Microsoft SharePoint Zero-Day

Chinese hackers are exploiting a high-severity vulnerability in Microsoft SharePoint to steal data worldwide:

The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the vulnerability, which affects SharePoint Servers that infrastructure customers run in-house. Microsoft’s cloud-hosted SharePoint Online and Microsoft 365 are not affected.

Here’s Microsoft on patching instructions. Patching isn’t enough, as attackers have used the vulnerability to steal authentication credentials. It’s an absolute mess. CISA has more information. Also these four links. Two Slashdot threads.

This is an unfolding security mess, and quite the hacking coup.

Posted on July 28, 2025 at 7:09 AM • 21 Comments

Comments

Clive Robinson July 28, 2025 10:09 AM

@ Bruce,

With regards,

“It’s an absolute mess”

You don’t make it clear if you mean this particular Microsoft Product, or Microsoft’s software production in general…

Recent attacks have happened on a severity of 9 or greater due to a myriad of failures in the way Microsoft design, prototype, produce, and support software.

In one case Microsoft trying to fix one fault showed crackers (we presume from reverse engineering the Microsoft-issued patch) how to find and exploit similar flaws in around a day…

The fact these attacks are being found, exploits created and put into action in such a short period of time seriously suggests that Microsoft and similar need to review the way they go about things.

Further, even though Current AI LLM and ML systems are fairly bad with software, compared to humans they are incredibly fast.

It is the nature of attack progress and software development that the direction is forward. Thus we can only expect Current AI performance with analysing and developing software to “improve”.

Thus it may not be long before “patch to fielded attack” is measured in minutes not hours.

Stephen July 28, 2025 11:41 AM

Everything I’ve seen indicates this is only “on premises” deployments. SharePoint Online is (at this point) unaffected.

This seems to be a new threat model. If the time it takes to reverse-engineer an exploit from the patched binaries beats the time to test and deploy the patch into production, you’re screwed to the severity of the patched vulnerabilities.

One can envision encryption / obfuscation of the executable code to slow down automated analysis, but that performance penalty would also be borne by legitimate users.

Maybe all it takes to subscribe to a zero-day vulnerability newsletter are the license fees and the development and execution resources consumed by the automated analysis. If that’s the case, this is not a problem unique to Microsoft – unless they are releasing comparatively more patches that effectively increases the attack surface. But at least on paper, these attacks should work against any systems that receive patches from remote repositories.

lurker July 28, 2025 2:40 PM

@Stephen
“Everything I’ve seen indicates this is only “on premises” deployments. SharePoint Online is (at this point) unaffected.”

Yup, and it exposes part of the puzzle: they use “on premises” SharePoint to avoid the problems of the internet, yet they still drag the dirty ole internet in …

Clive Robinson July 28, 2025 3:21 PM

@ Stephen, ALL,

With regards,

“If the time it takes to reverse-engineer an exploit from the patched binaries beats the time to test and deploy the patch into production, you’re screwed to the severity of the patched vulnerabilities.”

It’s actually “worse than that”.

When an exploit is discovered, it is always,

“An instance in a class of attacks”

This is due to the notion of “code reuse” in its various forms and especially in common functions like “serialisation”.

That is the class of attackable vulnerabilities is almost always bigger than just a single instance, and the number of instances will almost certainly grow with time and ongoing development.

Thus if it’s the first instance discovered in a new class there are almost certainly a significant number of instances of other attackable vulnerabilities in the class not just,

1, in the current code,
2, but in future code to come.

But also classes tend not to exist in isolation they tend to be grouped with related classes. Thus are in effect sub classes of a larger more general class.

So finding just one “new instance” means you have to fix not just,

1, that vulnerability,
2, but others in its class,
3, and related classes.

Which is apparently not what Microsoft did; in rushing a patch out of the door they only fixed “the vulnerability”.

The allegedly Chinese attackers then reverse engineered the patch and found other vulnerabilities in the class or a closely related class.

My point about Current AI LLM and ML systems is that whilst they may not be of much use for many things, they are very good “adaptive filters” thus finding related instances and related classes of attack is something they are almost ideally suited for.

Whilst US AI firms are “going big” with “general models” that are “jack of all trades masters of none” the Chinese are going as far as we can see for smaller more specific models that are in effect “advanced tailored / expert systems” that are “masters of the trade / knowledge domain”.

Such systems are good not just at reverse engineering by pattern matching, but finding relating patterns of various relatedness.

As you note,

“If the time it takes to reverse-engineer an exploit from the patched binaries beats the time to test and deploy the patch into production, you’re screwed”

For all the instances in the class of vulnerability and all related classes.

But… Not just in that one application, in all the related applications where,

1, The code is reused (class)
2, The development methodology is the same (related classes).

Hence my question to our host @Bruce of,

“You don’t make it clear if you mean this particular Microsoft Product, or Microsoft’s software production in general…”

That is, if he meant just the application or all of Microsoft’s applications.

Microsoft’s past history suggests it’s likely to be the latter.

And if it is the Chinese and they start using AI to reverse engineer patches etc then the customers not just of Microsoft but of large software houses in general are without doubt,

“Going to live in interesting times.”

Clive Robinson July 28, 2025 3:30 PM

@ Bruce, ALL,

To get current AI LLM and ML systems to be good at reverse engineering and finding related instances and classes of vulnerability will be a new field of endeavor.

If you think about it what is needed is a new form of tokenizer / transformer for the ML to find the correct semantic level and tune the LLM network.

I can see a few papers and PhD thesis in this area in our near future.

Something tells me also it will be less than the average 8 year lead time this blog often has on “original security domains”.

ResearcherZero July 31, 2025 2:15 AM

Digital Hammer possibly compromised. Attackers may have obtained sensitive information related to CIA technology acquisition efforts. Digital Hammer is interested in applied science in the areas of HUMINT, surveillance, counterintelligence operations, and countering Chinese language intelligence and data operations.

The CIA has not commented and not responded to questions if SharePoint was exploited.

‘https://www.washingtontimes.com/news/2025/jul/24/major-intelligence-website-hacked-search-cia-spying-secrets/

Microsoft is probing if an alert tipped off Chinese hacking groups to the SharePoint flaw.
https://www.bloomberg.com/news/articles/2025-07-25/microsoft-sharepoint-hack-probe-on-whether-chinese-hackers-found-flaw-via-alert

Microsoft says it will end its China-based engineering support for DoD cloud computing.
https://arstechnica.com/security/2025/07/microsoft-to-stop-using-china-based-teams-to-support-department-of-defense/

ResearcherZero July 31, 2025 2:43 AM

@Stephen

Microsoft has had a program where less experienced and inadequately qualified personnel (with a security clearance) oversee the work of highly skilled foreign-based programmers and support staff, who maintain Microsoft’s Government Community Cloud (GCC) service. These people hired to supervise China-based engineers are called “digital escorts”.

Maybe all it takes to subscribe to a zero-day vulnerability newsletter are the license fees and the development and execution resources consumed by the automated analysis.

Yes. Microsoft supplies a range of services to foreign governments, including such alerts.

It says some more about the GCC program in the Ars article above and some more here…

Microsoft told ProPublica that it has disclosed details about the escort model to the federal government. But former government officials said in interviews that they had never heard of digital escorts. The program appears to be so low-profile that even the Defense Department’s IT agency had difficulty finding someone familiar with it.

“Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency.

Nevertheless, cybersecurity experts told ProPublica that foreign support for GCC presents an opportunity for spying and sabotage. “With so much data stored in cloud services—and the power of AI to analyze it quickly—even unclassified data can reveal insights that could harm US interests.”

https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers

The Nuclear Weapons Agency was also breached, along with many other organizations.
https://www.bloomberg.com/news/articles/2025-07-23/us-nuclear-weapons-agency-breached-in-microsoft-sharepoint-hack

ResearcherZero July 31, 2025 2:54 AM

@Clive Robinson

“We are surprised. Too often. By events in the world…”

counter-situational-awareness <- My new favourite term. 🙂

'https://www.tandfonline.com/doi/full/10.1080/21624887.2025.2454149

It was recommended by the intel services that Microsoft not be given a government cloud computing contract to store sensitive data, but hey… whateva.

Tech Bro it up my boyz! Hang ten and stuff.

'https://www.nbcnews.com/politics/national-security/kash-patels-new-way-leading-fbi-fewer-morning-intel-briefings-sports-e-rcna202865

FBI leadership said to be utterly clueless due to a lack of something or other.
https://www.theatlantic.com/ideas/archive/2025/07/trump-fbi-michael-feinberg/683685/

Communicating effectively with fudgewits (or not).
https://foreignpolicy.com/2025/07/03/us-intelligence-national-security-trump/

Alternatively this story says pretty much the same thing also.

'https://www.politico.com/news/2025/05/09/trump-intelligence-briefing-frequency-00338946

Bob Duncan July 31, 2025 5:27 AM

Intrusion and data collection capabilities of the Hafnium cluster and associated companies.

Hafnium previously conducted a series of attacks on Microsoft Exchange servers.

‘https://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/

Tech companies operated as fronts and to scan and research vulnerabilities.
https://nattothoughts.substack.com/p/hafnium-linked-hacker-xu-zewei-riding

Data dumps from tech companies within China’s hack-for-hire industry.
https://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/

Clive Robinson July 31, 2025 6:32 AM

Hmm, got the “held for moderation”… So bit by bit.

Part 1,

@ ResearcherZero, ALL,

The Bloomberg link you give is behind a paywall, and due to the nonsense Bloomberg are known to have pushed I suspect many would consider “paying it” falls under the “More money than sense” category, even though their employer or institution gets it for them or for free.

So, another link on the Microsoft MAPP deflection,

https://www.gadgets360.com/internet/news/microsoft-probing-whether-cyber-alert-tipped-off-chinese-hackers-8954665

The logic Microsoft appear to be pushing is,

1, The patch could not have been reverse engineered that fast.
2, So the attackers must have got knowledge that gave them more time.
3, Who/What can we blame to deflect from us?

Getting on for two decades ago Microsoft had a very real problem, much as they have today. The methodology of their Marketing Driven software production was causing lots of “bloat issues”. That some might call a “Tsunami of Technical Debt” for good reason.

Clive Robinson July 31, 2025 6:37 AM

Part 2,

of “Microsoft Foundation Class”(MFC) for Windows were well aware of this issue and the various reasons Microsoft were doing it. However one was said to be to force external app developers down a “slow path” so Microsoft internally developed Apps used a different “short path” so always looked faster in comparison. Which spawned a number of projects to find the hidden APIs (and yes some were found).

Anyway, using DLLs is always a compromise and almost always has three issues,

1, Kitchen sink mentality
2, Jack of all trades issues
3, Overly complex interface

Throwing everything in “including the kitchen sink” is never a good idea as you end up with a very high “junk to use” ratio.

Making it a “one ring” for a myriad of different users using different programming languages and methodologies to be a “jack of all trades”… Makes the DLL not just “not a master of none” but have a massive degree of needless complexity that never gets properly tested.

In that needless complexity hides many vulnerabilities. Worse because the DLL is “universal” all applications have the same vulnerable code “reusable”.

Clive Robinson July 31, 2025 6:39 AM

Part 3

Thus changes needed to be made and each “patch” was in danger of affecting more than just one application etc.

Thus Microsoft needed a way to alert developers to changes. So they started a series of “partner programs” to do this.

Only once you start down this sort of rabbit hole, you discover an unfortunate side effect… Things start breeding like rabbits especially “partner programs”.

So one partner program that came along was “Microsoft Active Protections Program”(MAPP).

Another issue with such programs is once started restricting access becomes difficult. That is membership confers “status” thus enables increased profit. In short “The World and his Dog” can “make a case” and thus get entry by pulling the right strings.

As we know from Microsoft handing over the entire NT OS code base to China “business” AKA Profit overrides any concerns for “shareholder value”. And Microsoft as an Industry Flag Ship has to exceed expectations every quarter which is effectively impossible unless you routinely do less than sensible things.

One such is causing Microsoft great embarrassment currently which is the “Chinese developers developing US DoD Cloud Code”[1],

https://www.propublica.org/article/defense-department-pentagon-microsoft-digital-escort-china

How many other “cheap labour stunts” do you think Microsoft is pulling now it’s laying off US based staff by the thousands?

Clive Robinson July 31, 2025 6:41 AM

Part 4,

It’s well known in the Industry that “Indian coders cost 10% of US coders” and there are many agencies making a very great deal on exploiting this.

Whilst the US DoD “want security” Congress “will not pay for it”.

History shows this over and over.

So it’s all very well for Pete Hegseth to spout that,

“his agency would look into Microsoft’s use of foreign-based engineers to help maintain the highly sensitive cloud systems”

As his “deflection”…

But history shows as soon as the blame is passed it will be back to normal pork/grease/lobbying that makes the critters on the hill fat.

As you know the “Deflection Game” is a variation on the “hot potato game”, so Microsoft are in turn “deflecting” and so on until somebody far down the line well away from the real crooks gets burned unless they drop it.

And as we all know very soon the eyes of the MSM and Trade Press will turn elsewhere and the “gravy train” will pick up speed again.

Clive Robinson July 31, 2025 6:43 AM

Part 5,

Note that this vulnerability was actually on “public display” “on stage” at a Hackathon some two months beforehand…

Yup, and the problem with such things is they are “done on the cheap”; Microsoft only handed over $100,000 for an attack vector worth probably twenty to a hundred times that.

That was when those interested would have seen enough evidence to point them in the right direction. And it would have been then that the ball started rolling.

Clive Robinson July 31, 2025 6:44 AM

Part 6,

Are the Silicon Valley Mega Corps going to stop doing things “on the cheap”? Of course not, not as long as the “American Dream” is taught to toddlers.

Bug bounties and Hackathons are here to stay because they save the Mega Corps millions if not billions in costs they should otherwise have to pay…

[1] There was a joke doing the rounds about the F35 and its significant problems. China had a “look alike” that was actually flying and landing. The joke was that the US DoD should have outsourced the F35 to China to save time and costs… Looks like the joke had real teeth…

ResearcherZero August 1, 2025 1:05 AM

@Clive Robinson

It raises the question, why would we need the additional capability of new weapons and technology, backdoors and surveillance capability, AI analysis etc., if we failed to acknowledge the strategic and political intelligence which was collected and assessed from preceding decades?

Much of the military strategy pursued today was only suggested – 30 years ago – to drive home the importance and significance of warnings delivered to government at the time.

When it finally dawned on government leadership that those warnings were correct, they reached in the bottom drawer to see what was suggested at the time. The problem being, those suggestions were off-the-cuff remarks to shake up the leadership from their complacency.

None of those suggestions had been studied or thought through. None of the intelligence was acted on because no-one in the government read the reports or sat in on the briefings.

Decisions made today have been made due to panic, or ancient brain-farts rattling around in the heads of people without any formal training or experience in the policy area. Bad decisions are often worse than no action at all. Bad decisions are worse still when they are driven by external influence – designed to deliberately produce strategic mistakes.

Putin has achieved changes to US foreign policy the Soviet Union pursued for a century!

Russia and Belarus cheer dismantling of USAID

‘https://www.euronews.com/2025/02/07/russia-and-belarus-cheer-dismantling-of-usaid-as-rights-groups-voice-concerns

“Most of Operation Overload’s posts went nowhere, but one managed to hook one of the political world’s biggest fish…”

https://informedalarmist.substack.com/p/a-russian-fake-news-ring-was-struggling

ResearcherZero August 1, 2025 1:17 AM

@Clive Robinson

Though you did answer this:

But history shows as soon as the blame is passed it will be back to normal pork/grease/lobbying that makes the critters on the hill fat.

Meanwhile, while the National Guard are being directed by Trump to run around and assist DHS, and DOGE has been ripping out all of U.S. internal security controls, China had probed the networks, collected the email and communications, then prepared to take advantage of a system in chaos with many of its defenses and response capability missing or unprepared.

The information would allow follow-up attacks on partners and other U.S. territories.

‘https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/

1,462 network-device configuration files harvested, along with credentials.
https://www.defense-aerospace.com/experts-warn-of-serious-escalation-after-salt-typhoon-hacks-army-national-guard-systems/

ResearcherZero August 1, 2025 1:49 AM

@Clive Robinson

Microsoft should also read its blog about malicious ViewState requests before it comments on how long it takes to diff a patch. Perhaps due consideration should be given to other vectors and vulnerabilities which Chinese tech companies may have been studying already prior to the first SharePoint CVE, and that other Microsoft software was likely being studied for vulnerabilities which would assist with the discovery of new vulnerabilities.

Even a single individual, let alone a team, can tear down Microsoft’s products and their components fairly quickly to discover how they interact, in order to produce a rough outline for an attack. Fine-tuning can then take place with very little extra input.

I’d give a capable team a day to produce a working concept.

https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/

Clive Robinson August 1, 2025 6:26 AM

@ ResearcherZero, ALL,

With regards,

“I’d give a capable team a day to produce a working concept.”

The key word there is “capable”, and like “common sense” it is a rare commodity, thus a very limited resource.

Which means that even a Level III (State / major Corp) entity will be constrained by the resource limitation.

Now we know that due to the nature of “code reuse” in various forms, vulnerabilities will have numerous instances in the class, and most likely several associated classes.

The thing about Current AI LLM and ML systems is that they do semi-stochastic pattern matching. That is they will see the vulnerability shape even if fine detail varies.

Thus how fast would an appropriately trained LLM network find the many variants from the single instance?

And how long after that to cobble together PoC code for all of them?

Because that is the direction I see things going in the next few years.

Oh and because the ML input will be specific rather than general, the size of LLM network does not have to be large.

I suspect a useful version will fit on a laptop or small cluster.

As we’ve seen, the Chinese are already significantly researching and are, it appears, well ahead on the design and implementation of these smaller LLMs.

How long do you reckon it will take, a year, maybe two?
