Threat Response – Microsoft SharePoint Zero-Day Vulnerability - Update
Dutch follows English
On June 17 2025, Citrix published an advisory regarding two vulnerabilities [1]. Two critical vulnerabilities in NetScaler ADC and NetScaler Gateway appliances allow attackers to gain unauthorized access to certain parts of the system and lead to an Out-of-bounds Read. We previously emailed you about these vulnerabilities and the advice to apply the patch quickly. Since then, these vulnerabilities have been abused at scale both by nation-state actors and by other actors. If you did not patch in time, you can assume your devices have been compromised and you should act accordingly.
Description
On June 17, Citrix published on the vulnerabilities in their products and made patches available. As early as June 20, a threat actor that is presumably a Chinese nation-state actor started exploiting the vulnerability in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, that enabled everybody to develop exploits and scanners. Since then, numerous actors have exploited the vulnerability, and threat intel providers have used this exploitation to retro-actively spot exploitation prior to July 4, resulting in the intelligence on Chinese actors.
Impact
The impact of this vulnerability is high: it allows attackers to obtain valid session tokens and hijack existing sessions, or setup new sessions with the privileges of the users associated with the stolen tokens. Exploitation is not trivial but not too hard either.
Risk
If you did not patch your vulnerable Netscalers prior to July 4, you should assume they have been compromised. If you did not patch your vulnerable Netscalers prior to June 20 and you are potentially of interest to Chinese nation state actors, you should investigate under the assumption of compromise.
Mitigation
Follow the patching advice previously described in our TR [3].
What should you do?
If you have not patched your vulnerable Netscaler devices yet, we recommend taking them offline directly and investigating compromise of the devices and the IT they give access to. The likelihood of compromise is high at this point, and attackers who gain access through these Netscaler devices will most likely have access to systems behind that for some time now.
If you patched after June 20, we recommend that you investigate your logs for signs of compromise using published indicators [4]. Additionally, you can search for a mismatch between the IP address that started a user session and the IP address from which user sessions were used. This mismatch is an indication of a session being hijacked by an attacker.
If you spot anomalies in IP addresses in this way, or if you find signs of compromise using the recommended searches [4], we recommend that you contact our CERT for an investigation into a possible breach.
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f
[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
Disclaimer applies, see below.
Sources
[2]: https://advisories.ncsc.nl/advisory?id=NCSC-2025-0204
This is an update to our Threat Response sent on the 20th of July regarding a zero-day vulnerability (CVE-2025-53770) in Microsoft SharePoint.
In addition to our previous Threat Response, we want to bring your attention to a number of developments.
CVE-2025-53771
In addition to CVE-2025-53770 communicated yesterday, Microsoft has also released information on a new SharePoint vulnerability, tracked under CVE-2025-53771 [1], which could allow an unauthorized attacker to perform spoofing over the network. This vulnerability is closely related to a previous vulnerability (CVE-2025-49706 [2]). This new vulnerability affects Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition.
Release of security updates
Microsoft has released security updates for Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition [3] to mitigate CVE-2025-53770 as well as CVE-2025-53771.
We recommend installing the security updates immediately. In addition to installing the update, we also recommend you to closely follow the steps provided by Microsoft in [3], which includes a rotation of the SharePoint Server ASP.NET machine keys.
The security updates for the products can be found here:
- Microsoft SharePoint Server Subscription Edition: https://www.microsoft.com/en-
us/download/details.aspx?id= 108285 - Microsoft SharePoint Server 2019: https://www.microsoft.com/en-
us/download/details.aspx?id= 108286
As security updates for Microsoft SharePoint Server 2016 are not yet available at the time of writing, our recommendation remains the same as communicated in the previous Threat Response:
- Disconnect on-premises SharePoint servers from the internet if possible
- Check for signs of compromise using IP addresses and creation of the file
spinstall0.aspx(see [4]) - Keep the servers offline until an update is released and installed, if possible
- Make sure the servers are enrolled in your EDR, and have Defender AV with AMSI configured
If you have an indication that your system may be compromised, please call our CERT on the following number: 00800 1744 0000.
What will Northwave do?
Based on available threat intelligence we have developed multiple detection rules for MDR customers using ESET and MDE. Those customers will be actively informed of signs of exploitation.
We will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://msrc.microsoft.com/
[2]: https://research.eye.security/
Dit is een update op onze Threat Response van 20 juli over een kritieke zero-day kwetsbaarheid (CVE-2025-53770) in Microsoft SharePoint.
Naast onze eerdere Threat Response willen we uw aandacht vestigen op een aantal nieuwe ontwikkelingen rond deze kwetsbaarheid.
CVE-2025-53771
Microsoft heeft naast CVE-2025-53770 informatie uitgebracht over een nieuwe kwetsbaarheid in SharePoint met kenmerk CVE-2025-53771 [1], welke het mogelijk maakt voor een ongeauthenticeerde gebruiker om spoofing uit te voeren over het netwerk. Deze kwetsbaarheid is nauw verband aan een eerdere kwetsbaarheid (CVE-2025-49706 [2]). Deze nieuwe kwetsbaarheid is aanwezig in Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2019 en Microsoft SharePoint Server Subscription Edition.
Uitgave van security updates
Microsoft heeft security updates vrijgegeven voor Microsoft SharePoint Server 2019 en Microsoft SharePoint Server Subscription Edition [3] om zowel CVE-2025-53770 als CVE-2025-53771 te verhelpen.
Wij raden aan om deze security updates onmiddelijk toe te passen. Naast het toepassen van de security updates raden wij ook aan om de stappen van Microsoft te volgen zoals beschreven in [3], welke ook stappen bevat voor het uitwisselen van SharePoint Server ASP.NET machinesleutels.
De security updates voor de SharePoint producten kunnen gevonden worden via onderstaande links:
- Microsoft SharePoint Server Subscription Edition: https://www.microsoft.com/en-
us/download/details.aspx?id= 108285 - Microsoft SharePoint Server 2019: https://www.microsoft.com/en-
us/download/details.aspx?id= 108286
Omdat security updates voor Microsoft SharePoint Server 2016 nog niet beschikbaar zijn op het moment van schrijven, blijft ons advies hetzelfde als gecommuniceerd in de vorige Threat Response:
- Koppel on-premises SharePoint-servers los van het internet, indien mogelijk
- Controleer op indicaties van succesvolle exploitatie, zoals specifieke IP-adressen en aanmaak van het bestand
spinstall0.aspx(zie [4]) - Houd servers offline totdat een patch is uitgebracht én geïnstalleerd, indien mogelijk
- Zorg dat servers zijn gekoppeld aan uw EDR-oplossing en dat Defender AV met AMSI is geconfigureerd
Als u een indicatie heeft dat uw systeem mogelijk is gehackt, bel dan ons CERT op het nummer: 00800 1744 0000
Wat doet Northwave?
Op basis van beschikbare threat intelligence hebben wij meerdere detectieregels voor MDR klanten op basis van ESET en Microsoft Defender for Endpoint ontwikkeld. Klanten met deze producten zullen worden geïnformeerd bij tekenen van exploitatie.
Wij houden de ontwikkelingen omtrent deze kwetsbaarheden in de gaten. Als er nieuwe kritieke informatie beschikbaar komt, nemen wij contact met je op. Je kunt ons ook bellen of mailen als je aanvullende informatie wenst.
E-mail: soc@northwave-cybersecurity.
Heeft u nu een incident? Bel ons Incident Response Team: 00800 1744 0000
Disclaimer is van toepassing, zie onder.
Bronnen
[1]: https://msrc.microsoft.com/