OSINT - Disrupting active exploitation of on-premises SharePoint vulnerabilities
AI Analysis
Technical Summary
The identified security threat is a remote code execution (RCE) vulnerability in Microsoft SharePoint Server, designated CVE-2025-53770. SharePoint Server is a widely used enterprise collaboration and document management platform that often hosts sensitive organizational data and integrates with various internal and external systems. The vulnerability allows an attacker to execute arbitrary code remotely on a vulnerable SharePoint server instance. The attack vector is exploitation of a public-facing application, aligning with MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1133 (External Remote Services). The presence of the 'sharpyshell' tool tag suggests that exploit code or payload delivery mechanisms might be associated with this vulnerability, potentially facilitating exploitation. Although no patch is currently available and no confirmed exploits in the wild have been reported, the vulnerability is rated as high severity, indicating significant risk. The certainty of the OSINT report is moderate (50%), implying that while the vulnerability is credible, some details may still be emerging. Because no affected versions are specified, organizations running any version of SharePoint Server should consider themselves potentially vulnerable until further clarification is provided. The vulnerability could allow attackers to gain unauthorized access, execute malicious code, and potentially compromise the confidentiality, integrity, and availability of organizational data and services hosted on SharePoint servers.
Potential Impact
For European organizations, the impact of this vulnerability could be substantial. SharePoint Server is extensively deployed across various sectors including government, finance, healthcare, and large enterprises within Europe. Successful exploitation could lead to unauthorized data access, data exfiltration, disruption of collaboration services, and lateral movement within corporate networks. This could result in operational downtime, loss of sensitive intellectual property, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Given the critical role SharePoint plays in document management and internal communications, an RCE vulnerability could also be leveraged to deploy ransomware or other persistent threats. The absence of a patch increases the urgency for organizations to implement interim protective measures. Additionally, the moderate certainty level suggests that organizations should monitor for further intelligence updates and be prepared for potential exploitation attempts.
Mitigation Recommendations
In the absence of an official patch, European organizations should adopt a multi-layered defense approach. First, restrict external access to SharePoint servers by implementing strict network segmentation and firewall rules, limiting exposure to only trusted IP addresses or VPN connections. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting SharePoint endpoints. Conduct thorough logging and monitoring of SharePoint server activity to identify anomalous behaviors indicative of exploitation attempts, such as unusual code execution or privilege escalations. Regularly update and harden the underlying operating system and dependent services to reduce the attack surface. Organizations should also review and minimize permissions assigned to SharePoint service accounts to limit the impact of a potential compromise. Implement robust incident response plans tailored to SharePoint-related incidents, including rapid isolation and forensic analysis capabilities. Finally, maintain close communication with Microsoft and cybersecurity communities for timely updates on patches or exploit disclosures and prepare to deploy patches immediately upon release.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Uuid: 59ed4725-5f2a-4844-8dc4-e6926dbcb5ce
- Original Timestamp: 1753257959
Indicators of Compromise
Vulnerability

CVE | Dates (as enriched) | State | References
---|---|---|---
CVE-2025-53770 | 2025-07-20T01:06:33.607000+00:00; 2025-07-23T03:55:21.046000+00:00 | PUBLISHED | https://vulnerability.circl.lu/vuln/CVE-2025-53770, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
CVE-2025-49704 | 2025-07-08T16:58:05.908000+00:00; 2025-07-22T21:04:05.006000+00:00 | PUBLISHED | https://vulnerability.circl.lu/vuln/CVE-2025-49704, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
CVE-2025-53771 | 2025-07-20T22:16:52.203000+00:00; 2025-07-22T21:03:27.322000+00:00 | PUBLISHED | https://vulnerability.circl.lu/vuln/CVE-2025-53771, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
CVE-2025-49706 | 2025-07-08T16:58:07.343000+00:00; 2025-07-23T03:55:22.461000+00:00 | PUBLISHED | https://vulnerability.circl.lu/vuln/CVE-2025-49706, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706

Ip

Value | Description
---|---
134.199.202.205 | IP address exploiting SharePoint vulnerabilities
104.238.159.149 | IP address exploiting SharePoint vulnerabilities
188.130.206.168 | IP address exploiting SharePoint vulnerabilities
131.226.2.6 | Post exploitation C2

Url

Value | Description
---|---
c34718cbb4c6.ngrok-free.app/file.ps1 | Ngrok tunnel delivering PowerShell to C2

Hash

Value | Description
---|---
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | Hash of spinstall0.aspx

File

Value | Description
---|---
debug_dev.js | File containing web config data, including MachineKey data
Spinstall0.aspx | Web shell used by threat actors. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx

Text

Value | Description
---|---
\1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js | —
Malicious | —

Hunting Queries

Sentinel Advanced Security Information Model (_Im_NetworkSession): IOC IP and domain list

```kql
//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_domains = dynamic(["c34718cbb4c6.ngrok-free.app"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
    EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
```

Sentinel Advanced Security Information Model (_Im_WebSession): IOC IP list and file hash

```kql
//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
    EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
```

Sentinel Advanced Security Information Model (imFileEvent): file hash list

```kql
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
// User is DOMAIN\account; split on the backslash to separate the two
| extend AccountName = tostring(split(User, @'\')[1]),
    AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
```

Microsoft Defender XDR: spinstall* files written to the SharePoint LAYOUTS directories

```kql
DeviceFileEvents
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS", "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS")
| where FileName contains "spinstall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```

Microsoft Defender XDR: w3wp.exe spawning cmd.exe with an encoded PowerShell command that references spinstall or the LAYOUTS path (the decoded command is checked with has_any against the indicator list)

```kql
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
// -EncodedCommand carries UTF-16LE, so strip the interleaved NULs after decoding
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
```

Microsoft Defender XDR: spinstall* files created by powershell.exe in the last 7 days

```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "powershell.exe"
| where FileName contains "spinstall"
```

Microsoft Defender XDR: SuspSignoutReq alerts, summarized per device

```kql
AlertEvidence
| where Timestamp > ago(7d)
| where Title has "SuspSignoutReq"
| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName), "")
| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId, isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey))
```

Microsoft Defender XDR: devices with any of the four CVEs reported by vulnerability management

```kql
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49704","CVE-2025-49706","CVE-2025-53770","CVE-2025-53771")
```
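As an added example that is not part of the original report, the following Python re-implements the matching logic of the Defender XDR and Sentinel ASIM hunting queries listed above, so the rules can be sanity-checked offline before they are run in a tenant. The indicator values and column names are taken from the page; the event dicts, the sample decoded script, the application pool name and the source IPs are constructed for the example.

```python
"""Offline re-implementation of the matching logic in this page's Defender XDR and
Sentinel ASIM hunting queries, run over constructed sample events (not real telemetry).
Events are dicts keyed by the same column names the KQL tables use."""
import base64
import re

# Indicators from the page's IOC tables.
IOC_IPS = {"131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"}
IOC_DOMAINS = {"c34718cbb4c6.ngrok-free.app"}
IOC_SHA256 = {"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"}
LAYOUTS_DIRS = (
    r"microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
    r"microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
)
DECODED_MARKERS = (
    "spinstall",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{15,}$")  # same regex as the KQL query


def decode_encoded_command(cmdline: str) -> list[str]:
    """Mirror of the split / mv-expand / base64_decodestring / strip-NUL chain.
    -EncodedCommand carries UTF-16LE, so ASCII text decodes as 'c\\x00m\\x00d\\x00';
    removing the NULs recovers the readable script."""
    decoded = []
    for token in cmdline.split(" "):
        if not B64_TOKEN.match(token):
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # long alphanumeric word that is not valid base64
            continue
        decoded.append(raw.decode("utf-8", errors="replace").replace("\x00", ""))
    return decoded


def process_event_matches(ev: dict) -> bool:
    """DeviceProcessEvents rule: w3wp.exe (outside DefaultAppPool) -> cmd.exe -> powershell
    with an encoded command mentioning spinstall or the SharePoint LAYOUTS path.
    KQL has/contains/=~ are case-insensitive, so everything is lower-cased here."""
    if "w3wp.exe" not in ev["InitiatingProcessFileName"].lower():
        return False
    if "defaultapppool" in ev["InitiatingProcessCommandLine"].lower():
        return False
    if ev["FileName"].lower() != "cmd.exe":
        return False
    cmdline = ev["ProcessCommandLine"]
    lowered = cmdline.lower()
    if not ("cmd.exe" in lowered and "powershell" in lowered):
        return False
    if not ("encodedcommand" in lowered or "-ec" in lowered):
        return False
    return any(marker.lower() in text.lower()
               for text in decode_encoded_command(cmdline) for marker in DECODED_MARKERS)


def file_event_matches(ev: dict) -> bool:
    """DeviceFileEvents rule: a file whose name contains 'spinstall' landing in LAYOUTS."""
    folder = ev["FolderPath"].lower()
    return any(d.lower() in folder for d in LAYOUTS_DIRS) and "spinstall" in ev["FileName"].lower()


def session_matches(ev: dict) -> bool:
    """ASIM _Im_NetworkSession / _Im_WebSession rule: destination IP, destination domain
    or downloaded-file hash is in the IOC sets."""
    domain = ev.get("DstDomain", "").lower()
    return (ev.get("DstIpAddr") in IOC_IPS
            or any(d in domain for d in IOC_DOMAINS)
            or ev.get("FileSHA256", "").lower() in IOC_SHA256)


# --- Constructed sample events ----------------------------------------------------
SAMPLE_DECODED = r"Write-Output 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_DECODED.encode("utf-16-le")).decode("ascii")
BENIGN_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")


def _proc(pool: str, cmdline: str) -> dict:
    """Constructed DeviceProcessEvents-style row for a w3wp.exe -> cmd.exe spawn."""
    return {"InitiatingProcessFileName": "w3wp.exe",
            "InitiatingProcessCommandLine": f'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "{pool}"',
            "FileName": "cmd.exe", "ProcessCommandLine": cmdline}


SAMPLE_PROCESS_EVENTS = [
    _proc("SharePoint - 80", "cmd.exe /c powershell -EncodedCommand " + SAMPLE_ENCODED),  # fires
    _proc("SharePoint - 80", "cmd.exe /c powershell -ec " + BENIGN_ENCODED),             # benign script
    _proc("DefaultAppPool", "cmd.exe /c powershell -EncodedCommand " + SAMPLE_ENCODED),  # excluded pool
]
SAMPLE_FILE_EVENTS = [
    {"FolderPath": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
     "FileName": "spinstall1.aspx"},
    {"FolderPath": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
     "FileName": "default.aspx"},
]
SAMPLE_SESSIONS = [
    {"SrcIpAddr": "10.0.0.5", "DstIpAddr": "131.226.2.6", "DstDomain": ""},
    {"SrcIpAddr": "10.0.0.5", "DstIpAddr": "203.0.113.10", "DstDomain": "c34718cbb4c6.ngrok-free.app"},
    {"SrcIpAddr": "10.0.0.5", "DstIpAddr": "203.0.113.11", "DstDomain": "example.com"},
]


def run_hunt() -> dict:
    """Apply each rule to its sample set; returns the indexes of the rows that matched."""
    return {
        "process": [i for i, e in enumerate(SAMPLE_PROCESS_EVENTS) if process_event_matches(e)],
        "file": [i for i, e in enumerate(SAMPLE_FILE_EVENTS) if file_event_matches(e)],
        "session": [i for i, e in enumerate(SAMPLE_SESSIONS) if session_matches(e)],
    }


if __name__ == "__main__":
    print(run_hunt())  # {'process': [0], 'file': [0], 'session': [0, 1]}
```

Two differences from the KQL are worth knowing when comparing results: KQL `has` matches whole terms while the Python uses case-insensitive substring matching, so the Python is slightly broader, and the encoded-command check fires on any base64-looking token of 15 or more characters, exactly as the query does, which is why long plain words that happen to be valid base64 should be expected to decode to garbage and simply fail the marker check.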
Threat ID: 6880a8adad5a09ad002321f1
Added to database: 7/23/2025, 9:17:33 AM
Last enriched: 8/17/2025, 1:10:47 AM
Last updated: 9/6/2025, 10:25:16 PM