint servers should assume potential compromise and follow containment, patching, cryptographic rotation, and incident response guidance immediately.

July 2025 Cybersecurity Roundup: Key Incidents and Risks

🛡️ In July 2025, ESET Chief Security Evangelist Tony Anscombe highlighted major cybersecurity incidents, including exploitation of ToolShell zero‑day vulnerabilities in on‑premises Microsoft SharePoint and the confirmed return of Lumma Stealer. Other critical stories included a ransomware attack that closed UK transport firm KNP, a massive data exposure in McDonald's hiring chatbot McHire, and the discovery of PerfektBlue Bluetooth flaws affecting vehicles. The UK also proposed banning ransom payments by public bodies.

SharePoint under fire: ToolShell zero-day attacks worldwide

🛡️ ESET's research details active exploitation of two zero-day vulnerabilities—CVE-2025-53770 and CVE-2025-53771—against on-premises Microsoft SharePoint servers in a campaign dubbed ToolShell. The company reports global impact, with the United States responsible for 13.3% of observed attacks. Organizations should immediately prioritize patching affected servers, apply vendor mitigations, tighten access controls and monitoring, and review logs for indicators of compromise. Watch the accompanying video featuring ESET Chief Security Evangelist Tony Anscombe and consult the full blogpost for technical detail.

ToolShell SharePoint Zero-Days Exploited in the Wild

🔒 Microsoft and ESET reported active exploitation of a SharePoint Server vulnerability cluster called ToolShell, comprising CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing). Attacks began on July 17, 2025, and target on-prem SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016; SharePoint Online is not affected. Operators deployed webshells — notably spinstall0.aspx (detected as MSIL/Webshell.JS) and several ghostfile*.aspx samples — to bypass MFA/SSO, exfiltrate data and move laterally across integrated Microsoft services. Microsoft and ESET confirmed patches were released on July 22, and ESET published IoCs and telemetry to assist defenders.

Customer Guidance for SharePoint CVE-2025-53770 Patch

🔒 Microsoft warns of active attacks against on-premises SharePoint Server and has issued security updates that fully remediate CVE-2025-53770 and CVE-2025-53771 for supported versions. Customers should apply the published updates immediately, enable AMSI with HTTP request body scanning where available, and deploy endpoint protections such as Microsoft Defender for Endpoint. After patching, rotate ASP.NET machine keys and restart IIS to complete mitigation; SharePoint Online is not affected.

A Summer of Security: Empowering Defenders with AI

🛡️ Google outlines summer cybersecurity advances that combine agentic AI, platform improvements, and public-private partnerships to strengthen defenders. Big Sleep—an agent from DeepMind and Project Zero—has discovered multiple real-world vulnerabilities, most recently an SQLite flaw (CVE-2025-6965) informed by Google Threat Intelligence, helping prevent imminent exploitation. The company emphasizes safe deployment, human oversight, and standard disclosure while extending tools like Timesketch (now augmented with Sec‑Gemini agents) and showcasing internal systems such as FACADE at Black Hat and DEF CON collaborations.