CISA released a malware analysis report detailing ToolShell attacks on specific Microsoft SharePoint Server versions. Cyber threat actors exploited CVE-2025-49704 and CVE-2025-49706 to gain access to on-premises SharePoint servers. CISA analyzed multiple files, including DLLs and web shells, that could be used to steal cryptographic keys and exfiltrate data. The headline vulnerability, CVE-2025-53770, is a critical remote code execution flaw that multiple threat groups exploited, affecting over 400 victims, including the US Department of Energy.
CISA analysed six files: two Dynamic Link Libraries (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and to execute a Base64-encoded PowerShell command that fingerprints the host system and exfiltrates data.
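Base64-encoded PowerShell hides what was actually run from anyone reading a plain command line, so a defender triaging a SharePoint host needs to decode it. The script below is an added example, not code from the CISA report or any of the analysed samples: it scans constructed process-creation records for PowerShell's `-EncodedCommand` flag (and its accepted abbreviations), reverses the UTF-16LE/Base64 encoding, and flags invocations spawned by the IIS worker `w3wp.exe` (the parent a web shell on SharePoint would typically have) or containing host-fingerprinting and download/upload cmdlets. The log field layout (`parent=... image=... cmd=...`), the sample lines, and the keyword list are assumptions made for this example.

```python
import base64
import re
from typing import Optional

# Constructed plaintext for the sample below (not taken from the CISA report).
PLAINTEXT_CMD = "Get-ComputerInfo | ConvertTo-Json | Out-File C:\\Windows\\Temp\\host.json"


def encode_powershell(command: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation records. The "parent=... image=... cmd=..."
# layout is an assumption for this example, not a real product's log format.
SAMPLE_LOGS = [
    "parent=services.exe image=powershell.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
    "parent=w3wp.exe image=powershell.exe cmd=powershell.exe -NoP -W Hidden -enc " + encode_powershell(PLAINTEXT_CMD),
    "parent=w3wp.exe image=cmd.exe cmd=cmd.exe /c whoami",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec, -en and -enc
# are the ones seen in practice. The trailing \s+ keeps -ExecutionPolicy from matching.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)

# Assumed triage keywords: host fingerprinting, web download/upload, and the
# ASP.NET machine key that ToolShell-style tooling goes after.
RECON_OR_EXFIL = (
    "get-computerinfo", "systeminfo", "invoke-webrequest",
    "invoke-restmethod", "net.webclient", "machinekey",
)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse -EncodedCommand (Base64 -> UTF-16LE). Returns None if the payload is malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def triage_line(line: str) -> Optional[dict]:
    """Return a triage record for a line carrying an encoded PowerShell command, else None."""
    m = ENC_FLAG.search(line)
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    parent_m = re.search(r"parent=(\S+)", line)
    parent = parent_m.group(1) if parent_m else ""
    return {
        "parent": parent,
        "decoded": decoded,  # None means the payload did not decode cleanly; still worth a look
        "from_web_worker": parent.lower() == "w3wp.exe",
        "recon_or_exfil": decoded is not None and any(k in decoded.lower() for k in RECON_OR_EXFIL),
    }


def scan(lines) -> list:
    """Run triage over a sequence of log lines and keep only the hits."""
    return [hit for hit in (triage_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Two things to keep in mind when adapting this: real telemetry will carry the command line in whatever field the EDR or Sysmon configuration emits, so the `parent=`/`cmd=` parsing is the first thing to replace, and a payload that fails to decode should be escalated rather than dropped, since an operator who tampers with the encoding is more suspicious, not less.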
The key vulnerability in SharePoint Server, CVE-2025-53770, rated 'critical' with a CVSS score of 9.8, built upon the earlier 'medium'-severity CVE-2025-49706, a flaw Microsoft thought it had patched last month, only to find it under active exploitation as a zero-day targeting some big names.