OSINT - Disrupting active exploitation of on-premises SharePoint vulnerabilities
AI Analysis
Technical Summary
CVE-2025-53770 is an unauthenticated remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server; SharePoint Online in Microsoft 365 is not affected. It is a variant of CVE-2025-49704 (RCE), and its companion CVE-2025-53771 is a variant of CVE-2025-49706 (a spoofing flaw that bypasses authentication). The original pair was fixed in the July 2025 security updates; the variants were disclosed after attackers were observed chaining the authentication bypass with the code execution flaw against exposed servers, which is why all four CVEs are tracked together on this page. The activity maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) for initial access; T1133 (External Remote Services) is also tagged because the targeted servers were reachable from the internet. The 'Sharpyshell' tag denotes ASP.NET web-shell tooling; the shell actually recovered from victims is spinstall0.aspx (also seen under other names), which dumps the server's ASP.NET MachineKey configuration, the same data found in the debug_dev.js file listed below. Exploitation is confirmed, not hypothetical: the indicators on this page include source IPs seen exploiting the vulnerabilities, a post-exploitation C2 address and an ngrok-hosted PowerShell stage. The MachineKey theft matters because an attacker who holds the ValidationKey and DecryptionKey can forge signed ASP.NET payloads and keep executing code after the server is patched, so remediation requires both the updates and a key rotation. Microsoft has published security updates for all four CVEs (MSRC links under Indicators of Compromise). Given SharePoint's role in storing sensitive documents and driving business workflows, a successful attack means full compromise of the server, exposure of its data and a foothold for moving laterally into the rest of the Windows domain.
Potential Impact
For European organizations the impact could be severe. SharePoint Server is widely deployed across Europe for internal collaboration, document management and workflow automation, and commonly holds corporate and personal data subject to the GDPR. Remote code execution on such a server enables unauthorized data access, exfiltration or ransomware deployment, with the operational disruption and regulatory penalties that follow. Because the flaw needs no credentials, every SharePoint server reachable from the internet is in scope, which is the common case for finance, healthcare, government and manufacturing organizations that publish SharePoint to remote staff and partners. Reputational damage and financial loss from a breach or outage can be substantial. The variants were exploited before fixes existed, so an exposed server that was unpatched during that window should be treated as potentially compromised and investigated, not merely updated.
Mitigation Recommendations
Apply Microsoft's security updates for CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 on every on-premises SharePoint server; the MSRC update-guide entries are linked under Indicators of Compromise. Patching does not evict an attacker who has already run spinstall0.aspx, because the web shell exposes the ASP.NET MachineKey: after updating, rotate the farm's machine keys (Microsoft documents the Update-SPMachineKey cmdlet in the SharePoint Management Shell, or the equivalent timer job in Central Administration) and restart IIS so the new keys take effect. Microsoft's guidance for this campaign also calls for enabling the SharePoint AMSI integration together with Microsoft Defender Antivirus on the servers. Hunt before trusting a server that was exposed: run the Defender XDR and Sentinel queries below, sweep the 15 and 16 TEMPLATE\LAYOUTS folders for spinstall*.aspx and debug_dev.js, and check IIS logs for requests from the listed IPs and for fetches of the ngrok URL; treat any hit as an incident, isolate the host, preserve logs and the dropped files, and reset credentials the farm and service accounts could have exposed. Reduce exposure in parallel: do not publish SharePoint directly to the internet, place it behind a VPN or an authenticating reverse proxy with WAF rules for exploitation attempts against SharePoint, and restrict administration with least privilege and MFA. Keep vulnerability scanning in place (Defender Vulnerability Management reports the four CVEs; see the last query below), maintain tested backups and an incident response plan, and follow the MSRC advisories for further updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- UUID: 59ed4725-5f2a-4844-8dc4-e6926dbcb5ce
- Original timestamp: 1753257959 (2025-07-23T08:05:59Z)
Indicators of Compromise
Vulnerability

The four CVEs are tracked together: CVE-2025-53770 and CVE-2025-53771 are variants of the pair fixed on 2025-07-08 and required their own updates. Published, Last updated and State are the CVE record values.

| CVE | MSRC classification | Published | Last updated | State | References |
|---|---|---|---|---|---|
| CVE-2025-49704 | SharePoint remote code execution | 2025-07-08T16:58:05.908000+00:00 | 2025-07-22T21:04:05.006000+00:00 | PUBLISHED | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704 ; https://vulnerability.circl.lu/vuln/CVE-2025-49704 |
| CVE-2025-49706 | SharePoint Server spoofing (authentication bypass) | 2025-07-08T16:58:07.343000+00:00 | 2025-07-23T03:55:22.461000+00:00 | PUBLISHED | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706 ; https://vulnerability.circl.lu/vuln/CVE-2025-49706 |
| CVE-2025-53770 | SharePoint Server remote code execution; variant of CVE-2025-49704 | 2025-07-20T01:06:33.607000+00:00 | 2025-07-23T03:55:21.046000+00:00 | PUBLISHED | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 ; https://vulnerability.circl.lu/vuln/CVE-2025-53770 |
| CVE-2025-53771 | SharePoint Server spoofing; variant of CVE-2025-49706 | 2025-07-20T22:16:52.203000+00:00 | 2025-07-22T21:03:27.322000+00:00 | PUBLISHED | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771 ; https://vulnerability.circl.lu/vuln/CVE-2025-53771 |

Ip

| IP | Description |
|---|---|
| 134.199.202.205 | IP address exploiting SharePoint vulnerabilities |
| 104.238.159.149 | IP address exploiting SharePoint vulnerabilities |
| 188.130.206.168 | IP address exploiting SharePoint vulnerabilities |
| 131.226.2.6 | Post-exploitation C2 |

Url

| URL | Description |
|---|---|
| c34718cbb4c6.ngrok-free.app/file.ps1 | ngrok tunnel delivering a PowerShell script (file.ps1) used in post-exploitation; treat the whole ngrok-free.app hostname as an indicator |

Hash

| SHA-256 | Description |
|---|---|
| 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA-256 of spinstall0.aspx (see File below) |

Path

| Path | Description |
|---|---|
| \1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js | Relative path pattern where debug_dev.js was written, in the 15 or 16 hive (see File below) |
Detection queries

Sentinel Advanced Security Information Model (ASIM), network sessions to the listed IPs and the ngrok domain:

```kql
//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_domains = dynamic(["c34718cbb4c6.ngrok-free.app"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
    EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
```

Sentinel ASIM, web sessions to the listed IPs or carrying the spinstall0.aspx hash:

```kql
//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
    EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
```

Sentinel ASIM, file events matching the spinstall0.aspx hash (the split on a backslash separates DOMAIN\user into account and domain):

```kql
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'\')[1]),
    AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
```

Microsoft Defender XDR, spinstall* files written to the 15 or 16 TEMPLATE\LAYOUTS folder:

```kql
DeviceFileEvents
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS", "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS")
| where FileName contains "spinstall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```

Microsoft Defender XDR, the IIS worker process (w3wp.exe in a SharePoint application pool, not DefaultAppPool) spawning cmd.exe with an encoded PowerShell command that decodes to a reference to spinstall or the LAYOUTS folder:

```kql
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
```

Microsoft Defender XDR, spinstall* files written by PowerShell in the last seven days:

```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "powershell.exe"
| where FileName contains "spinstall"
```

Microsoft Defender XDR, devices that raised the SuspSignoutReq alert (the suspicious sign-out Referer request pattern used in the exploit chain):

```kql
AlertEvidence
| where Timestamp > ago(7d)
| where Title has "SuspSignoutReq"
| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName), "")
| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId, isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey))
```

Microsoft Defender XDR, servers still exposed to the four CVEs according to Defender Vulnerability Management:

```kql
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49704","CVE-2025-49706","CVE-2025-53770","CVE-2025-53771")
```
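Not every SharePoint farm forwards to Sentinel or runs Defender XDR, so the following is an added example (not code from this page or from Microsoft) that applies the same indicators directly to the IIS W3C logs on the server. The IOC IPs and the spinstall*/debug_dev.js names come from this page. One assumption is drawn from public reporting on this campaign rather than from the page: the exploit request is a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit whose Referer claims to be /_layouts/SignOut.aspx, the behaviour the Defender alert name "SuspSignoutReq" refers to. The sample log lines are constructed.

```python
"""Scan IIS W3C logs from an on-premises SharePoint server for the request
shapes behind this campaign: the ToolPane.aspx POST with a SignOut Referer
(the Defender "SuspSignoutReq" pattern), access to spinstall*.aspx or
debug_dev.js under /_layouts/, and traffic from the IPs listed on this page.
Added example; the sample data is constructed, not a real capture."""
import re
from collections import namedtuple

# Source/C2 IPs published on this page.
IOC_IPS = {"134.199.202.205", "104.238.159.149", "188.130.206.168", "131.226.2.6"}

# Assumed exploit request shape (public reporting, not stated on this page):
# POST to ToolPane.aspx in edit mode whose Referer claims the SignOut page.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.I)

# Web-shell names from this page (actors renamed spinstall0.aspx) plus the
# debug_dev.js key dump, all served from the LAYOUTS virtual directory.
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/(spinstall\d*\.aspx|debug_dev\.js)$", re.I)

Finding = namedtuple("Finding", "rule time client_ip method uri referer status")


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields directive
    so the field order of any IIS site configuration is honoured."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("log record seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated record: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return the names of every rule a single record triggers."""
    rules = []
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-").lower()
    referer = rec.get("cs(Referer)", "-")
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query
            and SIGNOUT_REFERER_RE.search(referer)):
        rules.append("toolpane_signout_referer")
    if WEBSHELL_RE.search(stem):
        rules.append("webshell_or_keyfile_access")
    if rec.get("c-ip") in IOC_IPS:
        rules.append("known_ioc_ip")
    return rules


def scan(lines):
    """Run every rule over a log and return the matching records as Findings."""
    findings = []
    for rec in parse_w3c(lines):
        query = rec.get("cs-uri-query", "-")
        uri = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        for rule in classify(rec):
            findings.append(Finding(rule, f"{rec.get('date', '?')} {rec.get('time', '?')}",
                                    rec.get("c-ip", "?"), rec.get("cs-method", "?"), uri,
                                    rec.get("cs(Referer)", "-"), rec.get("sc-status", "?")))
    return findings


# Constructed sample log (not a real capture). IIS replaces spaces with '+'
# and writes '-' for empty fields, so whitespace splitting is safe.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 01:02:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 104.238.159.149 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 812
2025-07-19 01:02:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 104.238.159.149 Mozilla/5.0 - 200 0 0 55
2025-07-19 01:10:44 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.0.23 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 140
2025-07-19 01:11:00 10.0.0.5 GET /sites/hr/Shared+Documents/report.docx - 443 CONTOSO\jdoe 10.0.0.23 Mozilla/5.0 - 200 0 0 30
2025-07-19 02:00:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 131.226.2.6 curl/8.0 - 401 2 5 3
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time}  {f.rule:<27} {f.client_ip:<16} {f.method} {f.uri} "
              f"referer={f.referer} status={f.status}")
```

On a real server, feed it the files under %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\ for the SharePoint web applications. The authenticated GET to ToolPane.aspx with a normal settings-page Referer in the sample is left unflagged on purpose: editing a page legitimately hits the same endpoint, and it is the unauthenticated POST with the SignOut Referer that is anomalous.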
File

| File | Description |
|---|---|
| spinstall0.aspx | Web shell used by the threat actors, dropped in the TEMPLATE\LAYOUTS folder of the 15 or 16 hive; SHA-256 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514. Actors have also renamed it in a variety of ways, such as spinstall.aspx, spinstall1.aspx and spinstall2.aspx, so hunt on the hash and on the name pattern rather than the exact name. |
| debug_dev.js | File written to the same LAYOUTS folder (\1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js) containing web.config data, including the ASP.NET MachineKey (ValidationKey and DecryptionKey) that lets an attacker forge signed payloads after the server is patched. |
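As an added example (not code from this page or from Microsoft), a Python sweep of the TEMPLATE\LAYOUTS folders that applies the file indicators above on the server itself: an exact SHA-256 match for spinstall0.aspx, a filename match for the renamed spinstall variants and debug_dev.js, and an optional cutoff that flags any .aspx modified after a date you trust (such as the last legitimate patch), since a shell dropped under an unpublished name matches neither list. The default install root under Common Files and the 15/16 hive layout are assumptions taken from the query paths above; the demo directory tree is constructed.

```python
"""Sweep the SharePoint TEMPLATE/LAYOUTS folders for the file indicators on
this page: spinstall0.aspx by published SHA-256, renamed spinstall*.aspx and
debug_dev.js by name, and optionally any .aspx newer than a cutoff.
Added example, not from the page or Microsoft; run it on the SharePoint server."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File indicators from this page.
SPINSTALL_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
SUSPECT_NAME_RE = re.compile(r"^(spinstall\d*\.aspx|debug_dev\.js)$", re.I)

# Assumed default install root; the 15 and 16 hives mirror the query paths above.
DEFAULT_ROOT = (Path(os.environ.get("CommonProgramFiles", r"C:\Program Files\Common Files"))
                / "microsoft shared" / "Web Server Extensions")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root=DEFAULT_ROOT, hives=("15", "16"), modified_after=None):
    """Return findings as dicts (path, name, sha256, reason).

    Every .aspx and every SUSPECT_NAME_RE match is hashed; a hash hit beats a
    name hit, and modified_after (epoch seconds) flags .aspx files changed
    after that moment, which catches a shell under a name not yet published."""
    findings = []
    for hive in hives:
        layouts = Path(root) / hive / "TEMPLATE" / "LAYOUTS"
        if not layouts.is_dir():
            continue
        for p in layouts.rglob("*"):
            if not p.is_file():
                continue
            is_aspx = p.suffix.lower() == ".aspx"
            name_hit = SUSPECT_NAME_RE.match(p.name) is not None
            if not (is_aspx or name_hit):
                continue
            digest = sha256_of(p)
            if digest == SPINSTALL_SHA256:
                reason = "sha256 matches published spinstall0.aspx"
            elif name_hit:
                reason = "suspicious filename"
            elif modified_after is not None and p.stat().st_mtime > modified_after:
                reason = "aspx modified after cutoff"
            else:
                continue
            findings.append({"path": str(p), "name": p.name, "sha256": digest, "reason": reason})
    return findings


def build_demo_tree(root):
    """Constructed sample tree for offline testing; not real SharePoint content."""
    layouts = Path(root) / "16" / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True, exist_ok=True)
    (layouts / "settings.aspx").write_bytes(b'<%@ Page Language="C#" %> legitimate page')
    (layouts / "SpInstall1.aspx").write_bytes(b'<%@ Page Language="C#" %> renamed shell')
    (layouts / "debug_dev.js").write_bytes(b"ValidationKey=... DecryptionKey=...")
    (layouts / "core.js").write_bytes(b"// ordinary script, must not be flagged")


def demo(modified_after=None):
    """Sweep a throwaway copy of the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sweep(tmp, modified_after=modified_after)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:<40} {f['path']}  sha256={f['sha256']}")
```

Call sweep() with no arguments on the server for the real folders, or pass modified_after=datetime(2025, 7, 1).timestamp() to also list every .aspx touched since the start of the campaign window; any hit should be preserved for forensics, not deleted, before the machine keys are rotated.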
Threat ID: 6880a8adad5a09ad002321f1
Added to database: 7/23/2025, 9:17:33 AM
Last enriched: 10/15/2025, 1:16:17 AM
Last updated: 10/18/2025, 9:12:49 AM