Post-Mortem Analysis: Exploitation of a Loophole in Website Operation (Cycle Exploit)
In mid-July 2025, our website network faced a significant security incident. The root cause was traced back to the exploitation of critical vulnerabilities in on-premises Microsoft SharePoint servers.
Specifically, a combination of two bugs was identified: an authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704). Later, the attackers focused on exploiting CVE-2025-53770, which allowed unauthenticated remote code execution (RCE) through improper filtering of HTTP request headers in the ToolPane.aspx component. This enabled attackers to gain unauthorized access to, and control over, affected SharePoint servers.
On July 12, 2025, a suspiciously high staking reward was reported to our team via the Discord server. The attack tricked our network into believing that a single node had been active in the network since 2019, resulting in an improper credit of approximately 500K SHM during cycle 111165. Regular SHM holders were not affected, and no action was required on their part.
The attack exploited a flaw in the validation process: a phony cycle certificate could be inserted at index 0 of the certificate array, and that position was never subjected to the marker validation step. A mandatory security patch, Validator v1.19.3, has been released to correct the underlying flaw and add further defensive checks. Validators are strongly advised to ensure their nodes are running the latest patched version.
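As an added illustration of the class of flaw described above (not Shardeum's code; the certificate shape, the marker function and the function names are assumptions), the flawed validator below checks only that each certificate chains onto the one before it, starting at index 1, so whatever sits at index 0 is accepted as the root; the hardened validator also ties index 0 to a marker the node already trusts and requires contiguous cycle numbers.

```typescript
// Added illustration, not Shardeum's code: a simplified cycle-certificate chain
// in which every certificate commits to the marker of the cycle before it.
interface CycleCertificate {
  cycle: number;          // cycle number this certificate covers
  previousMarker: string; // marker of the preceding cycle
  marker: string;         // marker of this cycle, derived from the fields above
}

// Hypothetical marker function (a tiny FNV-1a hash); a real system would use a
// cryptographic hash over the full cycle record.
function computeMarker(cycle: number, previousMarker: string): string {
  let h = 0x811c9dc5;
  for (const ch of `${cycle}|${previousMarker}`) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function makeCert(cycle: number, previousMarker: string): CycleCertificate {
  return { cycle, previousMarker, marker: computeMarker(cycle, previousMarker) };
}

// Flawed validator: verifies that certificate i chains onto certificate i-1,
// but starts at index 1, so the entry at index 0 is never compared against any
// value the node already holds. Whatever is placed there becomes the root.
function validateChainFlawed(certs: CycleCertificate[]): boolean {
  for (let i = 1; i < certs.length; i++) {
    if (certs[i].previousMarker !== certs[i - 1].marker) return false;
    if (certs[i].marker !== computeMarker(certs[i].cycle, certs[i].previousMarker)) return false;
  }
  return certs.length > 0;
}

// Hardened validator: index 0 must chain onto a marker the node already trusts
// (anchor), every marker is recomputed, and cycle numbers must be contiguous.
function validateChain(certs: CycleCertificate[], anchor: CycleCertificate): boolean {
  let prev = anchor;
  for (const cert of certs) {
    if (cert.cycle !== prev.cycle + 1) return false;
    if (cert.previousMarker !== prev.marker) return false;
    if (cert.marker !== computeMarker(cert.cycle, cert.previousMarker)) return false;
    prev = cert;
  }
  return certs.length > 0;
}
```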
The abnormal reward of 500K SHM was voluntarily returned by the attacker and was burned on July 30, 2025.
Credit is given to the community member NoviceCrypto and others for their quick reporting and monitoring of the discrepancy. As a token of appreciation, a bug bounty program will be announced to encourage responsible disclosure of vulnerabilities.
To improve proactive detection, external monitoring and alerting tools will be integrated. Additionally, a public security email list will be launched for developers, node operators, and community members. Eligible issues may qualify for rewards.
Addressing the incident involved multiple layers. Microsoft released patches for the vulnerabilities, though patching alone was insufficient if the server was already compromised. Essential remediation required rotating cryptographic keys, restarting IIS services, and removing malicious artefacts like web shells to eliminate persistent access.
Akamai and other security partners deployed rapid detection and mitigation mechanisms, including adaptive security rules and Zero Trust Network Access policies to reduce exposed attack surfaces. Ongoing investigations linked attacks to the Storm-2603 threat cluster, prompting enhanced threat intelligence sharing and monitoring.
It is important to note that the attack appears to be an isolated incident, with no evidence of further impact across the network's history. Public exploit details should not be posted without acknowledgement from the security team.
To further strengthen our network's security, a Security Incident Response Playbook will be formalized and published. Potential security issues can be reported to the security team via email, GitHub, or Discord.
We would like to express our gratitude to our community for their vigilance and support during this incident. We are committed to maintaining the security and integrity of our network and will continue to take proactive measures to safeguard it.
- As a consequence of the July 2025 security incident, our team will establish a Security Incident Response Playbook to address potential future issues.
- In light of the recent attack, we are planning to launch a public security email list for developers, node operators, and community members to foster proactive communication and collaboration.
- Moving forward, we will implement enhanced security measures, such as integrating external monitoring and alerting tools, to better protect our business, technology, entertainment, and sports-related ventures from potential threats.