Analysis Report
MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities
Release Date: August 6, 2025
Alert Code: AR25-218A
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:CLEAR. Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
CISA received six files related to Microsoft SharePoint vulnerabilities: CVE-2025-49704 [CWE-94: Code Injection], CVE-2025-49706 [CWE-287: Improper Authentication], CVE-2025-53770 [CWE-502: Deserialization of Untrusted Data], and CVE-2025-53771 [CWE-287: Improper Authentication]. According to Microsoft, cyber threat actors have chained CVE-2025-49706, a network spoofing vulnerability, and CVE-2025-49704, a remote code execution (RCE) vulnerability, in an exploit chain named "ToolShell" to gain unauthorized access to on-premises SharePoint servers. Microsoft has not confirmed exploitation of CVE-2025-53771; however, CISA assesses that exploitation is likely, because it can be chained with CVE-2025-53770 to bypass the previously disclosed vulnerabilities CVE-2025-49704 and CVE-2025-49706.
The analysis covers two Base64-encoded .NET dynamic-link library (DLL) binaries and four Active Server Pages Extended (ASPX) files. The decoded DLLs are designed to retrieve the machine key settings from the ASP[.]NET application configuration and add the retrieved machine key values to the Hypertext Transfer Protocol (HTTP) response headers.
The first ASPX file retrieves and outputs the machine key information from the ASP[.]NET application's configuration. The next ASPX file contains command-line instructions for executing a PowerShell command. The PowerShell command is designed to Base64-decode a malicious ASPX web shell and install it to disk. The web shell handles a range of web-related operations, including setting and retrieving HTTP cookies, executing commands, and uploading files. The remaining two ASPX web shells execute commands on the server using PowerShell.
CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this malware analysis report to identify malware samples. For more information on these CVEs, see the CISA alert "Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities".
Download the PDF version of this report:
MAR-251132.c1.v1 (PDF, 2.03 MB)
Download the IOCs associated with this MAR:
MAR-251132.c1.v1.CLEAR_stix2 (JSON, 84.95 KB)
Download the SIGMA rules associated with this MAR, available in .pdf or .yaml format:
CMA_SIGMA_251132_CVE_2025_53770_ToolShell_IOCs (PDF, 42.50 KB)
CMA SIGMA 251132 (YAML, 5.55 KB)
CMA_SIGMA_251132_1_CVE_2025_53770_ToolShell (PDF, 41.03 KB)
CMA SIGMA 251132 1 (YAML, 4.22 KB)
CMA_SIGMA_251132_2_CVE_2025_53770_ToolShell (PDF, 39.79 KB)
CMA SIGMA 251132 2 (YAML, 2.86 KB)
Submitted Files (6)
- 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 (osvmhdfl.dll)
- 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 (stage3.txt)
- 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
- 9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 (info3.aspx)
- d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170 (spinstallp.aspx)
- d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00 (spinstallb.aspx)
Additional Files (2)
- 675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc (info3.aspx)
- bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 (bjcloiyq.dll)
Findings
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7
Details
- Name stage3.txt
- Size 15893 bytes
- Type ASCII text, with very long lines
- MD5 921ac86b258fa9ea3da4c39462bad782
- SHA1 b8662c8cc9e383b4a0ac980e0fd94941fe12c31d
- SHA256 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7
- SHA512 6fd128a33e432d8fd5ea5dcf419a0b90f09648d7b4b95ceb6a5634fc01d8e0613d6d231bc038e2796f6a4d8fc277ebbea7b90ab773c0020dd2ad67149e52e4ff
- ssdeep 384:AQG6NVJiZbXhKth3s0bA2rhvhundOXz5D:AQG6NVJmbX0h3zs21vsndO
- Entropy 4.902435
- Antivirus No matches found.
YARA Rules
rule CISA_251132_01 : steals_authentication_credentials exfiltrates_data {
    meta:
        author = "CISA Code & Media Analysis"
        incident = "251132"
        date = "2025-07-21"
        last_modified = "20250724_721"
        actor = "n/a"
        family = "n/a"
        capabilities = "steals-authentication-credentials exfiltrates-data"
        malware_type = "unknown"
        tool_type = "unknown"
        description = "Detects Encoded .Net DLL samples"
        sha256_1 = "60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7"
    strings:
        $s0 = { 4E 62 32 52 6C 41 46 4E 30 63 6D 6C 75 5A 77 42 44 62 32 35 6A 59 58 51 }
        $s1 = { 41 45 41 55 77 42 30 41 48 49 41 61 51 42 75 41 47 63 41 52 67 42 70 41 }
        $s2 = { 59 58 52 76 63 6D 41 79 57 31 74 54 65 58 4E 30 5A 57 30 75 51 6E 6C 30 }
        $s3 = { 4A 7A 61 57 39 75 50 54 51 75 4D 43 34 77 4C 6A 41 73 49 45 4E 31 62 48 }
        $s4 = { 43 42 57 5A 58 4A 7A 61 57 39 75 50 54 51 75 4D 43 34 77 4C 6A 41 73 49 }
        $s5 = { 4D 54 6B 7A 4E 47 55 77 4F 44 6C 64 58 53 42 48 5A 58 52 46 62 6E 56 74 }
        $s6 = { 5A 58 4A 68 64 47 39 79 4B 43 6B 49 41 41 41 41 43 67 46 }
        $s7 = { 54 65 58 4E 30 5A 57 30 75 52 6E 56 75 59 32 41 79 57 31 }
        $s8 = { 74 54 65 58 4E 30 5A 57 30 75 51 32 39 73 62 47 56 6A 64 47 6C 76 62 6E 4D 75 52 }
    condition:
        all of them
}
SIGMA Rules
title: Detects ToolShell CVE-2025-53770 Exploitation IOCs and Activity
incident: 251133.r1
tlp: CLEAR
id: aba8967f-6613-47a8-87d1-e5d7aae31e9b
status: test
description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Previous related CVEs are CVE-2025-49706 and CVE-2025-49704. CVE-2025-53770 is a new and stealthy webshell called SharpyShell, that extracts and leaks cryptographic secrets from the SharePoint server using a simple GET request.
references:
  - https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
  - https://research.eye.security/sharepoint-under-siege/
  - https://x.com/codewhitesec/status/1944743478350557232/photo/1
  - 251132.r1
author: CISA Code & Media Analysis
date: 2025-07-21
modified: 2025-07-22
tags:
  - cve.2025.53770
logsource:
  product: cma
detection:
  keywords:
    - '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514'
    - '107.191.58.76'
    - '104.238.159.149'
    - '96.9.125.147'
    - 'Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx'
    - '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
    - 'TEMPLATE\LAYOUTS\spinstall0.aspx'
    - '/_layouts/15/ToolPane.aspx DisplayMode=Edit'
    - '/_layouts/15/spinstall0.aspx'
    - 'spinstall'
    - 'yoserial'
  keywords_1:
    - 'POST'
    - 'GET'
  keywords_2:
    - '/_layouts/15/ToolPane.aspx'
  keywords_3:
    - 'DisplayMode=Edit'
  keywords_4:
    - 'POST'
    - 'GET'
    - 'curl'
  keywords_5:
    - '/_layouts/'
    - 'layouts'
  keywords_6:
    - 'ToolPane.aspx'
    - 'SignOut.aspx'
    - 'spinstall'
    - 'info3.aspx'
  keywords_7:
    - 'HTTP'
  keywords_8:
    - 'X-TXT-NET'
  keywords_9:
    - '.exe'
  keywords_10:
    - '-ap'
  keywords_11:
    - 'SharePoint'
  keywords_12:
    - '8080'
  keywords_13:
    - '.dll'
  keywords_14:
    - 'pipe'
  keywords_15:
    - 'inetpub'
  keywords_16:
    - 'config'
  keywords_17:
    - 'ysoserial'
  keywords_18:
    - 'ViewState'
  keywords_19:
    - 'TypeConfuseDelegate'
  keywords_20:
    - 'powershell'
  keywords_21:
    - '-EncodedCommand'
  keywords_22:
    - 'BiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
    - 'base64String='
  keywords_23:
    - 'BkAGUAYwBvAGQAZQBk'
    - 'decoded'
  keywords_24:
    - 'BGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBn'
    - 'FromBase64String'
  keywords_25:
    - 'cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHg'
    - 'LuAGEAcwBwAHg'
    - 'spinstall0.aspx'
    - '.aspx'
  keywords_26:
    - 'V3JpdGUoY2cuVm'
  keywords_27:
    - 'bisifCIrY2cuRG'
  keywords_28:
    - 'mFsaW'
  condition: keywords or keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 or keywords_9 and keywords_10 and keywords_11 and keywords_12 and keywords_13 and keywords_14 and keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23 and keywords_24 and keywords_25 or keywords_26 and keywords_27 and keywords_28
falsepositives:
  - Rate of FP moderate with some strings.
  - Use this rule in an infected environment/logs.
  - Analyst may need to make adjustments to the query as required.
level: critical
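As an added example (not part of the CISA report or its tooling), the following Python evaluates a subset of the keyword groups from the rule above over constructed log lines and shows how Sigma's and-before-or precedence groups the condition. The sample lines and the placeholder X-TXT-NET value are constructed, not real traffic.

```python
"""Added example (not CISA's tooling): evaluate a subset of the rule's keyword
groups over constructed log lines, honouring Sigma's operator precedence."""

# Keyword groups copied from the rule above. A Sigma keyword group fires when
# ANY of its keywords occurs in the line as a case-insensitive substring (so
# 'GET' also fires on words like 'target', one source of the rule's FP rate).
GROUPS = {
    "keywords_1": ["POST", "GET"],
    "keywords_2": ["/_layouts/15/ToolPane.aspx"],
    "keywords_3": ["DisplayMode=Edit"],
    "keywords_7": ["HTTP"],
    "keywords_8": ["X-TXT-NET"],
}

def group_hits(line):
    """Names of the keyword groups that fire on this line."""
    low = line.lower()
    return {name for name, kws in GROUPS.items()
            if any(kw.lower() in low for kw in kws)}

def matches(line):
    """Sigma binds 'and' tighter than 'or', so the condition fragment
    'keywords_1 and keywords_2 and keywords_3 or keywords_7 and keywords_8'
    reads (k1 and k2 and k3) or (k7 and k8): a ToolPane.aspx request in
    edit mode, or a response carrying the X-TXT-NET header that the decoded
    DLLs use to return the machine keys."""
    hits = group_hits(line)
    toolpane = {"keywords_1", "keywords_2", "keywords_3"} <= hits
    leak_header = {"keywords_7", "keywords_8"} <= hits
    return toolpane or leak_header

# Constructed sample lines (IIS-style request log entries plus a proxy's view
# of a response header); not real traffic.
SAMPLE_LINES = [
    "2025-07-19 12:00:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 - 200",
    "2025-07-19 12:00:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 - 10.0.0.9 Mozilla/5.0 - 200",
    "2025-07-19 12:00:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.9 Mozilla/5.0 - 200",
    "HTTP/1.1 200 OK Server: Microsoft-IIS/10.0 X-TXT-NET: <constructed placeholder>",
]

def matching_lines(lines=SAMPLE_LINES):
    """Indices of the lines the condition fragment flags."""
    return [i for i, line in enumerate(lines) if matches(line)]

if __name__ == "__main__":
    for i in matching_lines():
        print("ALERT:", SAMPLE_LINES[i])
```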
- ssdeep Matches No matches found.
- Relationships
- 60a37499f9… Contains bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72
- Description This artifact is a data file containing the Base64-encoded .NET DLL "bjcloiyq.dll" (bee94b93c1…).
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72
Details
- Name bjcloiyq.dll
- Size 10813 bytes
- Type PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- MD5 0e36ecda6fc4b5661f9a181984a53bb5
- SHA1 3a438b239d8451b8e12e9cdd3c24d1240dd758c9
- SHA256 bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72
- SHA512 033f215fde36025a7ce434daddb70304d1e56f2dd2600e18a44d0af825a348fda388ee8fb1d684c2cdd006cdf042005bb26ab67cdf6c5eaac331650ea0ab9422
- ssdeep 192:fJhh81DzgDZnSxPKgL6YBAxmrFMxmrFARmrF9RmrFj4U0QiKpM9aMg3AxmrFaxmi:xhh81Dz4pSxPKg2YBAxeFMxeFAReF9RL
- Entropy 4.986214
- Antivirus No matches found.
YARA Rules
rule CISA_251132_02 : steals_authentication_credentials exfiltrates_data {
    meta:
        author = "CISA Code & Media Analysis"
        incident = "251132"
        date = "2025-07-21"
        last_modified = "20250724_721"
        actor = "n/a"
        family = "n/a"
        capabilities = "steals-authentication-credentials exfiltrates-data"
        malware_type = "unknown"
        tool_type = "unknown"
        description = "Detects .Net DLL payload samples"
        sha256_1 = "bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72"
    strings:
        $s0 = { 62 6A 63 6C 6F 69 79 71 2E 64 6C 6C }
        $s1 = { 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E 00 54 79 70 65 }
        $s2 = { 67 65 74 5F 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 }
        $s3 = { 67 65 74 5F 43 75 72 72 65 6E 74 00 48 74 74 70 52 65 73 70 6F 6E 73 65 }
        $s4 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 }
        $s5 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E }
        $s6 = { 53 79 73 74 65 6D 2E 57 65 62 2E 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E }
    condition:
        all of them
}
SIGMA Rules
title: Detects CVE-2025-53770 IOCs and Activity Based on Submitted Files 251132.r2
incident: 251133.r2
tlp: CLEAR
id: a9327942-4cf7-48e4-9ea4-ad0b54db4bf7
status: test
description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Detects IOCs and Activity Based on Submitted Files 251132.r2.
references:
  - 251132.r2
author: CISA Code & Media Analysis
date: 2025-07-23
modified: 2025-07-23
tags:
  - cve.2025.53770
logsource:
  product: cma
detection:
  keywords_1:
    - 'CVAUGFnZSBMYW5ndWFnZT0i'
    - '%@Page Language="'
  keywords_2:
    - 'Jwb3dlcnNoZWxsLmV4ZS'
    - 'powershell.exe'
  keywords_3:
    - 'ItZW5j'
    - '-enc'
    - 'LUVuY29kZWRDb21tYW5k'
    - '-EncodedCommand'
  keywords_4:
    - '0Jhc2U2NFN0cmluZw'
    - 'Base64String'
  keywords_5:
    - 'FJlcXVlc3QuRm9ybV'
    - 'Request.Form'
  keywords_6:
    - 'sicCJ'
    - '"p"'
  keywords_7:
    - '*.exe'
  keywords_8:
    - 'powershell*'
  keywords_9:
    - '-Command'
  keywords_10:
    - 'Get-ChildItem'
    - 'ForEach-Object'
  keywords_11:
    - '*\TEMPLATE\LAYOUTS\*'
  keywords_12:
    - '*.exe'
  keywords_13:
    - 'certutil*'
  keywords_14:
    - '-decode'
  keywords_15:
    - 'c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\owa\resources\*'
    - 'c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\*'
    - '\template\layouts\*'
    - '\template\layouts\owa\*'
  keywords_16:
    - '*.aspx'
    - '*.txt'
  keywords_17:
    - '*\TEMPLATE\LAYOUTS\*'
  keywords_18:
    - 'spinstall*'
  keywords_19:
    - '*.aspx'
  condition: keywords_1 and keywords_2 and keywords_3 and keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 and keywords_9 and keywords_10 and keywords_11 or keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19
falsepositives:
  - Rate of FP low-moderate with some strings.
  - Use this rule in an infected environment/logs.
  - Analyst may need to make adjustments to the query as required.
level: critical
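As an added example (not CISA's code), the following Python decodes a -EncodedCommand argument the way PowerShell does (Base64 of UTF-16LE text) and checks the plaintext for the indicators the rules list; it also shows why the rules carry the indicators in both Base64 and plaintext form. The sample command line is constructed and contains only the indicator strings around a placeholder value.

```python
"""Added example (not CISA's tooling): decode a PowerShell -EncodedCommand
argument from a log line and scan the plaintext for the rules' indicators."""
import base64
import binascii
import re

# Plaintext indicators from the rules. Their Base64 forms there (e.g.
# 'JABiAGEAcwBl...') exist because PowerShell takes Base64 of UTF-16LE text,
# so a log may hold only the encoded form.
INDICATORS = ["base64String", "FromBase64String", "decoded", "spinstall0.aspx"]
# Both switch spellings appear in the rules' keywords_3.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(arg):
    """Base64 -> UTF-16LE text; None when the argument is not valid."""
    try:
        raw = base64.b64decode(arg, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16LE needs an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None

def scan_line(line):
    """Indicators found in the decoded command (case-insensitive), or []."""
    m = ENC_RE.search(line)
    if not m:
        return []
    text = decode_encoded_command(m.group(1))
    if text is None:
        return []
    low = text.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]

def encode_command(text):
    """Mirror of PowerShell's encoding; used only to build the sample."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample: the rules' indicator strings around a harmless
# placeholder value; this is not the real dropper command.
SAMPLE_CMD = ('$base64String = "QUJD"; '
              '$decoded = [Convert]::FromBase64String($base64String); '
              '"spinstall0.aspx"')
SAMPLE_LINE = "powershell.exe -EncodedCommand " + encode_command(SAMPLE_CMD)
```

Encoding the fragment "$base64String =" with encode_command yields the string that begins with the rule's keyword JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0, which is why that Base64 prefix is a usable indicator on its own.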
- ssdeep Matches No matches found.
- PE Metadata
- Compile Date 2025-07-18 03:25:36+00:00
- Import Hash dae02f32a21e03ce65412f6e56942daa
- File Description None
- Internal Name bjcloiyq.dll
- Legal Copyright None
- Original Filename bjcloiyq.dll
- Product Version 0.0.0.0
- PE Sections
  - MD5 93185bd1019bd277eef9815a17f1d074
    Name header
    Raw Size 512
    Entropy 2.540889
  - MD5 f7cb6b7293c5082045ba423cab20a758
    Name .text
    Raw Size 2048
    Entropy 4.519674
  - MD5 b73c90a61195ef7457efab9d898490d9
    Name .rsrc
    Raw Size 1024
    Entropy 2.172802
  - MD5 039675253cb6c73f5458348295ff2f28
    Name .reloc
    Raw Size 512
    Entropy 0.081539
- Packers/Compilers/Cryptors
- Microsoft Visual C# / Basic .NET
- Relationships
- bee94b93c1… Contained_Within 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7
- Description This artifact is a 64-bit .NET DLL containing a class named "E" (Figure 2) that extracts and concatenates the machine key configuration settings from the ASP[.]NET application configuration. The file uses reflection to access "MachineKeySection" in the "System.Web" assembly, which holds the cryptographic keys ASP[.]NET uses for validation and decryption. The file uses reflection to obtain and invoke the "GetApplicationConfig" method of the "MachineKeySection" class to retrieve the "machineKey" configuration containing the actual key values. The file builds a string containing the "ValidationKey", "Validation", "DecryptionKey", "Decryption", and "CompatibilityMode" properties of the "machineKeySection" and adds it to the HTTP response as a custom header named "X-TXT-NET".
- Screenshots
- Figure 2 - Screenshot of the decompiled .NET assembly containing the class named "E" used to extract the machine key configuration.
3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997
Details
- Name osvmhdfl.dll
- Size 13373 bytes
- Type PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- MD5 40e609840ef3f7fea94d53998ec9f97f
- SHA1 141af6bcefdcf6b627425b5b2e02342c081e8d36
- SHA256 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997
- SHA512 deaed6b7657cc17261ae72ebc0459f8a558baf7b724df04d8821c7a5355e037a05c991433e48d36a5967ae002459358678873240e252cdea4dcbcd89218ce5c2
- ssdeep 384:cMQLQ5VU1DcZugg2YBAxeFMxeFAReF9ReFj4U0QiKy8Mg3AxeFaxeFAReFLxTYma:ElHh1gtX10u5A
- Entropy 4.966672
- Antivirus No matches found.
YARA Rules
rule CISA_251132_08 : steals_authentication_credentials exfiltrates_data {
    meta:
        author = "CISA Code & Media Analysis"
        incident = "251132"
        date = "2025-07-21"
        last_modified = "20250725_712"
        actor = "n/a"
        family = "n/a"
        capabilities = "steals-authentication-credentials exfiltrates-data"
        malware_type = "unknown"
        tool_type = "unknown"
        description = "Detects .Net DLL payload samples"
        sha256_1 = "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"
    strings:
        $s0 = { 47 65 74 4C 6F 67 69 63 61 6C 44 72 69 76 65 73 }
        $s1 = { 67 65 74 5F 4D 61 63 68 69 6E 65 4E 61 6D 65 }
        $s2 = { 67 65 74 5F 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 }
        $s3 = { 67 65 74 5F 43 75 72 72 65 6E 74 44 69 72 65 63 74 6F 72 79 }
        $s4 = { 67 65 74 5F 50 72 6F 63 65 73 73 6F 72 43 6F 75 6E 74 }
        $s5 = { 67 65 74 5F 55 73 65 72 4E 61 6D 65 }
        $s6 = { 67 65 74 5F 4F 53 56 65 72 73 69 6F 6E }
        $s7 = { 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61 62 6C 65 73 }
        $s8 = { 53 79 73 74 65 6D 2E 57 65 62 2E 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E }
        $s9 = { 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E }
        $s10 = { 67 65 74 5F 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 }
        $s11 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 }
        $s12 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E }
        $s13 = { 67 65 74 5F 43 6F 6D 70 61 74 69 62 69 6C 69 74 79 4D 6F 64 65 }
    condition:
        all of them
}
SIGMA Rules
title: Detects CVE-2025-53770 CVE-2025-53771 Updated IOCs and Activity
incident: 251133.r2
tlp: CLEAR
id: 32bba1a1-3900-4cf9-b379-3e71a63998a3
status: test
description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Detects updated IOCs and Activity. CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. TA - Linen Typhoon, Violet Typhoon, Storm-2603.
references:
  - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/?msockid=3e14885e8c2b643323129d998d366597
  - https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
  - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
  - https://github.com/kaizensecurity/CVE-2025-53770/blob/master/payload
  - https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
  - https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
author: CISA Code & Media Analysis
date: 2025-07-23
modified: 2025-07-23
tags:
  - cve.2025.49704
  - cve.2025.49706
  - cve.2025.53770
  - cve.2025.53771
logsource:
  product: cma
detection:
  keywords:
    - '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514'
    - '4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030'
    - 'b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70'
    - 'fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7'
    - '390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e'
    - '66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082'
    - '7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95'
    - '8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2'
    - '30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27'
    - 'b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93'
    - '107.191.58.76'
    - '104.238.159.149'
    - '96.9.125.147'