SharePoint Zero-Day CVE-2025-53770

Incident Report for Rapid Response Status Page

Resolved

Dear Customers,

Following our recent update regarding the SharePoint vulnerability CVE-2025-53770, we continued our threat-focused hunting efforts, looking for suspicious IOC hits and TTPs.

Axon reports have been published for Team Axon customers, including a list of IOCs, IOC Sweep results, hunting queries, and hunting results.
Relevant hits that require your attention will be mentioned in the Axon report.
Microsoft released new patches for the relevant CVEs; details are available at:
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

SharePoint 2019 - KB5002753, KB5002754 - Build 16.0.10417.20037
SharePoint 2016 - KB5002759, KB5002760 - Build 16.0.5513.1001
Microsoft SharePoint Server Subscription Edition - KB5002768 - Build 16.0.18526.20508
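A common mistake when checking patch state at scale is comparing build strings lexically, where "16.0.5513.1001" sorts above "16.0.10417.20037". The following is an added example (not Team Axon's or Microsoft's code) that compares builds numerically against the fixed builds listed above and flags hosts that still need the update; the inventory rows and host names are constructed, and an unsupported product (such as a SharePoint 2013 host) is reported as unpatched because it cannot receive these fixes.

```python
# Added example: check a SharePoint inventory against the fixed builds from the
# Jul 22 update above. Inventory data below is constructed, not real telemetry.

# Minimum fixed builds per product, taken from the update text above.
PATCHED_BUILDS = {
    "SharePoint 2019": "16.0.10417.20037",
    "SharePoint 2016": "16.0.5513.1001",
    "SharePoint Subscription Edition": "16.0.18526.20508",
}


def parse_build(build):
    """Turn '16.0.10417.20037' into (16, 0, 10417, 20037).

    Comparing integer tuples is what makes 10417 > 5513; as strings the
    order would be reversed, so never compare build strings directly.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(product, build):
    """True if the host runs at least the fixed build for its product.

    Products without a fix in PATCHED_BUILDS (e.g. out-of-support versions)
    are treated as unpatched: the recommendation is to upgrade them.
    """
    if product not in PATCHED_BUILDS:
        return False
    return parse_build(build) >= parse_build(PATCHED_BUILDS[product])


# Constructed inventory: (hypothetical host name, product, reported build).
INVENTORY = [
    ("sp-2019-01", "SharePoint 2019", "16.0.10417.20037"),   # at fixed build
    ("sp-2019-02", "SharePoint 2019", "16.0.10417.20027"),   # earlier build
    ("sp-2016-01", "SharePoint 2016", "16.0.5508.1000"),     # earlier build
    ("sp-se-01", "SharePoint Subscription Edition", "16.0.18526.20508"),
    ("sp-2013-01", "SharePoint 2013", "15.0.5000.1000"),     # constructed, unsupported
]


def unpatched_hosts(inventory):
    """Return the host names that do not meet the fixed build for their product."""
    return [host for host, product, build in inventory if not is_patched(product, build)]


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"needs update: {host}")
```

Feed it the product and build reported by your own inventory source; the build strings here are only the ones quoted in this update, so extend PATCHED_BUILDS if Microsoft publishes later fixed builds.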

We continue to monitor CVE-2025-53770 and will provide further updates as necessary.
If you have any questions or need further assistance, please feel free to reach out.


Sincerely,
Team Axon
Posted Jul 22, 2025 - 17:23 UTC

Investigating

Team Axon is aware of a newly disclosed critical vulnerability, CVE-2025-53770, affecting Microsoft SharePoint Server (on-premise). This flaw enables remote code execution when specially crafted requests are sent to a vulnerable SharePoint instance. Exploitation does not require authentication, making this a high-risk vulnerability for exposed environments.

This issue arises from improper input validation within core SharePoint components, and successful exploitation may allow attackers to execute arbitrary code with the privileges of the SharePoint application.

We’ve observed early threat intelligence and public Proof-of-Concept (PoC) code surfacing as well as indications that this CVE is being actively exploited in the wild, increasing the urgency for immediate action.

Detection Coverage:
- Existing detections are expected to identify this activity. For example:
  - Suspected WebShell execution using common binary - This detector identifies suspicious parent-child relationships between web server processes and commonly abused binaries to reveal the presence of a web shell.
  - Rare child process of commonly abused binary - Detects process execution chains in which the child process is a built-in or "living-off-the-land" system binary, such as w3wp.exe.
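To make the two detection ideas above concrete, here is an added example (not one of Team Axon's detectors) that runs both over a handful of constructed process-creation events: the first flags a web-server worker (w3wp.exe, which hosts SharePoint under IIS) spawning a commonly abused binary; the second flags an abused binary whose parent/child pairing is rare against a baseline of previously observed pairs. The CSV field names, the abused-binary list and the baseline counts are assumptions, not a real schema or real telemetry.

```python
import csv
import io
from collections import Counter

# Web-server worker processes whose child processes deserve scrutiny.
WEB_WORKERS = {"w3wp.exe"}

# Built-in / "living-off-the-land" binaries commonly launched by web shells
# (assumed list; tune it to your environment).
ABUSED_BINARIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    "mshta.exe", "regsvr32.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe",
}

# Constructed sample process-creation events (not real telemetry) in a
# simplified CSV layout; the column names are an assumed source schema.
SAMPLE_EVENTS = r"""timestamp,host,parent_image,image,command_line
2025-07-20T09:12:01Z,SP01,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2025-07-20T09:12:02Z,SP01,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\conhost.exe,conhost.exe 0x4
2025-07-20T09:13:10Z,SP01,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs
2025-07-20T09:15:44Z,ADMIN01,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe
2025-07-20T09:16:05Z,SP01,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -NoProfile -Command Get-Process
2025-07-20T09:20:30Z,SP01,C:\Windows\System32\spoolsv.exe,C:\Windows\System32\rundll32.exe,rundll32.exe printui.dll
"""

# Constructed baseline: how often each (parent, child) pair was seen in a
# historical window. In practice this comes from your own telemetry.
BASELINE = Counter({
    ("explorer.exe", "powershell.exe"): 40,
    ("services.exe", "svchost.exe"): 500,
    ("w3wp.exe", "conhost.exe"): 3,
})


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse the CSV event text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def detect_webshell_children(events):
    """Detector 1: a web-server worker directly spawning an abused binary."""
    return [
        e for e in events
        if basename(e["parent_image"]) in WEB_WORKERS
        and basename(e["image"]) in ABUSED_BINARIES
    ]


def detect_rare_children(events, baseline, min_count=5):
    """Detector 2: an abused binary launched via a parent/child pair seen
    fewer than min_count times in the baseline (a rare execution chain)."""
    hits = []
    for e in events:
        pair = (basename(e["parent_image"]), basename(e["image"]))
        if pair[1] in ABUSED_BINARIES and baseline[pair] < min_count:
            hits.append(e)
    return hits


def run_detectors(text=SAMPLE_EVENTS, baseline=BASELINE):
    """Run both detectors and return compact (host, ...) tuples per hit."""
    events = parse_events(text)
    return {
        "webshell": [
            (e["host"], basename(e["image"]))
            for e in detect_webshell_children(events)
        ],
        "rare_child": [
            (e["host"], basename(e["parent_image"]), basename(e["image"]))
            for e in detect_rare_children(events, baseline)
        ],
    }


if __name__ == "__main__":
    for name, hits in run_detectors().items():
        print(name, hits)
```

The two detectors overlap on the w3wp.exe-to-cmd.exe and w3wp.exe-to-powershell.exe events, but only the rarity check catches the spoolsv.exe-to-rundll32.exe chain, and only the web-worker check would keep firing if that pairing became common over time; running both gives coverage that neither rule provides alone.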


Recommendations:
- Use or upgrade to a supported SharePoint version:
  - SharePoint Server 2016, 2019, or SharePoint Subscription Edition
- Make sure SharePoint is patched to the latest version:
  - SharePoint 2019 - KB5002741 - Build 16.0.10417.20027
  - SharePoint 2016 - KB5002744 - Build 16.0.5508.1000

- If a patch/update is not an option, consider restricting external access to SharePoint servers.

Our team is actively researching the details and will provide updates after deeply analyzing and assessing the vulnerability, including potential deliverables such as threat hunting queries and visibility insights. Impacted customers will be notified directly.

For further assistance, please don't hesitate to contact us.

Sincerely,
Team Axon
Posted Jul 21, 2025 - 10:34 UTC
This incident affected: Rapid Response.