Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief

    Date: 07/22/2025

    Severity: High

    Summary

    CVE-2025-53770 and CVE-2025-53771 affect on-premises Microsoft SharePoint Servers, enabling malicious file uploads and cryptographic key theft. They evolved from earlier flaws (CVE-2025-49704/49706) whose incomplete patches left systems vulnerable to unauthenticated RCE via deserialization and ViewState abuse. Exploitation has been observed across sectors including finance, education, energy, and healthcare. Microsoft has patched Subscription Edition and Server 2019; a fix for Server 2016 is pending.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address : 

    dstipaddress IN ("103.186.30.186","96.9.125.147","107.191.58.76","149.40.50.15","104.238.159.149","154.223.19.106","139.144.199.41","89.46.223.88","45.77.155.170","95.179.158.42","185.197.248.131","149.40.50.15") or srcipaddress IN ("103.186.30.186","96.9.125.147","107.191.58.76","149.40.50.15","104.238.159.149","154.223.19.106","139.144.199.41","89.46.223.88","45.77.155.170","95.179.158.42","185.197.248.131","149.40.50.15")

    Hash : 

    sha256hash IN ("92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514","27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014","b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93","8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2","4A02A72AEDC3356D8CB38F01F0E0B9F26DDC5CCB7C0F04A561337CF24AA84030","B39C14BECB62AEB55DF7FD55C814AFBB0D659687D947D917512FE67973100B70","FA3A74A6C015C801F5341C02BE2CBDFB301C6ED60633D49FC0BC723617741AF7","390665BDD93A656F48C463BB6C11A4D45B7D5444BDD1D1F7A5879B0F6F9AAC7E","66AF332CE5F93CE21D2FE408DFFD49D4AE31E364D6802FFF97D95ED593FF3082","7BAF220EB89F2A216FCB2D0E9AA021B2A10324F0641CAF8B7A9088E4E45BEC95")
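    The two TDIR queries above are IoC lookups over the srcipaddress, dstipaddress and sha256hash fields. As an added example (not Gurucul's code or part of the brief), the Python below applies the same lookups to JSON-lines log records with the same field names, deduplicating the IP list (149.40.50.15 appears twice in the query) and comparing hashes case-insensitively because the brief lists them in mixed case; the record format and sample records are constructed assumptions.

```python
import json

# IoCs taken from the brief. IPs deduplicated; hashes normalized to lowercase
# so a lowercase value in telemetry still matches an uppercase IoC entry.
IOC_IPS = {
    "103.186.30.186", "104.238.159.149", "107.191.58.76", "96.9.125.147",
    "139.144.199.41", "89.46.223.88", "45.77.155.170", "95.179.158.42",
    "149.40.50.15", "154.223.19.106", "185.197.248.131",
}
IOC_SHA256 = {h.lower() for h in (
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
    "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2",
    "27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014",
    "b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93",
    "4A02A72AEDC3356D8CB38F01F0E0B9F26DDC5CCB7C0F04A561337CF24AA84030",
    "B39C14BECB62AEB55DF7FD55C814AFBB0D659687D947D917512FE67973100B70",
    "FA3A74A6C015C801F5341C02BE2CBDFB301C6ED60633D49FC0BC723617741AF7",
    "390665BDD93A656F48C463BB6C11A4D45B7D5444BDD1D1F7A5879B0F6F9AAC7E",
    "66AF332CE5F93CE21D2FE408DFFD49D4AE31E364D6802FFF97D95ED593FF3082",
    "7BAF220EB89F2A216FCB2D0E9AA021B2A10324F0641CAF8B7A9088E4E45BEC95",
)}

def match_record(record):
    """Return IoC hits for one record; field names mirror the TDIR query."""
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        if record.get(field) in IOC_IPS:
            hits.append(f"{field}={record[field]}")
    h = record.get("sha256hash")
    if h and h.lower() in IOC_SHA256:
        hits.append(f"sha256hash={h.lower()}")
    return hits

def scan_jsonl(lines):
    """Run match_record over JSON-lines input; return (line_no, hits) per hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_record(json.loads(line))
        if hits:
            results.append((n, hits))
    return results

# Constructed sample records (assumed log shape), not real telemetry.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "149.40.50.15"}',
    '{"srcipaddress": "10.0.0.7", "dstipaddress": "10.0.0.9", "sha256hash": "4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030"}',
    '{"srcipaddress": "10.0.0.8", "dstipaddress": "10.0.0.9"}',
]

for n, hits in scan_jsonl(SAMPLE_LOG):
    print(f"line {n}: {', '.join(hits)}")
```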

    Reference:

    https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/ 

    https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html

