News: 1753056808

Microsoft patches failed to fix on-prem SharePoint, which is now under zero-day attack

(2025/07/21)


Infosec In Brief Microsoft has warned users of SharePoint Server that three on-prem versions of the product include a zero-day flaw that is under attack – and that its own failure to completely fix past problems is the cause.

In a July 19 [1]security note, the software giant admitted it is “… aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

The attack targets [2]CVE-2025-53770, a flaw rated 9.8/10 on the CVSS scale and described as “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.”

The US Cybersecurity and Infrastructure Security Agency (CISA) [4]advises CVE-2025-53770 is a variant of [5]CVE-2025-49706, a 6.3-rated flaw that Microsoft tried to fix in its most recent [6]patch Tuesday update.

The flaw is present in SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. At the time of writing, Microsoft has issued a patch for only the last of those products.

That patch addresses a different vulnerability, the 6.3-rated path traversal flaw [9]CVE-2025-53771, and mitigates both that flaw and the more dangerous CVE-2025-53770. While admins wait for more patches, Microsoft advised them to ensure the Windows Antimalware Scan Interface (AMSI) is enabled and configured correctly, alongside an appropriate antivirus tool. Redmond also wants users to watch for suspicious IIS worker processes, and rotate SharePoint Server ASP.NET machine keys.

CISA has also [11]issued its own warning. "Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025," [12]it said. "Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit."
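
One way to apply CISA's two checks to IIS W3C logs, as an added example that is not from Microsoft, CISA or the article. The log lines are constructed sample data, the benign addresses are documentation ranges, and the function name and reason labels are illustrative.

```python
"""Triage IIS W3C logs against the CISA indicators quoted in the article."""

# Indicators as quoted from CISA above (IPs re-fanged for matching).
CISA_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE = "/_layouts/15/toolpane.aspx"
WINDOW = ("2025-07-18", "2025-07-19")  # ISO dates compare correctly as strings

# Constructed sample log; the field list is an assumption, real files vary.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-17 09:12:01 GET /_layouts/15/start.aspx - 198.51.100.7 200
2025-07-18 18:06:44 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 200
2025-07-19 02:31:10 GET /sites/hr/default.aspx - 96.9.125.147 302
2025-07-21 11:00:00 POST /_layouts/15/toolpane.aspx DisplayMode=Edit 203.0.113.9 401
""".splitlines()


def scan_iis_log(lines):
    """Return [(reasons, record)] for every request matching an indicator."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split(" ")))
        reasons = []
        if rec.get("c-ip") in CISA_IPS:
            reasons.append("cisa-ip")
        # IIS matches paths case-insensitively, so compare lowercased.
        stem = rec.get("cs-uri-stem", "").lower()
        params = rec.get("cs-uri-query", "").lower().split("&")
        if (rec.get("cs-method") == "POST" and stem == TOOLPANE
                and "displaymode=edit" in params):
            reasons.append("toolpane-post")
        if reasons and WINDOW[0] <= rec.get("date", "") <= WINDOW[1]:
            reasons.append("in-window")  # CISA's priority dates
        if reasons:
            hits.append((reasons, rec))
    return hits


if __name__ == "__main__":
    for reasons, rec in scan_iis_log(SAMPLE_LOG):
        print(",".join(reasons), rec["date"], rec["c-ip"], rec["cs-uri-stem"])
```

A match outside the July 18-19 window is still reported, since CISA flags those dates as a priority rather than a cut-off.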

EFF warns Ring has reversed home CCTV privacy pledge

The Electronic Frontier Foundation has warned that Amazon’s Ring security camera business will allow law enforcement agencies to access its devices.

"Not only is the company reintroducing new versions of old features which would allow police to request footage directly from Ring users, it is also introducing a new feature that would allow police to request live-stream access to people’s home security devices," [13]warned the EFF last week. "This is a bad, bad step for Ring and the broader public."

In 2024 Ring [14]promised to discontinue an option that allowed law enforcement agencies to request video footage without a warrant.

The outfit’s policy reversal appears to coincide with the return of founder Jamie Siminoff, who [15]left the biz after accepting police requests to hand over footage without a user's consent.

According to a [17]Business Insider report, Ring now plans to go all-in on AI. “We fear that this may signal the introduction of video analytics or face recognition to an already problematic surveillance device,” the EFF wrote.

[18]'I nearly died after flying thousands of miles to install a power cord for the NSA'

[19]Google sues 25 alleged BadBox 2.0 botnet operators, all of whom are in China

[20]Meta declines to abide by voluntary EU AI safety guidelines

[21]Microsoft offers vintage Exchange and Skype server users six more months of security updates

China upgrades smartphone surveillance-ware

The Chinese government is installing malware capable of tracking GPS location data, SMS messages, images, audio, contacts and phone services on smartphones owned by some visitors to the country.

According to the latest report from security shop Lookout, Middle Kingdom security inspectors install surveillance code on handsets carried by visitors. Once present, the code gives Beijing the ability to monitor content on devices, and – if connected to a PC running a companion program – extract data.

"These tools can pose a risk to enterprise organizations with executives and employees that travel abroad - especially to countries with border patrol policies that allow them to confiscate mobile devices for a short period of time upon entry," Lookout [22]warned.

"In 2024, the Ministry of State Security introduced new legislation that would allow law enforcement personnel to collect and analyze devices without a warrant."

Microsoft shuns Chinese talent

Microsoft will no longer use Chinese engineers to work on US Department of Defense computer systems, raising the question of how many Beijing-linked staff have accessed US systems.

A [23]report by the respected nonprofit investigative journalism site ProPublica last week found Redmond has employed tech support workers based in China to manage DoD systems, with very little oversight.

The report claims that Microsoft works with a contractor called “Insight Global” that hires the workers, some of whom have Chinese military backgrounds.

Secretary of Defense Pete Hegseth [24]announced an investigation after publication of the report.

"In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services," [25]said Microsoft spokesperson Frank Shaw.

"We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed."

So that's all right then. ®



[1] https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-CVE-2025-53770/

[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770

[4] https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-CVE-2025-53770

[5] https://www.CVE.org/CVERecord?id=CVE-2025-49706

[6] https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/

[9] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771

[11] https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-CVE-2025-53770

[12] https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-CVE-2025-53770

[13] https://www.eff.org/deeplinks/2025/07/amazon-ring-cashes-techno-authoritarianism-and-mass-surveillance

[14] https://www.theregister.com/2024/01/25/amazon_ring_sounds_death_knell/

[15] https://www.theregister.com/2019/11/20/ring_police_spying/

[17] https://www.businessinsider.com/amazon-ring-founder-mode-jamie-siminoff-crime-fighting-roots-2025-7

[18] https://www.theregister.com/2025/07/18/on_call/

[19] https://www.theregister.com/2025/07/17/google_sues_25_unnamed_chinese/

[20] https://www.theregister.com/2025/07/18/meta_declines_eu_ai_guidelines/

[21] https://www.theregister.com/2025/07/17/microsoft_extended_security_exchange_skype_server/

[22] https://www.lookout.com/threat-intelligence/article/massistant-chinese-mobile-forensics

[23] https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers

[24] https://x.com/PeteHegseth/status/1946226166282527037?s=19

[25] https://x.com/fxshaw/status/1946299139068965008?s=46.



Guy I know

DS999

Had a neighbor install a Ring camera - directly across the street and the house is up on a hill so it is basically aimed directly at his older daughter's bedroom upstairs! He set up a laser (I assume IR so it isn't something visible, I didn't ask) aimed precisely at its camera pinhole. Saw the neighbor messing with it so he turned off the laser then turned it back on the next day. Didn't see the neighbor out there anymore, he figures the guy probably assumes its camera is broken but still works as a doorbell.

I don't think what he did should even be illegal. If it is your right to point a camera directly at my house, it should be my right to point a laser at yours. If Ring cameras had shallow depth of field so they'd only focus on, you know, people at your door I don't think people would have an objection to it. But it is a pretty deep and wide field and unnecessarily high resolution for a "doorbell" camera, so it is providing far better surveillance of the house/houses across the street than your own house. I get that you should have the right to surveil your own property but you shouldn't have the right to surveil mine - and/or I should have the right to prevent that surveillance without going so far as to have a 15' fence in front of my house (not that most cities would allow that anyway)

Sharepoint

Tim99

Why do people use it? A genuine question.

I'm retired but work as a volunteer, assessing about a dozen organizations a year. Part of the assessment is checking documentation, some of which goes back over several years. Whenever I see SharePoint, staff often have trouble finding a random document that I ask for. The people who seem to be able to find stuff quickly apparently remember where it's stored - Others not so good. Add to that systems being served from a remote location (not in the same building, city, or State) it can take minutes to retrieve stuff. Is it just badly configured, staff not adequately trained, or the normal Microsoft cruft?

Re: Sharepoint

Yorick Hunt

"Is it just badly configured, staff not adequately trained, or the normal Microsoft cruft?"

Once upon a time, Microsoft found a piece of string and discovered that if they added some sticky tape to it, they could sell it for a profit.

Since then, tonnes of sticky tape and even more string have been added to the "product," to the point where not even their most experienced programmers (which these days means they've worked at Microsoft for all of three months) can figure out what the "product" does.

So of course, they just keep piling more on, to preserve the perceived value they've brainwashed their customers into believing.

Vendor no longer supports the product