Threat Response – Microsoft SharePoint Zero-Day Vulnerability
On June 17 2025, Citrix published an advisory on two vulnerabilities in NetScaler ADC and NetScaler Gateway appliances [1]: CVE-2025-5349, an improper access control issue on the management interface, and CVE-2025-5777, an insufficient input validation flaw that leads to an out-of-bounds memory read (publicly known as "CitrixBleed 2"). We previously emailed you about these vulnerabilities with the advice to apply the patch quickly. Since then, the vulnerabilities have been exploited at scale, both by nation-state actors and by other actors. If you did not patch in time, you should assume your appliances have been compromised and act accordingly.
Description
On June 17, Citrix published details of the vulnerabilities and made patched builds available. As early as June 20, a threat actor presumed to be a Chinese nation-state actor started exploiting the memory overread (CVE-2025-5777) in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, which enabled anyone to develop exploits and scanners. Since then numerous actors have exploited the vulnerability, and threat-intelligence providers have used the now well-understood exploitation pattern to retroactively identify exploitation from before July 4, which is the origin of the intelligence on the Chinese actor.
Impact
The impact of this vulnerability is high: the out-of-bounds read leaks memory from the appliance, including valid session tokens. With a stolen token an attacker can hijack the existing session, or set up a new session with the privileges of the user the token belongs to. Exploitation is not trivial, but not hard either: it requires no authentication, only network access to a NetScaler configured as a Gateway or AAA virtual server.
Risk
If you did not patch your vulnerable NetScalers before July 4, you should assume they have been compromised. If you did not patch your vulnerable NetScalers before June 20 and your organisation is potentially of interest to Chinese nation-state actors, you should investigate under the assumption of compromise as well.
Mitigation
Follow the patching advice in our previous Threat Response [3]. After upgrading, terminate all active ICA and PCoIP sessions on the appliance (kill icaconnection -all and kill pcoipConnection -all), as Citrix recommends [1]: a session token stolen before the patch remains valid until the session it belongs to is ended, so patching alone does not evict an attacker who already holds one.
What should you do?
If you have not yet patched your vulnerable NetScaler devices, we recommend taking them offline immediately and investigating both the devices and the IT environment they give access to for compromise. The likelihood of compromise is high at this point, and an attacker who came in through such a device has most likely had access to the systems behind it for some time.
If you patched after June 20, we recommend searching your logs for signs of compromise using the published indicators [4]. In addition, compare the IP address from which each user session was established (the login) with the IP addresses from which that session was subsequently used. A session used from an address other than the one that authenticated it indicates that its token was stolen and replayed by an attacker. Legitimate roaming (mobile users, rotating proxy pools) produces the same pattern, so treat a mismatch as a lead to investigate, not as proof.
If you find such IP address anomalies, or signs of compromise with the recommended searches [4], we recommend contacting our CERT for an investigation into a possible breach.
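One way to implement the session-IP comparison described above, as an added example that is not part of the original Threat Response and not Citrix tooling. It parses a simplified NetScaler-style syslog format (the field layout, the sample log lines and the LINE_RE pattern are assumptions and must be adapted to your own log export), tracks each SSLVPN session by user and SessionId, and reports sessions that were used from an address other than the one that logged in. Sessions that started before the log window have no LOGIN line and get a weaker "first_seen" baseline instead.

```python
import re

# Constructed sample lines in a simplified NetScaler-style syslog format. These are not
# real ns.log lines: the exact field layout is an assumption, so adapt LINE_RE to the
# format of your own log export before running this on production data.
SAMPLE_NS_LOG = """\
Jun 25 09:00:01 ns1 : default SSLVPN LOGIN 1001 0 : Context alice@203.0.113.10 - SessionId: 17- User alice - Client_ip 203.0.113.10 - Vserver 10.1.1.1:443
Jun 25 09:05:12 ns1 : default SSLVPN HTTPREQUEST 1002 0 : Context alice@203.0.113.10 - SessionId: 17- GET /cgi/setclient?wica
Jun 25 09:07:33 ns1 : default SSLVPN HTTPREQUEST 1003 0 : Context alice@198.51.100.77 - SessionId: 17- GET /cgi/setclient?wica
Jun 25 09:10:00 ns1 : default SSLVPN LOGIN 1004 0 : Context bob@192.0.2.5 - SessionId: 18- User bob - Client_ip 192.0.2.5 - Vserver 10.1.1.1:443
Jun 25 09:12:00 ns1 : default SSLVPN HTTPREQUEST 1005 0 : Context bob@192.0.2.5 - SessionId: 18- GET /cgi/setclient?wica
Jun 25 09:14:00 ns1 : default SSLVPN HTTPREQUEST 1006 0 : Context carol@192.0.2.9 - SessionId: 12- GET /vpn/index.html
"""

# Assumed layout: "SSLVPN <EVENT> <id> <n> : Context <user>@<client_ip> - SessionId: <sid>-"
LINE_RE = re.compile(
    r"SSLVPN (?P<event>[A-Z_]+) \d+ \d+ : Context (?P<user>[^@\s]+)@(?P<ip>[\d.]+)"
    r" - SessionId: (?P<sid>\d+)-"
)


def track_sessions(lines):
    """Build one record per (user, session id) from the log lines, in first-seen order.

    The baseline address is the client IP of the LOGIN event. If the session started
    before the log window there is no LOGIN line, so the first IP seen is used instead
    and the record is marked baseline="first_seen" (a weaker signal). Lines are assumed
    to be in chronological order."""
    sessions = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an SSLVPN session line; ignore
        key = (m["user"], m["sid"])
        rec = sessions.setdefault(key, {
            "user": m["user"], "session_id": m["sid"],
            "login_ip": None, "baseline": None, "other_ips": [],
        })
        if rec["login_ip"] is None:
            rec["login_ip"] = m["ip"]
            rec["baseline"] = "login" if m["event"] == "LOGIN" else "first_seen"
        elif m["ip"] != rec["login_ip"] and m["ip"] not in rec["other_ips"]:
            rec["other_ips"].append(m["ip"])
    return list(sessions.values())


def find_hijacked_sessions(lines):
    """Return the sessions that were used from an IP other than the one that logged in.

    A hit is a lead, not proof: a user roaming between networks or sitting behind a
    rotating proxy pool produces the same pattern. Correlate hits with the published
    IoCs before escalating."""
    return [rec for rec in track_sessions(lines) if rec["other_ips"]]


if __name__ == "__main__":
    for rec in find_hijacked_sessions(SAMPLE_NS_LOG.splitlines()):
        print(f"session {rec['session_id']} of {rec['user']}: logged in from "
              f"{rec['login_ip']} ({rec['baseline']}), also used from "
              f"{', '.join(rec['other_ips'])}")
```

On the constructed sample, alice's session 17 is flagged because it is used from 198.51.100.77 after logging in from 203.0.113.10, while bob's session is clean and carol's session only has a first-seen baseline. Run it over a syslog export covering the whole exposure window (from June 17, not from the patch date), since the token may have been stolen days before it was used.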
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f
[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
See also (NCSC-NL advisory): https://advisories.ncsc.nl/advisory?id=NCSC-2025-0204
On July 19 2025, Microsoft published an advisory on a zero-day vulnerability in SharePoint Server that is being actively exploited [1]. The vulnerability, tracked as CVE-2025-53770, is closely related to two earlier vulnerabilities (CVE-2025-49706 and CVE-2025-49704 [2]) that were fixed in the July 2025 Patch Tuesday updates; CVE-2025-53770 is a variant that bypasses those fixes. It gives an unauthenticated attacker remote code execution on on-premises SharePoint servers that are reachable from the internet. At the time of writing, no patch is available for this vulnerability.
Description
On July 19 2025, MSRC (the Microsoft Security Response Center) acknowledged active exploitation of a previously unknown SharePoint vulnerability. Earlier that day, security firm Eye (Eye Security) had already published its findings [2] and notified Microsoft. The vulnerability is closely related to two earlier ones: an authentication bypass on a SharePoint endpoint (CVE-2025-49706) and an unsafe deserialization of attacker-controlled data (CVE-2025-49704). Chained, these give remote code execution on the SharePoint server without any credentials. In the observed attacks, the code that is executed drops a web shell that reads the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that SharePoint uses to sign and encrypt ViewState). With those keys an attacker can craft their own validly signed, malicious ViewState payloads and regain code execution through the normal deserialization path, even after the initial entry point is closed; rotating the keys is therefore part of any clean-up.
This vulnerability affects all on-premises SharePoint servers (SharePoint Server 2016, 2019 and Subscription Edition are the supported versions); SharePoint Online in Microsoft 365 is not affected.
Impact
The impact of this vulnerability is high: an attacker gains remote code execution on the SharePoint server, running as the IIS worker process, without authentication or user interaction. Because SharePoint servers are typically domain-joined and run under privileged service accounts, a compromised server is a strong foothold for lateral movement into the rest of the environment.
Risk
No patch is available and exploitation is ongoing at scale, so the risk of being attacked is high.
Mitigation
Microsoft has not yet issued a patch. According to Microsoft, the attack chain is blocked by enabling the AMSI integration in SharePoint and installing Defender Antivirus on the SharePoint server(s) [1]; AMSI lets the antivirus inspect the incoming request before SharePoint processes it. However, given the urgency of the situation and the expectation that a patch will follow soon, we recommend taking the SharePoint servers offline by blocking inbound network access from the internet, if that is operationally sustainable until a patch is available. Once a patch has been installed, also rotate the ASP.NET machine keys of the SharePoint farm and restart IIS: keys stolen before patching still let an attacker forge signed ViewState payloads and regain code execution on a patched server.
What should you do?
We recommend taking on-premises SharePoint offline until a patch is available. Furthermore, make sure that Defender Antivirus and Microsoft Defender for Endpoint (for Northwave MDR customers) or another EDR product are installed, to help detect and block exploitation and post-exploitation activity. Investigate the SharePoint server(s) for successful exploitation using the IoCs published by Eye [2] and the hunting query published by Microsoft [1]. Keep in mind that Microsoft's query only works for servers onboarded to Microsoft Defender for Endpoint. Otherwise, search manually for the file spinstall0.aspx, which is written to the SharePoint LAYOUTS directory on successful exploitation (see [1]), and check the IIS logs for POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, the request pattern Eye observed in the attacks [2]. Treat a server on which either is found as fully compromised: the web shell ran as the IIS worker process and the stolen machine keys remain usable until they are rotated.
So, in summary:
- Disconnect on-premises SharePoint servers from the internet if possible
- Check for signs of compromise: the published attacker IP addresses, POSTs to ToolPane.aspx with a SignOut.aspx Referer in the IIS logs, and creation of the file spinstall0.aspx
- Keep the servers offline until a patch is released and installed, if possible
- Make sure the servers are onboarded to your EDR, and have Defender AV with the AMSI integration enabled
- After patching, rotate the ASP.NET machine keys of the farm and restart IIS
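The manual checks from the list above, as an added example that is not part of the original Threat Response, of Microsoft's hunting query or of Eye's tooling. It parses an IIS W3C log (the sample lines are constructed; the parser keys values by the #Fields header so it tolerates a different field set), flags the ToolPane.aspx/SignOut.aspx request pattern and any request for the web shell, and filters a list of file paths for spinstall0.aspx. The regexes and rule names are this example's own; matching spinstall with any numeric suffix is a defensive assumption beyond the single file name the page gives.

```python
import os
import re

# Constructed IIS W3C log excerpt (sample input, not a real log). The field order comes
# from the #Fields header; real sites may log a different field set, which the parser
# handles because it keys every value by the header names.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:10:03 10.0.0.5 GET /SitePages/Home.aspx - 443 CORP\\jdoe 192.0.2.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/ 200 0 0 120
2025-07-18 22:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 310
2025-07-18 22:15:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2025-07-18 22:30:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\spadmin 192.0.2.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/15/settings.aspx 200 0 0 200
"""

TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx", re.IGNORECASE)
# The page names spinstall0.aspx; matching any numeric suffix is a defensive assumption.
WEBSHELL_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)


def parse_iis_log(lines):
    """Yield one dict per request, keyed by the names in the most recent #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misassign fields
        yield dict(zip(fields, values))


def scan_iis_log(lines):
    """Return findings for the exploitation request pattern and for web-shell access.

    Rules, from most to least specific:
      webshell_request          any request for spinstall*.aspx
      toolpane_signout_referer  POST to ToolPane.aspx with DisplayMode=Edit and a
                                Referer of /_layouts/SignOut.aspx (the observed chain)
      toolpane_unauthenticated  other unauthenticated POSTs to ToolPane.aspx (weaker)
    An authenticated editor posting to ToolPane.aspx from a normal page is not flagged."""
    findings = []
    for rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        method = rec.get("cs-method", "").upper()
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        basename = stem.rsplit("/", 1)[-1]
        rule = None
        if WEBSHELL_RE.match(basename):
            rule = "webshell_request"
        elif method == "POST" and TOOLPANE_RE.search(stem):
            if "displaymode=edit" in query.lower() and SIGNOUT_RE.search(referer):
                rule = "toolpane_signout_referer"
            elif user == "-":
                rule = "toolpane_unauthenticated"
        if rule:
            findings.append({
                "rule": rule,
                "time": f"{rec.get('date')} {rec.get('time')}",
                "client_ip": rec.get("c-ip"),
                "status": rec.get("sc-status"),
                "request": f"{method} {stem}" + (f"?{query}" if query != "-" else ""),
            })
    return findings


def attacker_ips(findings):
    """Client IPs behind the high-confidence rules, for blocking and for pivoting in other logs."""
    strong = {"webshell_request", "toolpane_signout_referer"}
    return sorted({f["client_ip"] for f in findings if f["rule"] in strong})


def flag_webshell_paths(paths):
    """Filter an iterable of file paths (Windows or POSIX separators) down to web-shell names."""
    return [p for p in paths if WEBSHELL_RE.match(re.split(r"[\\/]", p)[-1])]


def walk_for_webshell(roots):
    """Walk directories on disk (e.g. the SharePoint TEMPLATE\\LAYOUTS folders) for the web shell."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            found.extend(flag_webshell_paths(os.path.join(dirpath, f) for f in files))
    return found


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG.splitlines())
    for hit in hits:
        print(hit)
    print("attacker IPs:", attacker_ips(hits))
```

On the constructed sample the unauthenticated POST from 198.51.100.9 with the SignOut.aspx Referer and the follow-up request for spinstall0.aspx are flagged, while the administrator's authenticated POST to ToolPane.aspx from the site settings page is not. Feed it all IIS log files for the exposed web applications, and point walk_for_webshell at the LAYOUTS folders under the 15 and 16 web server extensions directories; a 200 response on the flagged POST is a strong sign the chain succeeded, but absence of spinstall0.aspx does not clear the server, since an attacker can delete the shell after reading the keys.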
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. For Northwave MDR customers, we will perform hunting queries to detect exploitation.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources