微软发现SharePoint存在严重漏洞CVE-2025-53700,可被用于远程代码执行。目前无补丁可用,建议使用Microsoft Defender检测攻击,并配置AMSI集成以增强防护能力。攻击者通过设置特定Referer头触发漏洞。已有两起相关工具栏.aspx访问记录被观察到。 2025-7-20 17:32:7 Author: isc.sans.edu(查看原文) 阅读量:34 收藏
Microsoft announced yesterday that a newly discovered critical remote code execution vulnerability in SharePoint is being exploited. There is no patch available. As a workaround, Microsoft suggests using Microsoft Defender to detect any attacks. To use Defender, you must first configure the AMSI integration to give Defender visibility into SharePoint. Recent versions of SharePoint have the AMSI integration enabled by default.
Microsoft also states: "If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available."
Defender will just detect the post-exploit activity. Currently, webshells are observed as a payload being deployed, taking advantage of the vulnerability.
The best write-up and details I found so far come from the Eye Security research team. They initially used CVE-2025-49704 and CVE-2025-49706 to identify the vulnerability. Later, Microsoft confirmed that this is a new issue and started using CVE-2025-53700. This latest issue appears to be a variation of the older vulnerabilities patched in this month's Patch Tuesday.
The vulnerability exploits an authentication bypass issue triggered by setting the "Referer" header to "/_layouts/SignOut.aspx". This vulnerability is then exploited to trigger remote code execution via "/_layouts/15/ToolPane.aspx".
In our honeypot data, we observed two instances of the "ToolPane.aspx" URL, first on July 16th (on individual hit, I am waiting to hear from the submitter to see if there are details available). Today, we received additional reports, but they originated from p55001.probes.atlas.ripe.net:9000 and are likely related to scanning for research purposes. These hits did not include the Referer header to trigger the vulnerabiliy.
The hit on July 16th originated from 172.174.82.132. This IP address appears to be owned by Microsoft.
Microsoft Advisory:
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Eye Security Blog:
https://research.eye.security/sharepoint-under-siege/
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
如有侵权请联系:admin#unsafe.sh