
Weekly Security Update: Focus on SharePoint, Initramfs, and Additional Topics

The commotion in the enterprise security sector traces back to the Pwn2Own Berlin competition, where Viettel Cyber Security, led by Khoa Dinh, uncovered a pair of vulnerabilities in Microsoft's offerings.


The discovery of critical zero-day vulnerabilities in Microsoft's SharePoint by Khoa Dinh and the Viettel Cyber Security team has sent ripples through the cybersecurity community. These flaws, identified as CVE-2025-53770, CVE-2025-49704, and CVE-2025-49706, allow remote code execution (RCE) and unauthorized access to on-premises SharePoint servers.

The key vulnerability, CVE-2025-53770, is a deserialization flaw in SharePoint Server. It stems from the way SharePoint deserializes untrusted objects, which lets attackers execute commands before any authentication takes place. Related to but more severe than CVE-2025-49704, it is exploited through a specific chain of requests against a SharePoint endpoint.

In the initial stage, attackers send specially crafted POST requests to the vulnerable SharePoint endpoint, abusing how SharePoint renders controls so that embedded PowerShell commands execute on the server. This is used to drop a malicious web shell named spinstall0.aspx into the layouts directory, which gives the attackers continued interactive access to the compromised server.

Attackers can then extract the ValidationKey and DecryptionKey, the cryptographic secrets SharePoint uses to authenticate users and protect sessions. With these keys they can forge authentication tokens, impersonate users, and sign malicious payloads, achieving durable remote code execution without revisiting the original exploit vector.

The exploitation details also show that this method lets attackers persist even after the web shell is removed or the initial vulnerability is patched, because the stolen keys remain valid. From there they can move laterally within the victim's network, blending their activity with legitimate SharePoint operations and complicating detection.
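As an added illustration (not code from the article, from Microsoft, or from the researchers), the following Python script shows how a defender could hunt for the spinstall0.aspx web shell described above: it baselines the .aspx pages under the SharePoint LAYOUTS folder and reports new or modified files, and it scans IIS request logs for requests to the known web shell name or to any /_layouts/ page absent from that baseline. It assumes IIS W3C logs with a #Fields header and that the LAYOUTS root is the on-disk TEMPLATE\LAYOUTS folder of the SharePoint hive; the log lines it contains are constructed sample data.

```python
"""Added example (not from the article): hunting for the spinstall0.aspx web shell.

Check 1: diff the .aspx files under the LAYOUTS directory against a baseline
         taken from a known-clean server (new or modified pages are reported).
Check 2: scan IIS W3C request logs for the web shell name or for /_layouts/
         pages that are not in the baseline.
Assumptions: W3C log format with a #Fields header; LAYOUTS root is the on-disk
TEMPLATE\\LAYOUTS folder.  SAMPLE_LOG below is constructed sample data.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

WEB_SHELL_NAME = "spinstall0.aspx"  # web shell file name reported in the article


@dataclass
class Hit:
    when: str
    client_ip: str
    method: str
    uri: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per request, using the field order from the #Fields line."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def scan_iis_log(lines, known_pages):
    """Flag requests to the web shell name or to unbaselined /_layouts/ pages.

    known_pages is a set of lower-case .aspx file names from the clean baseline.
    """
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "").lower()
        name = uri.rsplit("/", 1)[-1]
        if name == WEB_SHELL_NAME:
            reason = "known web shell name"
        elif "/_layouts/" in uri and name.endswith(".aspx") and name not in known_pages:
            reason = "unbaselined page under /_layouts/"
        else:
            continue
        hits.append(Hit(row["date"] + " " + row["time"], row["c-ip"],
                        row["cs-method"], row["cs-uri-stem"], reason))
    return hits


def summarize(hits):
    """Count flagged requests per client IP, for triage."""
    counts = {}
    for hit in hits:
        counts[hit.client_ip] = counts.get(hit.client_ip, 0) + 1
    return counts


def layouts_aspx_files(root):
    """Map relative (lower-cased) path -> SHA-256 for every .aspx under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".aspx"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[os.path.relpath(full, root).lower()] = digest
    return found


def known_page_names(baseline):
    """File names (not paths) from a baseline, for matching against request URIs."""
    return {os.path.basename(rel) for rel in baseline}


def find_unexpected_files(root, baseline):
    """Pages present now that are new, or whose content differs from the baseline."""
    current = layouts_aspx_files(root)
    return sorted(rel for rel, digest in current.items() if baseline.get(rel) != digest)


# Constructed sample IIS log; spaces inside user agents are '+' as IIS writes them.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:02:11 10.0.0.5 GET /_layouts/15/settings.aspx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-19 10:03:40 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2025-07-19 10:04:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 curl/8.0 - 200 0 0 12
2025-07-19 10:05:00 10.0.0.5 GET /sites/team/Shared%20Documents/report.docx - 443 CONTOSO\bob 10.0.0.78 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 80
2025-07-19 10:06:13 10.0.0.5 POST /_layouts/15/unknown.aspx - 443 - 198.51.100.4 python-requests/2.32 - 200 0 0 33
"""


def demo_disk_check():
    """Build a throwaway LAYOUTS tree, baseline it, plant the shell, diff again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "15"))
        with open(os.path.join(root, "15", "settings.aspx"), "w") as fh:
            fh.write("<%@ Page %>")  # stand-in for a legitimate page
        baseline = layouts_aspx_files(root)
        clean = find_unexpected_files(root, baseline)
        with open(os.path.join(root, "15", WEB_SHELL_NAME), "w") as fh:
            fh.write("<%@ Page %>")  # stand-in for the dropped shell
        planted = [os.path.basename(p) for p in find_unexpected_files(root, baseline)]
        return clean, planted


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG.splitlines(), {"settings.aspx"})
    print(*found, summarize(found), demo_disk_check(), sep="\n")
```

On a real server the baseline would be taken with layouts_aspx_files on a patched, known-clean installation and stored off-box; because the stolen keys let attackers return without the shell, a clean diff is evidence only that this one artifact is absent, not that the server is no longer compromised.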

The live exploitation of these SharePoint vulnerabilities appears to be coming from a set of Chinese threat actors. Microsoft has acknowledged the active exploitation in the wild, with over 75 organizations breached as of July 2025. They emphasize that SharePoint Online (cloud service) is unaffected, but on-premises installations remain at high risk until patches are fully deployed.

Microsoft issued an emergency patch to address the bypasses on July 20th, following confirmation of their existence on July 19th. It's crucial for organizations using SharePoint on-premises to deploy this patch as soon as possible to mitigate the risks posed by these vulnerabilities.

In other news, Akamai has reported a new strain of the Coyote malware targeting Brazilian Windows users. A separately described attack targets the initramfs on Linux systems, which offers an attacker a potential point of modification. Meanwhile, the Pwn2Own Berlin competition in May also led to the discovery of vulnerabilities in VMware's Guest Authentication Service (VGAuth), allowing a low-privileged user on a Windows virtual machine to abuse the service and gain SYSTEM privileges.

As the cyber threat landscape continues to evolve, it is essential for organizations to stay vigilant and proactive in protecting their systems and data.

  1. The discovery of such critical vulnerabilities in SharePoint has emphasized the need for organizations to prioritize hardware updates, ensuring their systems run on the latest technology to mitigate risks.
  2. The ongoing cybersecurity concerns, such as the exploitation of CVE-2025-53770 in SharePoint and the emergence of the Coyote malware, highlight the importance of data and cloud computing best practices in safeguarding sensitive information.
