Explainer: What You Need to Know About the Microsoft SharePoint Zero-Day Breach

What happened?
Critical vulnerabilities in Microsoft SharePoint Server, discovered by the Vietnamese firm Viettel Cyber Security (VCS), were later confirmed to have been exploited in real-world attacks.

Who discovered the flaws?
The vulnerabilities were uncovered by VCS researcher Dinh Ho Anh Khoa, who demonstrated them during the Pwn2Own Berlin 2025 hacking competition on May 16.

What were the vulnerabilities?
Two key flaws, now tracked as CVE-2025-49706 (an authentication bypass, classed by Microsoft as a spoofing vulnerability) and CVE-2025-49704 (a code-injection remote code execution flaw), were chained so that an unauthenticated attacker could reach the vulnerable page, execute code on the server, and drop a web shell on unpatched SharePoint servers.

How serious is it?
Very. Exploitation gives the attacker code execution in the SharePoint web application's worker process. Worse, the attacks seen in the wild used that access to read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys an attacker can craft signed __VIEWSTATE payloads that the server accepts as legitimate, so they keep code execution even after the patch is installed. Patching alone does not evict them; the keys must also be rotated.

When did Microsoft respond?
Microsoft released patches for the vulnerabilities on July 8, 2025, as part of its Patch Tuesday update.

Were the patches enough?
Not entirely. The July 8 fixes could be bypassed. On July 19, Microsoft confirmed that variants of the two flaws, tracked as CVE-2025-53770 (remote code execution) and CVE-2025-53771 (authentication bypass), were being actively exploited against on-premises SharePoint servers, and it followed with out-of-band updates for the supported versions.

What’s under attack?
Only on-premises SharePoint Server installations are affected. SharePoint Online, part of Microsoft 365, is not vulnerable.

What has Viettel Cyber Security done?
VCS issued early warnings, released detection tools and hunting guidelines, and continues to support organizations in mitigating the threat.

What should organizations do now?
For supported versions (SharePoint Server 2016, 2019, and Subscription Edition), admins should, in this order:

  • Apply the July 2025 out-of-band security updates that address CVE-2025-53770 and CVE-2025-53771; the July 8 Patch Tuesday release alone is not sufficient.
  • After patching, rotate the ASP.NET machine keys on every server in the farm and restart IIS. Keys stolen before the patch remain valid until they are rotated.
  • Enable the Antimalware Scan Interface (AMSI) integration in Full Mode, backed by an AMSI-capable antivirus such as Microsoft Defender Antivirus.
  • If AMSI cannot be enabled, disconnect the server from the internet until it is patched.
  • Put a web application firewall or an authenticating reverse proxy in front of any server that must remain reachable from outside.
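The steps above, carried out from the SharePoint Management Shell on each server. This is an added example written for this explainer, not a script from Microsoft or from VCS. It assumes the July 2025 security update is already installed, that it runs as a farm administrator, and that the installed build provides the Update-SPMachineKey cmdlet; the ordering (confirm build, rotate keys, restart IIS, check the antivirus that backs AMSI) is the point of the example.

```powershell
# Added example, not Microsoft's or VCS's code. Run in the SharePoint Management
# Shell as a farm administrator on each SharePoint server, after the July 2025
# security update has been installed. Assumes Update-SPMachineKey is available
# on the installed build.
#Requires -RunAsAdministrator

# 1. Record the farm build so the patch level can be checked against the fixed
#    builds in Microsoft's advisory before anything else is done. Rotating keys
#    on an unpatched farm only buys time until the next request re-compromises it.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys (ValidationKey / DecryptionKey) for every
#    web application, Central Administration included. Keys copied off the box
#    before the patch still sign __VIEWSTATE payloads the server will accept, so
#    skipping this step leaves the attacker's persistence path open.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 3. Restart IIS on this server so the worker processes load the new keys and
#    nothing that already ran inside w3wp.exe survives in memory. Repeat the
#    restart on every server in the farm.
& "$env:SystemRoot\System32\iisreset.exe"

# 4. SharePoint's AMSI integration only scans requests if an AMSI-capable
#    antivirus engine is active on the host. Surface the Defender state so the
#    administrator can confirm it (or another AMSI provider) is really on.
$mp = Get-MpComputerStatus
Write-Host "Defender running mode: $($mp.AMRunningMode); real-time protection: $($mp.RealTimeProtectionEnabled)"
if (-not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender real-time protection is off. Confirm another AMSI-capable engine is registered, or disconnect this server from the internet until AMSI scanning is in place."
}
```

Run it on each server in the farm rather than once; the key rotation is farm-wide, but the IIS restart and the antivirus check are per host.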

What about older SharePoint versions?
SharePoint 2010 and 2013 are out of support and will not receive fixes, so organizations still running them should:

  • Isolate the systems from the internet.
  • Block requests to ToolPane.aspx under /_layouts/ at the proxy or firewall; the attack posts to that page.
  • Monitor the LAYOUTS directory for new .aspx files and review IIS logs for POST requests to ToolPane.aspx, especially ones whose Referer is SignOut.aspx.
  • Plan a migration to a supported platform.
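The monitoring step above, as an added example that is not part of the original article or of any VCS or Microsoft tooling. It applies equally to supported versions, where it is a useful check that the patch arrived before the attackers did. It assumes IIS logging in the default W3C format with the cs(Referer) field enabled; the log lines embedded below are constructed for the demonstration and stand in for a real log under C:\inetpub\logs\LogFiles\W3SVC*\. The web-shell file name spinstall0.aspx is the one publicly reported for this campaign.

```powershell
# Added example, not code from the article, Microsoft or VCS.
# Hunts IIS W3C logs for the ToolPane.aspx request pattern and checks the
# SharePoint LAYOUTS directories for dropped .aspx files.

function Find-ToolShellRequests {
    param([string[]]$LogLines)

    $fields = @()
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; every later row follows this order.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }

        $cols = $line -split ' '
        if ($cols.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $isToolPane  = $row['cs-uri-stem'] -match '(?i)/_layouts/(15/|16/)?ToolPane\.aspx$'
        $isEditMode  = $row['cs-uri-query'] -match '(?i)DisplayMode=Edit'
        $signOutRef  = $row['cs(Referer)'] -match '(?i)/_layouts/(15/|16/)?SignOut\.aspx'
        $anonymous   = $row['cs-username'] -eq '-'

        if ($row['cs-method'] -ne 'POST' -or -not $isToolPane) { continue }

        # A SignOut.aspx Referer on a ToolPane POST is the authentication-bypass
        # signature and is high confidence. An anonymous edit-mode POST that got
        # a 200 is also worth a look; authenticated editors hit this page legitimately.
        $reason = $null
        if ($signOutRef) { $reason = 'HIGH: POST ToolPane.aspx with SignOut.aspx referer' }
        elseif ($isEditMode -and $anonymous -and $row['sc-status'] -eq '200') { $reason = 'REVIEW: anonymous POST ToolPane.aspx DisplayMode=Edit returned 200' }
        if (-not $reason) { continue }

        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            ClientIp = $row['c-ip']
            User     = $row['cs-username']
            Uri      = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
            Referer  = $row['cs(Referer)']
            Status   = $row['sc-status']
            Reason   = $reason
        }
    }
}

function Find-SuspiciousLayoutsFiles {
    # Flags the reported web-shell name and any .aspx written after $Since.
    # After the patch is installed, legitimate LAYOUTS files are touched too, so
    # compare the second group against the update's install time before acting.
    param([datetime]$Since = (Get-Date '2025-07-18'))
    $roots = @(
        (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'),
        (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS')
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'spinstall*.aspx' -or $_.LastWriteTime -ge $Since } |
            Select-Object FullName, LastWriteTime, Length
    }
}

# Constructed sample log (not a real capture). Line 1 is the exploit pattern,
# line 2 the follow-up fetch of the dropped shell, lines 3-4 are benign traffic.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 612
2025-07-18 22:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 31
2025-07-18 22:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.0.42 Mozilla/5.0 https://sp.contoso.local/SitePages/Home.aspx 200 0 0 140
2025-07-18 22:16:00 10.0.0.5 GET /SitePages/Home.aspx - 443 CONTOSO\jdoe 10.0.0.42 Mozilla/5.0 - 200 0 0 88
'@ -split "`r?`n"

# Only the first sample line is reported; the authenticated editor on line 3 is not.
Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize

# On a real server, read the actual logs and also check the disk:
# Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' | Find-ToolShellRequests -LogLines { $_ }
Find-SuspiciousLayoutsFiles | Format-Table -AutoSize
```

A hit on the SignOut.aspx referer means the authentication bypass was attempted against that server; treat any 200 response as a compromise to be investigated, which includes assuming the machine keys are stolen and rotating them even if no web shell is found on disk.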

Has VCS done this before?
Yes. Viettel Cyber Security has previously reported high-risk vulnerabilities in products from global tech firms such as Microsoft, Oracle, Nvidia, Canon, and QNAP.

What are experts saying?
Security professionals emphasize the need for layered defenses and proactive patching. The Zero Day Initiative recognized VCS for its responsible disclosure and impact at Pwn2Own Berlin 2025.

Why does it matter?
With attackers already exploiting the vulnerabilities in the wild, organizations that delay mitigation remain at high risk for data breaches and system compromises.

What’s next?
VCS encourages security teams to use endpoint detection and response, intrusion prevention systems, and continuous log analysis. Technical resources, including a detailed blog post from Khoa, have been made publicly available to assist defenders.

Bottom line:
These SharePoint vulnerabilities highlight the need for organizations to stay vigilant, patch quickly, rotate secrets that may already have been stolen, and collaborate with security researchers to defend against escalating cyber threats.

Discover more from TBC News