Today’s Topics:
- CVE-2025-53770: Critical SharePoint Zero-Day Exploited in Active Attacks, 85+ Servers Compromised
- Dell Confirms Breach of Product Demo Lab by World Leaks Extortion Group
- How can Netizen help?
CVE-2025-53770: Critical SharePoint Zero-Day Exploited in Active Attacks, 85+ Servers Compromised

A critical zero-day vulnerability in Microsoft SharePoint Server, now tracked as CVE-2025-53770 and assigned a CVSS score of 9.8, is being exploited in ongoing large-scale attacks that have already breached at least 85 SharePoint servers worldwide.
CVE-2025-53770 is a variant of CVE-2025-49704, a previously patched remote code execution (RCE) vulnerability in SharePoint. The flaw stems from insecure deserialization of untrusted data, allowing attackers to execute code over the network without authentication.
Discovered by Viettel Cyber Security and reported through Trend Micro’s Zero Day Initiative (ZDI), the vulnerability affects on-premises SharePoint Servers but does not impact SharePoint Online in Microsoft 365.
According to Microsoft, attackers are exploiting the way SharePoint deserializes untrusted objects, enabling them to execute arbitrary commands before any authentication occurs. Once inside, they can extract the server’s MachineKey configuration, specifically the ValidationKey and DecryptionKey, using PowerShell scripts.
These keys allow attackers to craft forged __VIEWSTATE payloads that SharePoint treats as valid, effectively granting persistent access and enabling seamless remote code execution. This persistence is extremely difficult to remove, even after patching, unless the cryptographic keys are rotated.
Compromised servers appear to blend malicious activity into normal SharePoint operations, allowing attackers to move laterally and remain undetected unless organizations have deep endpoint monitoring in place—such as Defender for Endpoint or other EDR tools.
Security researchers at Eye Security and Palo Alto Networks’ Unit 42 have observed attackers chaining CVE-2025-49704 with CVE-2025-49706—a spoofing vulnerability related to how SharePoint handles HTTP Referer headers. This exploit chain, codenamed ToolShell, leverages CVE-2025-49706 to deliver a POST payload that ultimately triggers RCE via CVE-2025-49704.
Eye Security suspects that adding the '_layouts/SignOut.aspx' endpoint as a Referer header is the key step that transforms CVE-2025-49706 into CVE-2025-53770. The implication is that CVE-2025-53770 may be functionally similar to or overlap with both CVE-2025-49704 and CVE-2025-49706, making attribution complex.
As of the latest reports, over 85 SharePoint servers have been compromised globally. At least 29 affected organizations span government agencies and multinational corporations. Many compromised systems have been found hosting ASPX-based web shells used to maintain access.
watchTowr CEO Benjamin Harris explained that with access to the ValidationKey and DecryptionKey, attackers can create arbitrary __VIEWSTATE payloads that are accepted by the server, allowing them to re-enter systems even after a patch is applied, unless the cryptographic secrets are also rotated.
Microsoft acknowledged the vulnerability in a security advisory on July 19, 2025, and urged customers to enable Antimalware Scan Interface (AMSI) integration and install Microsoft Defender Antivirus on SharePoint servers. AMSI integration is enabled by default in the September 2023 security updates for SharePoint Server 2016/2019 and in the 23H2 feature release for the SharePoint Server Subscription Edition.
For organizations unable to enable AMSI, Microsoft recommends disconnecting vulnerable SharePoint servers from the internet until a patch is applied.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a formal alert, confirming the vulnerability’s active exploitation and encouraging immediate defensive action. According to Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA, the agency coordinated with Microsoft and alerted potentially impacted entities.
Microsoft has since released an official patch for CVE-2025-53770, alongside a new related vulnerability, CVE-2025-53771. All organizations running on-premises SharePoint are urged to apply these updates without delay. In parallel, organizations should rotate MachineKey settings to invalidate any secrets that may have been stolen during exploitation.
Security teams are also encouraged to deploy EDR solutions with visibility into SharePoint-specific behavior, monitor for unusual ASPX payload executions, and scan for unauthorized changes to ViewState and authentication mechanisms.
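As an added illustration of the monitoring recommended above (this is example code, not from Netizen, Microsoft or the researchers cited), the script below applies the Referer indicator from the ToolShell description to IIS W3C logs from a SharePoint front end. The log lines are constructed, the `/_layouts/15/example.aspx` target is a placeholder, and a match is a lead for triage rather than proof of compromise.

```python
# Added example: flag the ToolShell request pattern in IIS W3C logs.
# Matches POST requests whose Referer points at /_layouts/SignOut.aspx, the
# header value Eye Security tied to the chain leading to CVE-2025-53770.
import re

SIGNOUT_REFERER = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)

# Constructed sample log (not real traffic). The second request line carries
# the suspicious Referer; the third is a normal sign-out POST and must not match.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr/ 200 0 0 120
2025-07-19 03:14:09 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 88
2025-07-19 03:14:10 10.0.0.5 POST /_layouts/15/SignOut.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 302 0 0 15
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the '#Fields:' directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may change the layout mid-file; re-read it
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("request line seen before a #Fields: directive")
        values = line.split(" ")  # IIS percent-encodes spaces inside field values
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_toolshell_requests(lines):
    """Return POST requests whose Referer matches the SignOut.aspx indicator."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if SIGNOUT_REFERER.search(rec.get("cs(Referer)", "-")):
            hits.append({"time": rec.get("date", "") + " " + rec.get("time", ""),
                         "client": rec.get("c-ip", "-"),
                         "uri": rec.get("cs-uri-stem", "-"),
                         "status": rec.get("sc-status", "-")})
    return hits
```

Run it against real logs with `find_toolshell_requests(open(path))`; a legitimate POST whose own URI is SignOut.aspx is not flagged, only one whose Referer is.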
Dell Confirms Breach of Product Demo Lab by World Leaks Extortion Group

Dell Technologies has confirmed that a newly rebranded extortion group, World Leaks, compromised one of its Customer Solution Centers, a test environment used to showcase Dell products and run proof-of-concept trials for commercial clients. While the group appears to be attempting to extort Dell over the incident, the company maintains that no sensitive customer or internal data was compromised.
In a statement to BleepingComputer, Dell explained that the breach was limited to its Solution Center, which operates independently of core production networks and customer-facing systems. According to the company, “a threat actor recently gained access to our Solution Center, an environment designed to demonstrate our products and test proofs-of-concept for Dell’s commercial customers.”
Dell emphasized that the impacted environment is isolated from customer and partner systems and does not play any role in the delivery of services to customers. The company further noted that most of the data housed within the test platform is synthetic or publicly available—including sample datasets, generic medical and financial information, and Dell-internal testing scripts.
The only legitimate data reportedly exposed during the intrusion was an outdated contact list, which Dell characterized as limited in sensitivity. Customers are routinely warned not to upload personal or proprietary data into the Customer Solution Centers, reducing the potential impact of breaches in these environments.
The group behind the breach, World Leaks, is a rebranded version of Hunters International, which itself was flagged as a successor to the notorious Hive ransomware group due to code-level similarities. Originally launched in late 2023 as a ransomware-as-a-service (RaaS) operation, Hunters International pivoted to data extortion after determining that ransomware encryption had become both less profitable and riskier to carry out.
In January 2025, the group formally rebranded to World Leaks, shifting its tactics to focus entirely on data theft and extortion, rather than encrypting victims’ files. According to threat intelligence, they use a custom-built exfiltration tool and maintain a data leak site where stolen information is published as leverage. To date, World Leaks has claimed responsibility for at least 49 data leaks and over 280 total attacks across multiple sectors worldwide.
While World Leaks has not yet listed Dell on its data leak site, its involvement in this breach suggests continued targeting of high-profile technology companies. The attackers have previously been linked to post-compromise activity on end-of-life SonicWall SMA 100 devices, where they deployed a custom OVERSTEP rootkit to maintain persistence and evade detection.
Dell has not disclosed how the attackers gained access to the test environment, citing the ongoing nature of its investigation. Nor has the company confirmed whether it received a ransom demand or engaged with the extortion group.
While this incident did not compromise core systems or sensitive customer data, it serves as a reminder for enterprises to apply zero trust principles not just to operational environments, but also to development, testing, and demonstration platforms. These auxiliary systems often lack the same hardened defenses but can still be targeted as footholds for more advanced attacks.
Organizations should treat demo and lab environments with the same level of scrutiny given to production systems, ensuring network segmentation, proper user authentication, vulnerability management, and telemetry visibility remain in place.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
