US cybersecurity agency CISA has urged organisations to “manually inspect and investigate” their SharePoint environments after a wave of attacks that exploited a Microsoft vulnerability and bypasses of its initial patches.
“Malware deployed via .dll payloads in particular is difficult to detect, and can be used to obtain machine keys. Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the IIS web server,” CISA urged IT leaders.
“Even if AMSI is enabled during the rotate, patch, rotate process, IIS must be restarted using iisreset.exe. If IIS is restarted without manually removing malicious module entries from applicationHost.config and web.config files, any malicious modules will persist and reload when IIS restarts.” – CISA, July 31
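The rotate, patch, rotate sequence only helps if the IIS host itself is clean, which is why CISA points at the module entries in applicationHost.config and web.config: a module registered there is loaded again on every restart. The script below is an added example for this article, not CISA's or Microsoft's tooling. It shows where native and managed modules are registered in those two files and reviews them against a known-good baseline, flagging entries that are absent from the baseline, whose image path or assembly type has changed, whose native image sits outside the usual IIS and .NET directories, or whose managed assembly is not strong-named. The config fragments, module names, paths, the baseline and the trusted-directory list are all constructed for the demonstration; the last two checks are heuristics, not indicators from any real incident.

```python
"""Offline review of IIS module registrations against a known-good baseline.

Added example for this article, not CISA's or Microsoft's tooling. Every file
fragment, module name, path and the baseline below is constructed for the
demonstration; none is an indicator from a real incident.
"""
import xml.etree.ElementTree as ET

# Constructed: trimmed applicationHost.config. Native modules are registered in
# <globalModules> with an 'image' path, then enabled by name in <modules>.
APPLICATION_HOST_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="SharePoint14Module" image="C:\Windows\Temp\sp14mod.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
    </modules>
  </system.webServer>
</configuration>
"""

# Constructed: trimmed web.config of a SharePoint web application. Managed
# modules are registered in <modules> with a 'type' naming class and assembly.
WEB_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="SPRequestModule" preCondition="integratedMode" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="SessionHelper" type="SessionHelper.Module, SessionHelper" />
    </modules>
  </system.webServer>
</configuration>
"""

# Constructed baseline: what a clean build of the same server registers. In
# practice capture this from a known-good server or a pre-incident backup.
BASELINE_NATIVE = {
    "HttpLoggingModule": r"%windir%\System32\inetsrv\loghttp.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "ManagedEngineV4.0_64bit": r"%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll",
}
BASELINE_MANAGED = {
    "SPRequestModule": "Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c",
}

# Heuristic (assumption): native IIS module images normally live under these.
TRUSTED_IMAGE_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net\framework",
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net\framework",
)


def parse_modules(xml_text):
    """Return ({name: image} from <globalModules>, {name: type} from <modules>).

    A <modules><add> without a 'type' attribute only enables an already
    registered native module by name, so its value is None.
    """
    root = ET.fromstring(xml_text)
    native = {a.get("name"): a.get("image")
              for gm in root.iter("globalModules") for a in gm.findall("add")}
    managed = {a.get("name"): a.get("type")
               for m in root.iter("modules") for a in m.findall("add")}
    return native, managed


def review(app_host_xml, web_config_xml):
    """Return a list of (module_name, reason) findings for a human to triage."""
    findings = []
    native, enabled = parse_modules(app_host_xml)
    _, managed = parse_modules(web_config_xml)

    for name, image in native.items():
        if name not in BASELINE_NATIVE:
            findings.append((name, "native module not in baseline"))
        elif image != BASELINE_NATIVE[name]:
            findings.append((name, "native module image path changed"))
        norm = (image or "").replace("/", "\\").lower()
        if not norm.startswith(TRUSTED_IMAGE_DIRS):
            findings.append((name, f"image outside trusted directories: {image}"))

    for name in enabled:
        if name not in native:
            findings.append((name, "enabled by name but not registered in globalModules"))

    for name, typ in managed.items():
        if typ is None:
            continue  # name-only enable of a native module, handled above
        if name not in BASELINE_MANAGED:
            findings.append((name, "managed module not in baseline"))
        elif typ != BASELINE_MANAGED[name]:
            findings.append((name, "managed module type changed"))
        if "PublicKeyToken=" not in typ:
            findings.append((name, "assembly is not strong-named"))
    return findings


def flagged_names(app_host_xml, web_config_xml):
    """Distinct module names that produced at least one finding, sorted."""
    return sorted({name for name, _ in review(app_host_xml, web_config_xml)})


if __name__ == "__main__":
    for name, reason in review(APPLICATION_HOST_CONFIG, WEB_CONFIG):
        print(f"{name}: {reason}")
```

Run it against copies of the two files pulled from the server (the SharePoint web.config lives under each web application's IIS site root, applicationHost.config under %windir%\System32\inetsrv\config) and treat every finding as something to investigate rather than auto-remove. Once an entry has been confirmed malicious and removed, the order CISA gives still applies: restart IIS with iisreset.exe and rotate the machine keys again, since a module that was loaded before the restart may already have read them.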
It recently updated its guidance as organisations continue threat-hunting in the wake of a wave of attacks exploiting a zero day later allocated CVE-2025-53770. Internet-exposed on-premises SharePoint servers (2016, 2019 and Subscription Edition) have all been in the blast radius; SharePoint Online in Microsoft 365 is not affected.
Initial attacks by Chinese state-aligned groups have been followed by cybercriminals dropping ransomware. The attackers are stealing the ASP.NET machine keys (the ValidationKey and DecryptionKey) from compromised SharePoint servers. With those keys an attacker can forge validly signed ViewState payloads and regain code execution on a server that has since been patched, so if you patch but don't rotate your keys, they still own your machine.
Palo Alto Networks’ Unit42 said on July 31 that it had spotted post-exploitation deployment of “4L4MD4R ransomware, a variant of the open-source Mauri870 ransomware. A failed exploitation attempt on July 27, 2025, involving an encoded PowerShell command, led to the discovery of a loader designed to download and execute the ransomware from hxxps://ice.theinnovationfactory[.]it/static/4l4md4r.exe (145.239.97[.]206). The PowerShell command attempted to disable real-time monitoring and bypass certificate validation…”
SharePoint CVE-2025-53770 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. CVE-2025-49706 and CVE-2025-49704 were added to KEV on July 22.
CVE-2025-53770 is itself a patch bypass for CVE-2025-49704, the remote code execution bug. Its sibling, CVE-2025-53771 (a patch bypass for the spoofing bug CVE-2025-49706), is also a risk, although Redmond has not confirmed it as actively exploited yet.
Among those reported breached are the US National Nuclear Security Administration, the US Department of Education, and government networks in Europe and the Middle East. The incident comes as CISA warned that in a separate penetration testing engagement for a critical national infrastructure provider in the US it had seen dire basic cyber hygiene – a report that left us thinking we should re-emphasise the SharePoint guidance.
Testing the CNI provider’s security posture it found “insecurely stored credentials; shared local administrator (admin) credentials across many workstations; unrestricted remote access for local admin accounts; insufficient network segmentation configuration between IT and operational technology (OT) assets; and several device misconfigurations.”
- CISA’s latest SharePoint security advisory is here.