https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253665#M42598 <DIV id="tinyMceEditor_7348005ac49942Lesley_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>IPS protection released yesterday. Make sure traffic is inspected with IPS and that HTTPS decryption is done</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sharepoint.jpg" style="width: 858px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30997i96FEE7D6BC38E462/image-dimensions/858x228?v=v2" width="858" height="228" role="button" title="sharepoint.jpg" alt="sharepoint.jpg" /></span></P> <P> </P> Tue, 22 Jul 2025 09:49:39 GMT Lesley 2025-07-22T09:49:39Z https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253601#M42580 <H3>Attention all security professionals!</H3> <P>A critical zero-day SharePoint remote code execution (RCE) vulnerability, tracked as CVE-2025-53770 and nicknamed “ToolShell,” is currently under active exploitation. This vulnerability affects on-premise Microsoft SharePoint servers, allowing unauthenticated attackers to gain full access and execute arbitrary code remotely. Despite&nbsp;<A href="https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/" target="_blank" rel="noopener">public guidance from Microsoft</A>&nbsp;and an alert from&nbsp;<A href="https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770" target="_blank" rel="noopener">CISA</A>, a full security patch is not yet available.</P> <H3>Key findings:</H3> <UL> <LI>A critical zero-day vulnerability (CVE-2025-53770 ) in SharePoint on-prem is actively being exploited in the wild.</LI> <LI>Dubbed “ToolShell,” the campaign enables unauthorized access to on-prem SharePoint servers, posing a&nbsp;serious risk to corporate environments</LI> <LI>Check Point Research identified the first signs of the exploitation on July 7th.</LI> <LI>Since then, we’ve confirmed dozens of compromise attempts across government, telecommunications, and software sectors in North America and Western Europe.</LI> <LI>Alarmingly, we see that the attackers also leverage known Ivanti Endpoint vulnerabilities throughout the campaign.</LI> </UL> <H3>What did Check Point Research find?</H3> <P>Check Point Research found that the first exploitation attempts were observed on July 7th. The target of the attack is a major Western government. The attacks only intensified on July 18th and 19th, using infrastructure tied to the following IP addresses:</P> <UL> <LI>104.238.159.149</LI> <LI>107.191.58.76</LI> <LI>96.9.125.147</LI> </UL> <P>One of these IPs was also associated with exploitation attempts against a related Ivanti EPMM vulnerability chain (CVE-2025-4427 and CVE-2025-4428).</P> <P>The attack vector involves a custom webshell that parses parameters from VIEWSTATE payloads, enabling insecure deserialization attacks. Targeted sectors include:</P> <UL> <LI>Government</LI> <LI>Software</LI> <LI>Telecommunications</LI> </UL> <P><A href="https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/" target="_self">More details are in the company blog post for the matter</A></P> Mon, 21 Jul 2025 17:07:14 GMT https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253601#M42580 _Val_ 2025-07-21T17:07:14Z https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253612#M42582 <P>Great job btw...I see shows was released and updated July 20th.</P> <P>Andy</P> Mon, 21 Jul 2025 18:22:21 GMT https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253612#M42582 the_rock 2025-07-21T18:22:21Z https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253665#M42598 <DIV id="tinyMceEditor_7348005ac49942Lesley_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>IPS protection released yesterday. Make sure traffic is inspected with IPS and that HTTPS decryption is done</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sharepoint.jpg" style="width: 858px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30997i96FEE7D6BC38E462/image-dimensions/858x228?v=v2" width="858" height="228" role="button" title="sharepoint.jpg" alt="sharepoint.jpg" /></span></P> <P> </P> Tue, 22 Jul 2025 09:49:39 GMT https://community.checkpoint.com/t5/General-Topics/SharePoint-Zero-Day-CVE-2025-53770-Actively-Exploited-Take/m-p/253665#M42598 Lesley 2025-07-22T09:49:39Z