OSINT - Disrupting active exploitation of on-premises SharePoint vulnerabilities
AI Analysis
Technical Summary
The reported security threat concerns active exploitation attempts targeting on-premises Microsoft SharePoint installations, identified under CVE-2025-53770. This vulnerability is associated with public-facing SharePoint applications, which are commonly used for enterprise collaboration and document management. The threat actors involved include advanced persistent threat (APT) groups such as APT31, Emissary Panda, and Storm-2603, known for their sophisticated cyber espionage campaigns. The attack techniques align with MITRE ATT&CK patterns including exploitation of public-facing applications (T1190), PowerShell execution (T1059.001), deployment of web shells (T1505.003), reflective code loading (T1620), and automated data collection (T1119). These techniques suggest a multi-stage attack where initial exploitation leads to remote code execution, persistence via web shells, and subsequent data exfiltration or reconnaissance activities. Despite the absence of an available patch, no known exploits have been confirmed in the wild, indicating either early detection or limited exploitation scope. The vulnerability's exploitation does not require user interaction but targets exposed SharePoint servers, which are often internet-accessible, increasing the attack surface. The technical details remain limited, but the involvement of recognized APT groups and the high severity rating underscore the critical nature of this threat to organizations relying on on-premises SharePoint deployments.
Potential Impact
For European organizations, the exploitation of this SharePoint vulnerability could lead to significant confidentiality breaches, unauthorized access to sensitive corporate data, and potential disruption of collaboration services. Given SharePoint's widespread use in government, financial, healthcare, and critical infrastructure sectors across Europe, successful exploitation could compromise intellectual property, personal data protected under GDPR, and operational continuity. The use of web shells and PowerShell-based payloads enables attackers to maintain persistent access, escalate privileges, and move laterally within networks, amplifying the risk of extensive data theft or sabotage. Additionally, automated collection techniques could facilitate large-scale data harvesting, impacting privacy and regulatory compliance. The lack of an available patch increases the urgency for organizations to implement compensating controls to mitigate exploitation risks. The threat actors involved have historically targeted European entities, often aligning with geopolitical interests, which heightens the risk for organizations in countries with strategic importance or active geopolitical tensions.
Mitigation Recommendations
Given the absence of an official patch, European organizations should adopt a layered defense approach. First, immediately conduct comprehensive audits of all on-premises SharePoint servers to identify exposed instances and assess their configurations. Restrict public access to SharePoint sites wherever possible, implementing network segmentation and firewall rules to limit exposure. Deploy Web Application Firewalls (WAFs) with updated signatures to detect and block exploitation attempts targeting SharePoint vulnerabilities. Monitor PowerShell execution logs and implement application whitelisting to detect anomalous or unauthorized script activity. Regularly scan for and remove unauthorized web shells by employing integrity monitoring tools and endpoint detection and response (EDR) solutions. Enhance logging and alerting for suspicious activities related to SharePoint and associated services. Employ threat intelligence feeds to stay informed about emerging exploitation techniques and indicators of compromise linked to the identified APT groups. Finally, develop and rehearse incident response plans specifically addressing SharePoint compromise scenarios to minimize impact in case of successful exploitation.
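The PowerShell-monitoring step above, as an added example that is not part of the original advisory or of Microsoft's own queries: a Python re-implementation of the page's encoded-command hunting logic (cmd.exe spawned by a non-DefaultAppPool w3wp.exe, running encoded PowerShell that names spinstall or a SharePoint LAYOUTS path), run over constructed sample events. The event dictionaries, their values and the `encode_command` helper are constructed here; only the process names, paths and token regex come from the page's Defender XDR query.

```python
"""Added example: Python re-implementation of the encoded-PowerShell hunting
logic on this page, run over constructed DeviceProcessEvents-style records."""
import base64
import re

# Short-name LAYOUTS paths the page's Defender XDR query searches for.
LAYOUTS_SHORT_PATHS = (
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{15,}$")  # same shape as the query's regex

def decode_encoded_command(token: str) -> "str | None":
    """Decode one -EncodedCommand token (base64 of UTF-16LE). Dropping the NUL
    bytes mirrors the query's replace("\\x00", "", base64_decodestring(...))."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass: not base64
        return None
    return raw.decode("latin-1").replace("\x00", "")

def is_suspicious_process_event(event: dict) -> bool:
    """The page's filter: cmd.exe spawned by a non-DefaultAppPool w3wp.exe that
    runs encoded PowerShell referencing spinstall or a SharePoint LAYOUTS path."""
    cmdline = event["ProcessCommandLine"]
    low = cmdline.lower()
    if ("w3wp.exe" not in event["InitiatingProcessFileName"].lower()
            or "DefaultAppPool" in event["InitiatingProcessCommandLine"]
            or event["FileName"].lower() != "cmd.exe"
            or "cmd.exe" not in low or "powershell" not in low
            or ("encodedcommand" not in low and "-ec" not in low)):
        return False
    for arg in cmdline.split(" "):
        decoded = decode_encoded_command(arg) if B64_TOKEN.match(arg) else None
        if decoded and ("spinstall" in decoded.lower()
                        or any(p in decoded for p in LAYOUTS_SHORT_PATHS)):
            return True
    return False

def encode_command(script: str) -> str:
    # Builds an -EncodedCommand token the way PowerShell expects (sample data only).
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry); keys follow Defender XDR columns.
SAMPLE_EVENTS = [
    {  # fires: SharePoint app pool, encoded script names the web shell path
        "InitiatingProcessFileName": "w3wp.exe",
        "InitiatingProcessCommandLine": 'w3wp.exe -ap "SharePoint - 80"',
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c powershell -EncodedCommand " + encode_command(
            r'Test-Path "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"'),
    },
    {  # excluded: DefaultAppPool worker process, as in the query
        "InitiatingProcessFileName": "w3wp.exe",
        "InitiatingProcessCommandLine": 'w3wp.exe -ap "DefaultAppPool"',
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c powershell -ec " + encode_command("Get-Date"),
    },
]

def flag_events(events) -> list:
    # Indexes of the events the detection fires on.
    return [i for i, e in enumerate(events) if is_suspicious_process_event(e)]
```

The decoder strips NUL bytes the way the KQL does, so the match works for ASCII scripts only; a script containing non-ASCII characters would need a proper UTF-16LE decode instead.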
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Uuid: 59ed4725-5f2a-4844-8dc4-e6926dbcb5ce
- Original Timestamp: 1753257959
Indicators of Compromise
Vulnerability
Value | Description
---|---
CVE-2025-53770 | —
CVE-2025-49704 | —
CVE-2025-53771 | —
CVE-2025-49706 | —
IP
Value | Description
---|---
134.199.202.205 | IP address exploiting SharePoint vulnerabilities
104.238.159.149 | IP address exploiting SharePoint vulnerabilities
188.130.206.168 | IP address exploiting SharePoint vulnerabilities
131.226.2.6 | Post-exploitation C2
URL
Value | Description
---|---
c34718cbb4c6.ngrok-free.app/file.ps1 | Ngrok tunnel delivering PowerShell to C2
Hash
Value | Description
---|---
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | Hash (SHA-256) of spinstall0.aspx
Link
Value | Description
---|---
https://vulnerability.circl.lu/vuln/CVE-2025-49706 | —
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706 | —
https://vulnerability.circl.lu/vuln/CVE-2025-53771 | —
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771 | —
https://vulnerability.circl.lu/vuln/CVE-2025-49704 | —
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704 | —
https://vulnerability.circl.lu/vuln/CVE-2025-53770 | —
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 | —
File
Value | Description
---|---
debug_dev.js | File containing web config data, including MachineKey data
Spinstall0.aspx | Web shell used by threat actors. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx
Text
Value | Description
---|---
\1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js | —
Hunting queries
Sentinel Advanced Security Information Model
```kql
// IP list and domain list - _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_domains = dynamic(["c34718cbb4c6.ngrok-free.app"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
    EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
```
Sentinel Advanced Security Information Model
```kql
// IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
    EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
```
Sentinel Advanced Security Information Model
```kql
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
// User is DOMAIN\user; split on the backslash
| extend AccountName = tostring(split(User, @'\')[1]),
    AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
```
Microsoft Defender XDR
```kql
// Web shell files dropped into the SharePoint LAYOUTS directories
DeviceFileEvents
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS", "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS")
| where FileName contains "spinstall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```
Microsoft Defender XDR
```kql
// Encoded PowerShell launched via cmd.exe from a SharePoint worker process
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
// the encoded script is UTF-16LE; strip the NUL bytes so the decoded text is searchable
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
```
Microsoft Defender XDR
```kql
// spinstall files written by PowerShell in the last 7 days
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "powershell.exe"
| where FileName contains "spinstall"
```
Microsoft Defender XDR
```kql
// Alerts on the suspicious sign-out request pattern
AlertEvidence
| where Timestamp > ago(7d)
| where Title has "SuspSignoutReq"
| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName), "")
| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId, isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey))
```
Microsoft Defender XDR
```kql
// Devices still exposed to the four SharePoint CVEs
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49704", "CVE-2025-49706", "CVE-2025-53770", "CVE-2025-53771")
```
Threat ID: 6880a8adad5a09ad002321f1
Added to database: 7/23/2025, 9:17:33 AM
Last enriched: 7/23/2025, 9:32:47 AM
Last updated: 7/23/2025, 5:02:33 PM