SharePoint Under Attack: Microsoft Warns of Zero-Day Exploited in the Wild

Diverging Reports Breakdown

SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access

A cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed “ToolShell,” which gives attackers complete remote control of vulnerable systems without authentication.

Eye Security, a Dutch cybersecurity firm, identified the active exploitation on July 18, 2025, in what security researchers describe as one of the fastest transitions from proof-of-concept to mass exploitation in recent memory.

Key Takeaways

1. A critical SharePoint vulnerability (“ToolShell”) is being actively exploited, giving attackers full, unauthenticated server control.

2. The attack steals server keys to bypass security and install persistent backdoors.

3. Patch immediately and scan for existing compromise, as the patch won’t remove attackers already inside.

From Research to Weaponization in 72 Hours

The vulnerability chain combines two critical security flaws, CVE-2025-49706 and CVE-2025-49704, originally demonstrated at Pwn2Own Berlin 2025 in May by security researchers from CODE WHITE GmbH, a German offensive security firm.

The exploit remained dormant until July 15, 2025, when CODE WHITE publicly shared their detailed findings on social media platforms after Microsoft’s official patch release.

Within just 72 hours of public disclosure, threat actors had successfully operationalized the exploit for large-scale coordinated attacks.

Eye Security’s comprehensive investigation revealed that attackers began systematic mass exploitation on July 18, 2025, around 18:00 Central European Time, initially using IP address 107.191.58.76.

A second distinct wave of attacks emerged from 104.238.159.149 on July 19, 2025, at 07:28 CET, clearly indicating a well-coordinated international campaign.

The ToolShell exploit bypasses traditional authentication mechanisms by targeting SharePoint’s vulnerable /_layouts/15/ToolPane.aspx endpoint.

Unlike conventional web shells designed primarily for command execution, the malicious payload specifically extracts sensitive cryptographic keys from SharePoint servers, including critical ValidationKey and DecryptionKey materials.

“This wasn’t your typical webshell,” explained Eye Security researchers in their detailed technical analysis. “The attacker turns SharePoint’s inherent trust in its own configuration into a powerful weapon.”

Once these cryptographic secrets are obtained, attackers can craft valid __VIEWSTATE payloads and achieve remote code execution without any user credentials.

The attack leverages techniques similar to CVE-2021-28474, exploiting SharePoint’s deserialization and control rendering processes.

With the server’s ValidationKey, attackers can digitally sign malicious payloads that SharePoint accepts as legitimate, trusted input, effectively bypassing existing security controls.

Eye Security’s comprehensive scan of over 1,000 SharePoint servers deployed worldwide revealed dozens of actively compromised systems across multiple organizations.

The cybersecurity firm immediately initiated responsible disclosure procedures, directly contacting all affected organizations and national Computer Emergency Response Teams (CERTs) across Europe and internationally.

ToolShell SharePoint Exploit Attack Statistics and Impact Analysis

Microsoft has officially acknowledged the active exploitation threat, assigning a new CVE identifier (CVE-2025-53770) to track the specific variant being used in live attacks.

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.

We have outlined mitigations and detections in our blog. Our team is working urgently to release… — Security Response (@msftsecresponse) July 20, 2025

The company released comprehensive security patches for all affected versions, including SharePoint Server 2016, 2019, and Subscription Edition, as part of their July 2025 security update cycle.

Organizations running vulnerable SharePoint versions must apply Microsoft’s July 2025 security updates immediately.

The affected builds include SharePoint 2016 versions prior to 16.0.5508.1000 (KB5002744), SharePoint 2019 versions prior to 16.0.10417.20027 (KB5002741), and Subscription Edition versions prior to 16.0.18526.20424.

Microsoft explicitly states that no alternative workarounds exist; only applying the full patch immediately eliminates this critical vulnerability.

SharePoint “ToolShell” Exploit Indicators of Compromise (IoCs)

IoC Type | Indicator | Description
IP Address | 107.191.58[.]76 | Source IP of the first exploit wave on July 18, 2025.
IP Address | 104.238.159[.]149 | Source IP of the second exploit wave on July 19, 2025.
User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User-Agent string used during exploitation. Also seen in URL-encoded form in IIS logs.
URL / Path | POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx | The exploit path used to trigger the initial vulnerability (CVE-2025-49706).
URL / Path | GET /_layouts/15/.aspx | Request to the malicious ASPX file planted to dump cryptographic keys (filename not disclosed).
File Hash (SHA256) | 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030 | Hash of the initial web shell observed.
File Hash (SHA256) | b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70 | Another associated malicious file hash.
File Hash (SHA256) | fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7 | Hash of a payload specifically targeting the __VIEWSTATE.

Organizations must also conduct thorough compromise assessments immediately, as these attacks enable persistent access that survives patching, system reboots, and standard security scans.
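To turn the indicators above into a check a defender can run over IIS logs, here is an added example (my code, not Eye Security’s or Microsoft’s): it parses W3C extended log lines, matches the ToolPane.aspx exploit request, the user agent (plain or URL-encoded) and the two wave IPs, and flags a follow-up GET of an .aspx page under /_layouts/15/ from the same client. The log sample is constructed; the 30-minute follow-up window and the UNKNOWN-NAME.aspx placeholder are assumptions, since the real filename was not disclosed.

```python
"""Triage IIS W3C logs for the ToolShell (CVE-2025-53770) exploit pattern.
Added example, not Eye Security's or Microsoft's code. Assumes IIS W3C extended
logs with the fields named below, UTC timestamps as IIS writes them, and a
30-minute window between the ToolPane POST and the follow-up GET.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Iterator
from urllib.parse import parse_qs, unquote

# Indicators from the article (written defanged there, e.g. 107.191.58[.]76).
WAVE_IPS = {"107.191.58.76", "104.238.159.149"}
EXPLOIT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
              "Gecko/20100101 Firefox/120.0")
EXPLOIT_STEM = "/_layouts/15/toolpane.aspx"
FOLLOWUP_WINDOW = timedelta(minutes=30)  # assumption, not from the article


@dataclass
class Request:
    ts: datetime
    client_ip: str
    method: str
    path: str
    query: str
    user_agent: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Request]:
    """Parse W3C extended log lines, honouring the #Fields: directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed row; a real tool would report it
        row = dict(zip(fields, cols))
        # IIS writes UA spaces as '+', and the attackers' UA was also seen
        # URL-encoded, so normalise both forms before comparing.
        ua = unquote(row["cs(User-Agent)"].replace("+", " "))
        yield Request(
            ts=datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S"),
            client_ip=row["c-ip"], method=row["cs-method"].upper(),
            path=unquote(row["cs-uri-stem"]), query=unquote(row["cs-uri-query"]),
            user_agent=ua)


def is_toolpane_exploit(req: Request) -> bool:
    """CVE-2025-49706 trigger: POST ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx."""
    if req.method != "POST" or req.path.lower() != EXPLOIT_STEM:
        return False
    qs = parse_qs(req.query.lower())
    return qs.get("displaymode") == ["edit"] and "/toolpane.aspx" in qs.get("a", [])


def triage(lines: Iterable[str]) -> list:
    """Return (timestamp, ip, method, path, reasons) for each suspicious request."""
    findings, first_exploit = [], {}  # first_exploit: client IP -> ToolPane POST time
    for req in sorted(parse_w3c(lines), key=lambda r: r.ts):
        reasons = []
        if is_toolpane_exploit(req):
            reasons.append("toolpane-exploit-post")
            first_exploit.setdefault(req.client_ip, req.ts)
        if req.client_ip in WAVE_IPS:
            reasons.append("known-wave-ip")
        if req.user_agent == EXPLOIT_UA:
            reasons.append("exploit-user-agent")  # weak alone: a stock Firefox UA
        # The key-dumping page was served as a new .aspx under /_layouts/15/;
        # flag any such GET shortly after an exploit POST from the same client.
        p, t0 = req.path.lower(), first_exploit.get(req.client_ip)
        if (req.method == "GET" and p.startswith("/_layouts/15/") and p.endswith(".aspx")
                and p != EXPLOIT_STEM and t0 is not None
                and timedelta(0) <= req.ts - t0 <= FOLLOWUP_WINDOW):
            reasons.append("post-exploit-aspx-get")
        if reasons:
            findings.append((req.ts.isoformat(), req.client_ip, req.method,
                             req.path, tuple(reasons)))
    return findings


# Constructed sample: one benign visitor, then the first-wave IP running the
# exploit and fetching the planted page (its real filename was not disclosed).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-07-18 16:02:11 203.0.113.10 GET /_layouts/15/start.aspx - 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0
2025-07-18 16:05:40 107.191.58.76 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0
2025-07-18 16:06:03 107.191.58.76 GET /_layouts/15/UNKNOWN-NAME.aspx - 200 Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64%3B%20rv%3A120.0)%20Gecko%2F20100101%20Firefox%2F120.0
2025-07-18 16:30:00 203.0.113.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 403 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0
"""
```

Running `triage(SAMPLE_LOG.splitlines())` reports only the two first-wave-IP requests; the benign editor’s DisplayMode=Edit POST without the `a=/ToolPane.aspx` parameter is not flagged.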


Source: Cybersecuritynews.com

Microsoft warns of 66 flaws to fix for this Patch Tuesday

It’s Patch Tuesday time again, and Microsoft is warning that there are a bunch of critical fixes to sort out – and two actively exploited bugs.

Redmond reported 66 flaws to be fixed in its monthly patch bundle, including one that was a zero-day until 1000 Pacific Time today. There are ten critical patches, but two of the important ones are under active exploitation, and Microsoft has taken the unusual step of issuing patches for one bug all the way back to out-of-support platforms like Windows Server 2008 and the three-years-dead Internet Explorer’s underlying components.

The hole, CVE-2025-33053, has been exploited since March by the Stealth Falcon hacking crew, who have been active for over 10 years and have made a name for themselves exploiting zero-days in targeted attacks across the Middle East. The vulnerability is in the Web Distributed Authoring and Versioning (WebDAV) remote file sharing and collaboration extension, and it’s a one-click hit – follow the wrong link, and the attacker can do remote code execution at the local level.

The CVSS 8.8-ranked flaw was found by researchers at Check Point when it was used against a Turkish defense company to insert malware that allowed for data exfiltration and included a custom keylogger.

Here’s what Eli Smadja, a research group manager at Check Point, told us about the attack via email:

The attack starts when the victim clicks on a URL file disguised as a PDF. This strategy is often used in highly targeted spear-phishing campaigns, such as those carried out by Stealth Falcon. Attackers carefully create email content and attachment names to look genuine and lure the target into clicking. The write-up lacks examples of recent attack emails. However, the URL file’s name we discovered was precisely customized for the target, leading us to believe that the email itself would also be aimed specifically at them. Moreover, the older emails referenced in the write-up were crafted to suit their particular targets.

The second exploited flaw is in the Chromium V8 JavaScript engine from Google that Edge uses. Google patched CVE-2025-5419 last week and now Redmond is adding it to its bundle to mask off the memory corruption issue.

Cover those crits

Next on the priority list should be CVE-2025-33073, an escalation of privilege vulnerability in the Windows SMB Client that has been publicly disclosed with proof-of-concept code, but not yet exploited. Also rated CVSS 8.8, it would allow an attacker to get SYSTEM privileges if the user was tricked into signing onto a malicious server.

There are ten critical issues that should be on the to-do-as-soon-as-possible list. Four of them are in Office, all with CVSS 8.4 scores, the first three tagged as “Exploitation More Likely,” and they all use the Preview Pane as a way to gain access.

CVE-2025-47162 – A heap-based buffer overflow bug that allows local attackers to execute arbitrary code.

CVE-2025-47164 – A use-after-free vulnerability that can lead to arbitrary code execution via local access.

CVE-2025-47167 – A type confusion bug that enables local code execution. Microsoft 365 users may not see the fix immediately, depending on their update channel.

CVE-2025-47953 – A use-after-free flaw that enables local code execution. Microsoft considers this one less likely to be exploited.

There are four more critical remote code execution patches:

CVE-2025-47172 for SharePoint, which would allow an authenticated network attacker to execute code remotely.

CVE-2025-29828, which fixes a memory leakage problem in Windows Schannel.

CVE-2025-32710 for Remote Desktop Gateway, which would allow unauthorized access to the target machine.

CVE-2025-33071 for Windows KDC Proxy Service, which Microsoft describes as a “cryptographic protocol vulnerability.”

The remaining two critical fixes are CVE-2025-47966 and CVE-2025-33070, both elevation-of-privilege flaws. The first, in Microsoft Power Automate, carries a CVSS score of 9.8 and was patched earlier this month, after Microsoft flagged its high-risk potential. The second affects Windows Netlogon and, according to Microsoft, would require a “complex” attack to exploit, but it is still worth patching.

Outside the critical pile, this month’s patch batch includes a raft of important updates for Office and the Storage Management Provider.

Adobe and the rest

Users of Adobe Commerce need to get moving, as Adobe has placed these on its priority one to-fix list, whereas all its other patches get the lowest priority-three ranking.

The Commerce fixes are for versions 2.4.8 and older, and there are fixes for Commerce B2B for anyone running version 1.5.2 and below. Magento Open Source from version 2.4.8 also needs a fast fix. Thankfully there are no known exploits for this so far.

The award for the largest update by Adobe goes to Experience Manager, which contains fixes for 254 CVEs – mostly important but with two criticals and two moderates. The important fixes are all cross-site scripting issues that would allow arbitrary code execution.

Adobe’s flagship app Acrobat gets 10 fixes, four of them critical, including three use-after-free memory issues in Windows and macOS systems. Unusually there’s nothing to fix in Photoshop this month.

InDesign gets nine patches, five of which are critical and would, if exploited, allow code execution. Meanwhile InCopy has a couple of critical out-of-bounds flaws to fix, as does Substance 3D Sampler, while 3D Painter gets a single critical with the same type of issue.

Fortinet’s software fixers have had a busy time of it thanks to security researchers at the telco Orange, who found the CVE-2023-42788 flaw in FortiAnalyzer 7.4 a couple of years back. Last month, the issue was patched in FortiManager Cloud, and this month FortiAnalyzer-Cloud also got an update to sort out the issue.

SAP traditionally piggybacks on Patch Tuesday as well, and this month was no exception, with 14 issues sorted out. The only critical patch is CVE-2025-42989, an issue with the NetWeaver Application Server, which gets a 9.6 CVSS score, while the rest are mostly missing authorization checks in S/4HANA.

Source: Theregister.com

Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day

Microsoft has released its June 2025 Patch Tuesday security updates, addressing a total of 66 vulnerabilities across its software ecosystem.

This month’s updates include fixes for ten critical vulnerabilities and two zero-day flaws, one of which is actively exploited in the wild and another that was publicly disclosed.

The patches cover a wide range of products, including Windows, Microsoft Office, .NET, Visual Studio, and more.

Microsoft Patch Tuesday June – Key Highlights

66 vulnerabilities patched, including 13 elevation of privilege, 25 remote code execution, 17 information disclosure, 6 denial of service, 3 security feature bypass, and 2 spoofing vulnerabilities.

Ten critical vulnerabilities, with eight remote code execution flaws and two elevation of privilege bugs.

Two zero-day vulnerabilities, one actively exploited and one publicly disclosed, posing immediate risks to unpatched systems.

Updates do not include fixes for Mariner, Microsoft Edge, or Power Automate, which were addressed earlier this month.

Here is a table listing the vulnerabilities, with those rated as Critical at the top, followed by the Important vulnerabilities:

Two Zero-Day Vulnerabilities in Focus

1. CVE-2025-33053 – Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability (Actively Exploited)

This actively exploited zero-day vulnerability affects Microsoft Windows Web Distributed Authoring and Versioning (WebDAV).

Discovered by Alexandra Gofman and David Driker of Check Point Research, the flaw allows a remote attacker to execute arbitrary code on a victim’s system if the user clicks a specially crafted WebDAV URL.

According to Check Point Research, “Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.” Microsoft has confirmed that the vulnerability is being exploited in the wild, though specific details about the attacks remain undisclosed.

2. CVE-2025-33073 – Windows SMB Client Elevation of Privilege Vulnerability (Publicly Disclosed)

This publicly disclosed zero-day vulnerability resides in the Windows SMB (Server Message Block) client, enabling attackers to gain SYSTEM-level privileges on vulnerable devices.

Microsoft explains that “improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network” by executing a malicious script that coerces the victim’s machine to authenticate via SMB to the attacker’s system.

The flaw was reported by multiple researchers, including Keisuke Hirata (CrowdStrike), Synacktiv, Stefan Walter (SySS GmbH), RedTeam Pentesting GmbH, and James Forshaw (Google Project Zero).

BornCity noted that DFN-CERT issued warnings about the flaw following alerts from RedTeam Pentesting.

While a patch is now available, Microsoft suggests mitigating the issue by enforcing server-side SMB signing through Group Policy.

Critical Vulnerabilities Addressed

Among the ten critical vulnerabilities patched, eight are remote code execution flaws affecting products like Microsoft Office, SharePoint Server, Windows Cryptographic Services, Windows KDC Proxy Service, Windows Netlogon, and Windows Remote Desktop Services.

The two critical elevation of privilege vulnerabilities impact Windows Netlogon and other components.

These critical flaws could allow attackers to take full control of affected systems, making timely patching essential.

Notable critical vulnerabilities include:

CVE-2025-47164, CVE-2025-47167, CVE-2025-47162, CVE-2025-47953 (Microsoft Office): Remote code execution vulnerabilities that could allow attackers to execute malicious code via specially crafted Office files.

CVE-2025-47172 (Microsoft SharePoint Server): A critical remote code execution flaw that could compromise SharePoint environments.

CVE-2025-29828 (Windows Schannel): A critical remote code execution vulnerability in Windows Cryptographic Services.

CVE-2025-32710 (Windows Remote Desktop Services): A critical remote code execution flaw that could be exploited over a network.

The June 2025 Patch Tuesday also addresses numerous important-severity vulnerabilities, including:

Windows Storage Management Provider: Thirteen information disclosure vulnerabilities (e.g., CVE-2025-24065, CVE-2025-33055) that could leak sensitive data.

Microsoft Office Components: Multiple remote code execution flaws in Excel, Outlook, PowerPoint, and Word (e.g., CVE-2025-47165, CVE-2025-47171, CVE-2025-47175).

Windows SMB: Another elevation of privilege vulnerability (CVE-2025-32718) alongside the zero-day CVE-2025-33073.

Windows Secure Boot: A security feature bypass vulnerability (CVE-2025-3052) in InsydeH2O, reported by Cert CC.

Tag | CVE ID | CVE Title | Severity
Microsoft Office | CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2025-47172 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical
Windows Cryptographic Services | CVE-2025-29828 | Windows Schannel Remote Code Execution Vulnerability | Critical
Windows KDC Proxy Service (KPSSVC) | CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | Critical
Windows Netlogon | CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability | Critical
Windows Remote Desktop Services | CVE-2025-32710 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical
.NET and Visual Studio | CVE-2025-30399 | .NET and Visual Studio Remote Code Execution Vulnerability | Important
App Control for Business (WDAC) | CVE-2025-33069 | Windows App Control for Business Security Feature Bypass Vulnerability | Important
Microsoft AutoUpdate (MAU) | CVE-2025-47968 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important
Microsoft Local Security Authority Server (lsasrv) | CVE-2025-33056 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important
Microsoft Office | CVE-2025-47173 | Microsoft Office Remote Code Execution Vulnerability | Important
Microsoft Office Excel | CVE-2025-47165 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Excel | CVE-2025-47174 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Outlook | CVE-2025-47171 | Microsoft Outlook Remote Code Execution Vulnerability | Important
Microsoft Office Outlook | CVE-2025-47176 | Microsoft Outlook Remote Code Execution Vulnerability | Important
Microsoft Office PowerPoint | CVE-2025-47175 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2025-47166 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2025-47163 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47170 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47957 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47169 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47168 | Microsoft Word Remote Code Execution Vulnerability | Important
Nuance Digital Engagement Platform | CVE-2025-47977 | Nuance Digital Engagement Platform Spoofing Vulnerability | Important
Remote Desktop Client | CVE-2025-32715 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important
Visual Studio | CVE-2025-47959 | Visual Studio Remote Code Execution Vulnerability | Important
WebDAV | CVE-2025-33053 | Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability | Important
Windows Common Log File System Driver | CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important
Windows DHCP Server | CVE-2025-33050 | DHCP Server Service Denial of Service Vulnerability | Important
Windows DHCP Server | CVE-2025-32725 | DHCP Server Service Denial of Service Vulnerability | Important
Windows DWM Core Library | CVE-2025-33052 | Windows DWM Core Library Information Disclosure Vulnerability | Important
Windows Hello | CVE-2025-47969 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability | Important
Windows Installer | CVE-2025-33075 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows Installer | CVE-2025-32714 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows Kernel | CVE-2025-33067 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important
Windows Local Security Authority (LSA) | CVE-2025-33057 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important
Windows Local Security Authority Subsystem Service (LSASS) | CVE-2025-32724 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important
Windows Media | CVE-2025-32716 | Windows Media Elevation of Privilege Vulnerability | Important
Windows Recovery Driver | CVE-2025-32721 | Windows Recovery Driver Elevation of Privilege Vulnerability | Important
Windows Remote Access Connection Manager | CVE-2025-47955 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important
Windows Routing and Remote Access Service (RRAS) | CVE-2025-33064 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important
Windows Routing and Remote Access Service (RRAS) | CVE-2025-33066 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important
Windows SDK | CVE-2025-47962 | Windows SDK Elevation of Privilege Vulnerability | Important
Windows Secure Boot | CVE-2025-3052 | Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass | Important
Windows Security App | CVE-2025-47956 | Windows Security App Spoofing Vulnerability | Important
Windows Shell | CVE-2025-47160 | Windows Shortcut Files Security Feature Bypass Vulnerability | Important
Windows SMB | CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | Important
Windows SMB | CVE-2025-32718 | Windows SMB Client Elevation of Privilege Vulnerability | Important
Windows Standards-Based Storage Management Service | CVE-2025-33068 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24068 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24069 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-32719 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-32720 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33055 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33058 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33059 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33060 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33061 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33062 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33063 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Port Driver | CVE-2025-32722 | Windows Storage Port Driver Information Disclosure Vulnerability | Important
Windows Win32K – GRFX | CVE-2025-32712 | Win32k Elevation of Privilege Vulnerability | Important

Updates from Other Vendors

In addition to Microsoft, several other vendors released security updates in June 2025:

Adobe: Patches for InCopy, Experience Manager, Commerce, InDesign, and Acrobat Reader.

Cisco: Fixes for three vulnerabilities in Identity Services Engine and Customer Collaboration Platform.

Fortinet: Updates for an OS command injection flaw in FortiManager and FortiAnalyzer.

Google: Android and Chrome updates, including a fix for an actively exploited Chrome zero-day.

SAP: Security updates for a critical missing authorization check in SAP NetWeaver.

Recommendations

Organizations and individuals are urged to apply the June 2025 Patch Tuesday updates as soon as possible, particularly due to the actively exploited zero-day (CVE-2025-33053) and the publicly disclosed flaw (CVE-2025-33073).

Prioritize patching systems exposed to the internet, such as those running WebDAV or SMB services, and ensure critical vulnerabilities in Office and Windows components are addressed promptly.

For more details on non-security updates, refer to Microsoft’s articles on Windows 11 KB5060842 and KB5060999, and Windows 10 KB5060533 cumulative updates. To view the full list of resolved vulnerabilities, visit Microsoft’s Security Update Guide.


Source: Gbhackers.com

Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

Today is Microsoft’s June 2025 Patch Tuesday, which includes security updates for 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed.

This Patch Tuesday also fixes ten “Critical” vulnerabilities, eight being remote code execution vulnerabilities and two being elevation of privilege bugs.

The number of bugs in each vulnerability category is listed below:

13 Elevation of Privilege Vulnerabilities

3 Security Feature Bypass Vulnerabilities

25 Remote Code Execution Vulnerabilities

17 Information Disclosure Vulnerabilities

6 Denial of Service Vulnerabilities

2 Spoofing Vulnerabilities

This count does not include Mariner, Microsoft Edge, and Power Automate flaws fixed earlier this month.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5060842 and KB5060999 cumulative updates and the Windows 10 KB5060533 cumulative update.

Two zero-days

This month’s Patch Tuesday fixes one actively exploited zero-day and one publicly disclosed vulnerability. Microsoft classifies a flaw as a zero-day if it was publicly disclosed or actively exploited before an official fix was available.

The actively exploited zero-day vulnerability in today’s updates is:

CVE-2025-33053 – Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability

Microsoft fixed a remote code execution vulnerability discovered by Check Point Research.

“A remote code execution vulnerability exists in Microsoft Windows Web Distributed Authoring and Versioning. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system,” reads a Check Point Research advisory.

Microsoft’s advisory further states that a user must click on a specially crafted WebDAV URL for the flaw to be exploited.

A new report by Check Point Research explains that CVE-2025-33053 was exploited in zero-day attacks by an APT group named “Stealth Falcon”.

“In March 2025, Check Point Research identified an attempted cyberattack against a defense company in Turkey,” explained Check Point.

“The threat actors used a previously undisclosed technique to execute files hosted on a WebDAV server they controlled, by manipulating the working directory of a legitimate built-in Windows tool.”

“Following responsible disclosure, Microsoft assigned the vulnerability CVE-2025-33053 and released a patch on June 10, 2025, as part of their June Patch Tuesday updates.”

Microsoft attributes the discovery of this flaw to Alexandra Gofman and David Driker (Check Point Research).

The publicly disclosed zero-day is:

CVE-2025-33073 – Windows SMB Client Elevation of Privilege Vulnerability

Microsoft fixes a flaw in Windows SMB that allows attackers to gain SYSTEM privileges on vulnerable devices.

“Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network,” explains Microsoft.

“To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege,” further explains Microsoft.

Microsoft has not shared how the flaw was publicly disclosed. However, BornCity reports that DFN-CERT (the Computer Emergency Response Team of the German Research Network) began circulating warnings from RedTeam Pentesting about the flaw this week.

While an update is now available, the flaw can reportedly be mitigated by enforcing server-side SMB signing via Group Policy (the “Microsoft network server: Digitally sign communications (always)” setting).

Microsoft attributes the discovery of this flaw to multiple researchers, including Keisuke Hirata with CrowdStrike, Synacktiv research with Synacktiv, Stefan Walter with SySS GmbH, RedTeam Pentesting GmbH, and James Forshaw of Google Project Zero.

Recent updates from other companies

Other vendors who released updates or advisories in June 2025 include:

The June 2025 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the June 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Tag | CVE ID | CVE Title | Severity
.NET and Visual Studio | CVE-2025-30399 | .NET and Visual Studio Remote Code Execution Vulnerability | Important
App Control for Business (WDAC) | CVE-2025-33069 | Windows App Control for Business Security Feature Bypass Vulnerability | Important
Microsoft AutoUpdate (MAU) | CVE-2025-47968 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important
Microsoft Local Security Authority Server (lsasrv) | CVE-2025-33056 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important
Microsoft Office | CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47173 | Microsoft Office Remote Code Execution Vulnerability | Important
Microsoft Office | CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office Excel | CVE-2025-47165 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Excel | CVE-2025-47174 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Outlook | CVE-2025-47171 | Microsoft Outlook Remote Code Execution Vulnerability | Important
Microsoft Office Outlook | CVE-2025-47176 | Microsoft Outlook Remote Code Execution Vulnerability | Important
Microsoft Office PowerPoint | CVE-2025-47175 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2025-47172 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2025-47166 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2025-47163 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47170 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47957 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47169 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47168 | Microsoft Word Remote Code Execution Vulnerability | Important
Nuance Digital Engagement Platform | CVE-2025-47977 | Nuance Digital Engagement Platform Spoofing Vulnerability | Important
Remote Desktop Client | CVE-2025-32715 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important
Visual Studio | CVE-2025-47959 | Visual Studio Remote Code Execution Vulnerability | Important
WebDAV | CVE-2025-33053 | Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability | Important
Windows Common Log File System Driver | CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important
Windows Cryptographic Services | CVE-2025-29828 | Windows Schannel Remote Code Execution Vulnerability | Critical
Windows DHCP Server | CVE-2025-33050 | DHCP Server Service Denial of Service Vulnerability | Important
Windows DHCP Server | CVE-2025-32725 | DHCP Server Service Denial of Service Vulnerability | Important
Windows DWM Core Library | CVE-2025-33052 | Windows DWM Core Library Information Disclosure Vulnerability | Important
Windows Hello | CVE-2025-47969 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability | Important
Windows Installer | CVE-2025-33075 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows Installer | CVE-2025-32714 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows KDC Proxy Service (KPSSVC) | CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | Critical
Windows Kernel | CVE-2025-33067 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important
Windows Local Security Authority (LSA) | CVE-2025-33057 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important
Windows Local Security Authority Subsystem Service (LSASS) | CVE-2025-32724 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important
Windows Media | CVE-2025-32716 | Windows Media Elevation of Privilege Vulnerability | Important
Windows Netlogon | CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability | Critical
Windows Recovery Driver | CVE-2025-32721 | Windows Recovery Driver Elevation of Privilege Vulnerability | Important
Windows Remote Access Connection Manager | CVE-2025-47955 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important
Windows Remote Desktop Services | CVE-2025-32710 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical
Windows Routing and Remote Access Service (RRAS) | CVE-2025-33064 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important
Windows Routing and Remote Access Service (RRAS) | CVE-2025-33066 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important
Windows SDK | CVE-2025-47962 | Windows SDK Elevation of Privilege Vulnerability | Important
Windows Secure Boot | CVE-2025-3052 | Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass | Important
Windows Security App | CVE-2025-47956 | Windows Security App Spoofing Vulnerability | Important
Windows Shell | CVE-2025-47160 | Windows Shortcut Files Security Feature Bypass Vulnerability | Important
Windows SMB | CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | Important
Windows SMB | CVE-2025-32718 | Windows SMB Client Elevation of Privilege Vulnerability | Important
Windows Standards-Based Storage Management Service | CVE-2025-33068 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important
Windows Storage Management Provider | CVE-2025-32719 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24068 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33055 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24069 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33060 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33059 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33062 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33061 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33058 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-32720 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33063 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Port Driver | CVE-2025-32722 | Windows Storage Port Driver Information Disclosure Vulnerability | Important
Windows Win32K – GRFX | CVE-2025-32712 | Win32k Elevation of Privilege Vulnerability | Important

Source: Bleepingcomputer.com

Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available. At least 85 servers have already been compromised worldwide. Microsoft states that the flaw does not impact Microsoft 365 and is working on a security update, which will be released as soon as possible. In the meantime, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers; the company notes that AMSI integration is enabled by default since the September 2023 security updates for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. To detect whether a SharePoint server has been compromised, admins can check whether C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx exists. Microsoft also shared a Microsoft 365 Defender query that can be used to check for this file.

A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.

In May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a “ToolShell” attack demonstrated at Pwn2Own Berlin to achieve remote code execution.

While Microsoft patched both ToolShell flaws as part of the July Patch Tuesday, it is now warning that a variant of CVE-2025-49706, tracked as CVE-2025-53770, is being actively exploited in the wild.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers,” warns Microsoft.

“The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.”

Microsoft states that the flaw does not impact Microsoft 365 and is working on a security update, which will be released as soon as possible.

To mitigate the flaw, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers.

Microsoft AMSI (Antimalware Scan Interface) is a security feature that allows applications and services to pass potentially malicious content to an installed antivirus solution for real-time scanning. It’s commonly used to inspect scripts and code in memory, helping detect and block obfuscated or dynamic threats.

Microsoft says that enabling these mitigations will prevent unauthenticated attacks from exploiting the flaw.

The company notes that this feature is enabled by default since the September 2023 security updates for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

If you cannot enable AMSI, Microsoft says that SharePoint servers should be disconnected from the internet until a security update is released.

To detect if a SharePoint server has been compromised, admins can check if the C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx exists.

Microsoft also shared the following Microsoft 365 Defender query that can be used to check for this file:

DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc

Further IOCs and technical information are shared below.

Exploited in RCE attacks

The Microsoft SharePoint zero-day attacks were first identified by Dutch cybersecurity firm Eye Security, which told BleepingComputer that 29 organizations have already been compromised by the attacks.

Eye Security first observed attacks on July 18th after receiving an alert from one of their customers’ EDR agents that a suspicious process tied to an uploaded malicious .aspx file was launched.

IIS logs showed that a POST request was made to _layouts/15/ToolPane.aspx with an HTTP referer of /_layouts/SignOut.aspx.

Upon investigation, it was determined that threat actors weaponized the Pwn2Own ToolShell vulnerability soon after CODE WHITE GmbH replicated the exploit and Soroush Dalili shared further technical details about the HTTP Referer header last week.

“We have reproduced ‘ToolShell’, the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it’s really just one request!,” posted CODE WHITE GmbH to X.

Demonstration of the Microsoft SharePoint ToolShell exploit (image; source: CODE WHITE GmbH)

As part of the exploitation, attackers upload a file named “spinstall0.aspx,” which is used to steal the Microsoft SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey.

“Now, with the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers appear to extract the ValidationKey directly from memory or configuration,” explains Eye Security.

“Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads using a tool called ysoserial as shown in the example below.

“Using ysoserial the attacker can generate its own valid SharePoint tokens for RCE.”

Malicious spinstall0.aspx used to steal the ValidationKey (image; source: BleepingComputer)

ViewState is used by ASP.NET, which powers SharePoint, to persist the state of web controls between requests: it is a serialized blob that the client posts back in the __VIEWSTATE form field. ASP.NET protects it with a MAC computed under the server’s ValidationKey, so a client that does not hold the key cannot alter it without the server rejecting the postback. If that key is exposed, an attacker can sign a ViewState of their own that carries a serialized payload, and the server executes it when it deserializes the field.
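To make the trust relationship concrete, here is a toy model of ViewState MAC validation. It is an added example, not code from the article, Eye Security or Microsoft, and it is deliberately simplified: state is JSON and the MAC is a plain HMAC-SHA256 under the ValidationKey, whereas real ASP.NET uses its own serializer and derives purpose-specific keys. What it does reproduce is the only check the server performs before deserializing, and why holding the key is enough to pass it. The key, state values and placeholder payload are all constructed.

```python
"""Toy model of ASP.NET ViewState MAC validation (added example, not the real
implementation). State is JSON; the MAC is HMAC-SHA256 under the ValidationKey."""
import base64
import hashlib
import hmac
import json
import os

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: dict, validation_key: bytes) -> str:
    """Server side: serialize the state and append a MAC so the client cannot alter it."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(token: str, validation_key: bytes):
    """Server side on postback: return the state if the MAC is valid, else None.
    The None branch is the model's equivalent of 'Validation of viewstate MAC failed'."""
    blob = base64.b64decode(token)
    if len(blob) <= MAC_LEN:
        return None
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def tamper_without_key(token: str, new_state: dict) -> str:
    """Attacker without the key: replace the state but reuse the old MAC."""
    blob = base64.b64decode(token)
    old_mac = blob[-MAC_LEN:]
    payload = json.dumps(new_state, sort_keys=True).encode()
    return base64.b64encode(payload + old_mac).decode()


def demo() -> dict:
    """Compare a tampered ViewState against one forged with the server's own key."""
    server_key = os.urandom(64)  # stands in for the farm's MachineKey ValidationKey
    legit = sign_viewstate({"page": "Home.aspx", "sort": "asc"}, server_key)

    # Placeholder for attacker-controlled serialized content. Its value is irrelevant
    # to the MAC check, which is the only gate in front of deserialization.
    hostile = {"page": "Home.aspx", "control_state": "<attacker-controlled serialized object>"}

    tampered = tamper_without_key(legit, hostile)
    stolen_key = server_key  # what a key-stealing web shell hands the attacker
    forged = sign_viewstate(hostile, stolen_key)

    return {
        "legit_accepted": verify_viewstate(legit, server_key) is not None,
        "tampered_accepted": verify_viewstate(tampered, server_key) is not None,
        "forged_with_stolen_key_accepted": verify_viewstate(forged, server_key) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the point of the spinstall0.aspx stage described above: once the ValidationKey has left the server, a request forged with it is indistinguishable from a legitimate postback, whether or not the web shell is still on disk.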

Eye Security CTO Piet​​​​ Kerkhofs told BleepingComputer that they have conducted scans of the internet for compromised servers and found 29 organizations impacted in the attacks.

“Although we identified 85+ compromised SharePoint Servers worldwide, we were able to cluster them down to the organizations affected,” Kerkhofs told BleepingComputer.

“When clustered, we can confirm 29 organisations have been fallen victim. Of those 29 organisations, there are several multi-nationals and national government entities.”

Kerkhofs also told BleepingComputer that some firewall vendors are successfully blocking CVE-2025-49704 payloads attached to HTTP POST requests. However, Kerkhofs warned that if the attackers can bypass the signature, many more SharePoint servers will likely be hit.

The following IOCs were shared to help defenders determine if their SharePoint servers were compromised:

Exploitation from IP address 107.191.58[.]76 seen by Eye Security on July 18th.

Exploitation from IP address 104.238.159[.]149 seen by Eye Security on July 19th.

Exploitation from IP address 96.9.125[.]147 seen by Palo Alto Networks.

Creation of the C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx file.

IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP referer of _layouts/SignOut.aspx.

If the presence of any of these IOCs is detected in IIS logs or the file system, administrators should assume their server has been compromised and immediately take it offline.

Further investigations should be conducted to determine if the threat actors spread further to other devices.
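The IIS-log and file-system indicators listed above can be checked offline against exported logs with a short script. The following is an added example, not code from the article, Eye Security or Microsoft. The W3C log lines are constructed, the long-name expansion of the 8.3 LAYOUTS path is an assumption about a default install, and the indicator IPs are the ones quoted above with the defanging brackets removed. Note that legitimate page editors also POST to ToolPane.aspx in edit mode, so the script keys on the SignOut.aspx referer rather than the query string alone.

```python
"""Offline hunt for ToolShell indicators in IIS W3C logs and the SharePoint
LAYOUTS folder. Added example; the sample log lines below are constructed."""
import os
import re
from typing import Dict, Iterable, List

# Source IPs reported by Eye Security and Palo Alto Networks (defanging removed).
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Request shape from the IOC list: POST to ToolPane.aspx with SignOut.aspx as Referer.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.I)

# 8.3 path from the article plus its usual long-name form (assumption: default hive location).
LAYOUTS_DIRS = [
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
]

# Constructed IIS log: one benign browse, the reported exploit request, a fetch of the
# dropped web shell, and a legitimate page edit that also hits ToolPane.aspx.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:03:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.23 Mozilla/5.0 https://sp.contoso.example/sites/hr 200 0 0 120
2025-07-18 14:05:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
2025-07-18 14:05:47 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 python-requests/2.32 - 200 0 0 45
2025-07-18 14:06:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.23 Mozilla/5.0 https://sp.contoso.example/sites/hr/SitePages/Home.aspx 200 0 0 88
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Map each data line onto the column names of the most recent #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records


def is_toolshell_request(rec: Dict[str, str]) -> bool:
    """POST to ToolPane.aspx whose Referer is the sign-out page."""
    return (
        rec.get("cs-method", "").upper() == "POST"
        and TOOLPANE_RE.search(rec.get("cs-uri-stem", "")) is not None
        and SIGNOUT_RE.search(rec.get("cs(Referer)", "")) is not None
    )


def hunt_iis(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per log record that matches any indicator, with the reasons."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        reasons = []
        if is_toolshell_request(rec):
            reasons.append("POST ToolPane.aspx with SignOut.aspx referer")
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            reasons.append("known exploitation source IP")
        if "spinstall0" in rec.get("cs-uri-stem", "").lower():
            reasons.append("request to spinstall0.aspx")
        if reasons:
            hits.append({
                "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "c-ip": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "query": rec.get("cs-uri-query"),
                "reasons": reasons,
            })
    return hits


def find_spinstall(dirs: Iterable[str] = LAYOUTS_DIRS) -> List[str]:
    """Return the path of any spinstall0* file in the given LAYOUTS directories."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if name.lower().startswith("spinstall0"):
                found.append(os.path.join(d, name))
    return found


if __name__ == "__main__":
    for hit in hunt_iis(SAMPLE_LOG.splitlines()):
        print(hit)
    print("web shell on disk:", find_spinstall() or "none")
```

Against the constructed log the script flags the exploit POST and the follow-up fetch of spinstall0.aspx and leaves the legitimate page edit alone. Run on real logs, any hit should be treated as the article advises: assume compromise and take the server offline before investigating further.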

This is a developing story and will be updated as new information becomes available.

Source: Bleepingcomputer.com

Source: https://www.securityweek.com/sharepoint-under-attack-microsoft-warns-of-zero-day-exploited-in-the-wild-no-patch-available/
