CISA Orders Emergency Patching After SharePoint Exploit by Nation-State Hackers
A newly exploited Microsoft SharePoint vulnerability, tracked as CVE-2025-53770, has prompted immediate action from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability gives attackers the ability to run malicious code and gain unauthorized access to sensitive systems.
Security researchers have linked the attacks to Chinese state-backed groups. These actors are using an exploit chain known as “ToolShell,” which builds on older flaws (CVE-2025-49704 and CVE-2025-49706) that were previously patched. The attackers now bypass those earlier patches to take full control of compromised servers.
How the Exploit Works
The hackers inject harmful code into SharePoint components. This lets them impersonate users, install backdoors, and steal credentials. One technique involves a file named “debug.js,” which hides malicious communication behind a common filename. This method helps the attackers avoid detection and stay inside networks longer.
Microsoft’s Response
Microsoft issued out-of-band updates for several SharePoint versions: Subscription Edition, SharePoint 2019, and SharePoint 2016. However, updating is just one part of the fix. Administrators also need to rotate ASP.NET machine keys and restart IIS to block the reuse of stolen tokens.
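One way to confirm that the key rotation described above reached every server, shown as an added example that is not code from Microsoft, CISA, or the original article. It assumes you saved a copy of each server's web.config before rotating and that the keys sit in the standard ASP.NET machineKey element; the server names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def sample_config(validation_key, decryption_key):
    """Build a constructed web.config fragment; the key values are fake placeholders."""
    return (f'<configuration><system.web><machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" validation="HMACSHA256" />'
            '</system.web></configuration>')

def key_fingerprints(web_config_xml):
    """Return truncated SHA-256 fingerprints of the key attributes, never the keys."""
    node = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if node is None:
        return None
    return {a: hashlib.sha256(node.get(a, "").encode()).hexdigest()[:16] for a in KEY_ATTRS}

def rotation_status(before_xml, after_xml):
    """Compare one server's pre-rotation config with its current config."""
    before, after = key_fingerprints(before_xml), key_fingerprints(after_xml)
    if before is None or after is None:
        return "NO_MACHINEKEY"
    unchanged = [a for a in KEY_ATTRS if before[a] == after[a]]
    if not unchanged:
        return "ROTATED"
    if len(unchanged) == len(KEY_ATTRS):
        return "NOT_ROTATED"
    return "PARTIAL:" + ",".join(unchanged)

def audit_farm(snapshot, current):
    """Map each server to its status; a server absent from `current` is flagged."""
    return {name: rotation_status(xml, current[name]) if name in current else "MISSING"
            for name, xml in snapshot.items()}

# Constructed sample data: three hypothetical farm servers, fake key values.
SNAPSHOT = {s: sample_config("AAAA1111", "BBBB2222") for s in ("WFE01", "WFE02", "APP01")}
CURRENT = {
    "WFE01": sample_config("CCCC3333", "DDDD4444"),  # both keys replaced
    "WFE02": sample_config("AAAA1111", "BBBB2222"),  # still on the old keys
    "APP01": sample_config("CCCC3333", "BBBB2222"),  # decryption key not replaced
}

if __name__ == "__main__":
    for server, status in audit_farm(SNAPSHOT, CURRENT).items():
        print(f"{server}: {status}")
```

Any server that does not report ROTATED can still accept tokens signed with the old keys, so it needs the rotation and IIS restart repeated before the farm is considered remediated.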
Action Required by Agencies
CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging agencies to act quickly. While enabling Antimalware Scan Interface (AMSI) can help detect threats, it’s not enough on its own. Full remediation is essential to stop further intrusions.
Why This Matters
This incident highlights how threat actors continue to target collaboration platforms like SharePoint. These systems often contain important documents and user data, making them attractive targets.
Organizations should not delay. Applying the full set of fixes—patching, key rotation, and service restarts—is the best way to prevent future breaches and avoid regulatory fallout.