{"id":108462,"date":"2025-07-28T03:17:42","date_gmt":"2025-07-28T03:17:42","guid":{"rendered":"https:\/\/x-phy.com\/?p=108462"},"modified":"2025-10-17T05:27:42","modified_gmt":"2025-10-17T05:27:42","slug":"hackers-exploiting-microsoft-flaw-to-attack-governments-businesses","status":"publish","type":"post","link":"https:\/\/x-phy.com\/hackers-exploiting-microsoft-flaw-to-attack-governments-businesses\/","title":{"rendered":"Hackers Exploiting Microsoft Flaw to Attack Governments, Businesses"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">When Microsoft urges its users to download a security update, it usually means two things:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A breach has already happened<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Many more are still vulnerable<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">That\u2019s exactly what happened on July 19, when Microsoft issued an urgent alert about two zero-day vulnerabilities.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the time of writing:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On July 19 2025, Microsoft issued an urgent alert for two zero-day vulnerabilities affecting on-premises SharePoint servers, now tracked as CVE-2025-53770 and CVE-2025-53771, and collectively dubbed ToolShell. These vulnerabilities do not impact SharePoint Online but pose a severe risk to organizations running on-prem SharePoint instances.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">CVE-2025-53770 enables unauthenticated remote code execution (RCE) by exploiting unsafe deserialization, allowing attackers to gain complete control of compromised servers. 
It carries a critical CVSS score of 9.8\/10 and is already being actively exploited in global campaigns targeting government, telecom, and software sectors.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">CVE-2025-53771 is a spoofing\/path traversal vulnerability allowing attackers to bypass authentication via improper header validation. When chained with the first vulnerability, it enables the full ToolShell exploit chain.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The ToolShell attack chain has been used to:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Gain access, steal credentials, and in some cases, deploy ransomware<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Extract sensitive cryptographic keys<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use in-memory payloads that evade traditional defenses by avoiding file-based artifacts<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Researchers and Microsoft have identified three active attack clusters using evolving tactics and payloads to avoid detection. Microsoft has released emergency out-of-band patches for SharePoint Subscription Edition and 2019 (with 2016 patches pending).\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Security agencies urged immediate patching, key rotation, and enhanced endpoint monitoring.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In short, ToolShell is an evolving, active, and critical threat to on-prem SharePoint deployments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By the time Microsoft\u2019s alert went out, the first wave of breaches had already begun on July 18, with hackers planting shells that leaked sensitive key material. 
Even after patching, stolen keys could allow attackers to impersonate legitimate users, making this far more dangerous than a typical \u201cupdate and you\u2019re safe\u201d incident.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In a comment to Security Boulevard, our CEO, Camellia Chan, shared, \u201cNo amount of patching or perimeter defense can guarantee safety when trust assumptions are baked into software architecture. Organizations need to embed protection directly in hardware to close the gap software alone can\u2019t.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Cybersecurity agencies in the U.S., Canada, and Australia warned that this is not a \u201cpatch-and-forget\u201d problem.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Experts recommend:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Patch immediately, but never assume you\u2019re safe<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Investigate for compromise both before and after updates<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Harden defenses with zero-trust, hardware-level protections that detect and block threats in real time<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The ToolShell campaign is a wake-up call for anyone running exposed on-premises systems.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Read the full article on Security Boulevard here: <\/span><a href=\"https:\/\/securityboulevard.com\/2025\/07\/hackers-exploiting-microsoft-flaw-to-attack-governments-businesses\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/securityboulevard.com\/2025\/07\/hackers-exploiting-microsoft-flaw-to-attack-governments-businesses\/<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">To learn more about how our solutions can support your cybersecurity 
strategy, drop us a message at <\/span><a href=\"mailto:info@x-phy.com\"><span style=\"font-weight: 400;\">info@x-phy.com<\/span><\/a><span style=\"font-weight: 400;\">, and let\u2019s get started!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When Microsoft urges its users to download a security update, it usually means two things: A breach has already happened Many more are still vulnerable That\u2019s exactly what happened on [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":108463,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[14,15],"tags":[],"class_list":["post-108462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-media","category-trends-and-developments"],"_links":{"self":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/108462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/comments?post=108462"}],"version-history":[{"count":2,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/108462\/revisions"}],"predecessor-version":[{"id":110643,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/108462\/revisions\/110643"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/media\/108463"}],"wp:attachment":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/media?parent=108462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/categories?post=108462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/tags?post=108462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}