Zero Day Archives | CyberMaxx
https://www.cybermaxx.com/resources/category/zero-day/
Assess, Monitor, and Manage
Feed last updated: Mon, 21 Jul 2025 14:07:56 +0000

CVE-2025-53770: SharePoint “ToolShell” Zero-Day Exploit – What You Need to Know
https://www.cybermaxx.com/resources/cve-2025-53770-sharepoint-toolshell-zero-day-exploit-what-you-need-to-know/
Mon, 21 Jul 2025 14:00:37 +0000

On July 19, 2025, Microsoft confirmed active exploitation of a critical vulnerability in SharePoint Server, now tracked as CVE-2025-53770. This zero-day flaw, dubbed “ToolShell” by researchers, allows attackers to execute arbitrary code remotely without authentication and to maintain long-term persistence by stealing cryptographic keys.

SharePoint is a widely used collaboration platform, and this vulnerability targets core components in the SharePoint web interface. As of July 21, emergency patches have been released for SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. If your environment includes on-prem SharePoint servers, you should treat this vulnerability as a priority.

What Is CVE-2025-53770?

CVE-2025-53770 is a remote code execution (RCE) vulnerability in Microsoft SharePoint Server, classified by Microsoft as deserialization of untrusted data. Attackers send specially crafted HTTP POST requests to endpoints such as /_layouts/15/ToolPane.aspx, a page normally used to manage web part settings, and reach it without credentials by spoofing the Referer header so that SharePoint's authentication check for that page is skipped. Because SharePoint then deserializes attacker-controlled ViewState data carried in the request, the attacker obtains arbitrary code execution on the server.

This exploit does not require prior authentication. A successful attack gives the adversary the ability to upload files, run PowerShell commands, steal cryptographic secrets, or establish persistent access to the server.

In many observed cases, the attackers drop a file named spinstall0.aspx inside SharePoint’s \LAYOUTS\ directory. Although it is widely described as a web shell, it is less an interactive shell than a key dumper: when requested, it reads the server’s ASP.NET MachineKey configuration and returns the validation and decryption keys, the cryptographic values that secure cookies, authentication tokens, and ViewState.

What Can an Attacker Do?

Once CVE-2025-53770 is exploited successfully, an attacker can:

  • Upload a web shell to the SharePoint server
  • Steal ASP.NET machine keys used for signing and decrypting ViewState and authentication tokens
  • Execute arbitrary code as the SharePoint worker process (w3wp.exe)
  • Forge signed and encrypted ViewState payloads that SharePoint accepts as legitimate, which turns any page that processes ViewState into a code-execution entry point and removes the need for the original auth bypass
  • Persist access even after the web shell is removed and the patch is applied, by reusing stolen machine keys; patching closes the entry point but does not invalidate keys that were already taken
  • Move laterally to other systems in the environment

Because this vulnerability can be exploited without user interaction, it is particularly dangerous in environments with internet-facing SharePoint servers.

Mitigations

1. Apply the Official Microsoft Patch

Microsoft has released out-of-band patches for the following editions:

  • SharePoint Subscription Edition – KB5002768
  • SharePoint Server 2019 – KB5002754
  • SharePoint Server 2016 – KB5002745

You should install the patch immediately, even if you have already applied earlier July updates. The new patch contains stronger protections and also includes previous fixes like CVE-2025-49704 and CVE-2025-49706.

2. Rotate ASP.NET Machine Keys

After applying the patch, it is essential to rotate the ASP.NET machine keys. Patching closes the entry point, but keys that were already stolen stay valid until they are replaced, and an attacker holding them can still sign ViewState payloads that the patched server will accept. Microsoft’s guidance is to rotate through SharePoint itself, either with the Update-SPMachineKey cmdlet from the SharePoint Management Shell or by triggering the Machine Key Rotation timer job in Central Administration, and then to restart IIS on every server in the farm. If you manage the keys by hand instead, they live in the <machineKey> element of each web application’s web.config, typically located under:

C:\inetpub\wwwroot\wss\VirtualDirectories\[port]\web.config

Generate new validationKey and decryptionKey values, update the config on every farm member (the keys must match across servers, and a server left un-rotated keeps the old keys valid), and restart IIS:

iisreset

Only after this step can you be confident that stolen keys can no longer be used to forge authentication tokens or ViewState data.

3. Enable AMSI and Defender Antivirus

Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration for SharePoint and running Microsoft Defender Antivirus in active mode. These tools help detect and block ViewState payloads and other malicious scripts.

Indicators and Threat Hunting

If you suspect compromise or want to validate that no exploitation occurred, look for the following indicators of compromise (IOCs).

Network Requests

Look for POST requests to:

  • /_layouts/15/ToolPane.aspx?DisplayMode=Edit

Known IPs

  • 107.191.58[.]76
  • 104.238.159[.]149
  • 96.9.125[.]147

File Artifacts

  • Presence of spinstall0.aspx under:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\

  • Any newly created .aspx files in the \LAYOUTS\ directory

IIS Log Patterns

  • POST requests to /sites/*/_layouts/15/ToolPane.aspx
  • Suspicious Referer headers like /sites/*/_layouts/SignOut.aspx
  • GET requests to spinstall0.aspx with long Base64 parameters

Process Tree Anomalies

  • w3wp.exe spawning powershell.exe, cmd.exe, or unusual child processes
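The IIS log patterns above can be turned into a repeatable hunt. The script below is an added example written for this page, not CyberMaxx or Microsoft tooling: it parses IIS W3C logs using the #Fields directive, scores each request against the ToolShell indicators (POST to ToolPane.aspx with DisplayMode=Edit, a Referer pointing at SignOut.aspx, an unauthenticated caller, a request for spinstall0.aspx, and the published source IPs), and reports the hits highest first. The log lines in SAMPLE_LOG are constructed, and include one legitimate web part edit by an authenticated admin to show that a ToolPane POST on its own is only a weak signal.

```python
"""Hunt IIS W3C logs for the CVE-2025-53770 "ToolShell" request patterns.

Added example written for this page; it is not CyberMaxx or Microsoft tooling.
SAMPLE_LOG is constructed to look like IIS output. Field order is read from the
#Fields line, so logs with a different field selection still parse.
"""
import re
from collections import Counter

# Client addresses published in the post above.
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

TOOLPANE = re.compile(r"/_layouts/15/toolpane\.aspx$", re.IGNORECASE)

# Constructed sample: one normal page view, one ToolShell exploitation attempt,
# the follow-up fetch of the dropped key dumper, and one legitimate web part edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\jdoe 10.0.3.17 Mozilla/5.0 https://sp.corp.example/sites/hr 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 https://sp.corp.example/_layouts/SignOut.aspx 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 python-requests/2.31 - 200
2025-07-19 03:20:10 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.3.9 Mozilla/5.0 https://sp.corp.example/sites/hr/SitePages/Home.aspx 200
"""


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed line; production tooling should count these
        records.append(dict(zip(fields, values)))
    return records


def score(rec):
    """Return (score, reasons): one point per independent ToolShell indicator."""
    reasons = []
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    client = rec.get("c-ip", "")
    if rec.get("cs-method") == "POST" and TOOLPANE.search(stem) and "displaymode=edit" in query:
        reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
        if "/_layouts/signout.aspx" in referer:
            reasons.append("Referer points at SignOut.aspx (auth-bypass signature)")
        if rec.get("cs-username", "-") == "-":
            reasons.append("request was unauthenticated")
    if stem.lower().endswith("/spinstall0.aspx"):
        reasons.append("spinstall0.aspx key dumper requested")
    if client in KNOWN_IPS:
        reasons.append(f"client {client} is in the published IOC list")
    return len(reasons), reasons


def hunt(text, min_score=1):
    """Score every request; return those at or above min_score, highest first."""
    findings = []
    for rec in parse_iis_log(text):
        s, reasons = score(rec)
        if s >= min_score:
            findings.append({"when": f"{rec.get('date', '')} {rec.get('time', '')}",
                             "client": rec.get("c-ip", "?"), "uri": rec.get("cs-uri-stem", ""),
                             "score": s, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def clients_by_hits(findings):
    """Which source addresses account for the flagged requests."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['score']}] {f['when']} {f['client']} {f['uri']}")
        for r in f["reasons"]:
            print("      -", r)
```

Point hunt() at the contents of each file under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\) and start with min_score=2: a score of 1 is usually an administrator editing a web part, while a ToolPane POST that is unauthenticated, carries the SignOut.aspx Referer, or is followed by a request for spinstall0.aspx warrants full incident response. IIS logs are written with a delay and are only one source; confirm hits against the file system check above and the SharePoint ULS logs.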

Conclusion

CVE-2025-53770 is a serious and actively exploited vulnerability that affects all supported on-premises SharePoint Server editions (SharePoint Online in Microsoft 365 is not affected). Even if your servers are not publicly accessible, an attacker with internal network access could exploit this flaw to gain full control.

Apply the latest patches from Microsoft, rotate your machine keys, and carefully review your logs for signs of compromise. If you detect any suspicious activity, consider isolating affected systems and initiating a full incident response. Consult your security provider for further information on incident response.

The CyberMaxx team are continuing to monitor for changes and will provide further information as it becomes available.

Further Reading

https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

The post CVE-2025-53770: SharePoint “ToolShell” Zero-Day Exploit – What You Need to Know appeared first on CyberMaxx.

Solana NPM package has been compromised
https://www.cybermaxx.com/resources/solana-npm-package-has-been-compromised/
Wed, 04 Dec 2024 14:13:34 +0000

UPDATED 12/4/24 12:45 AM ET

ORIGINALLY POSTED 12/4/24: 9:15 AM ET

The @solana/web3.js npm package has been compromised.

GitHub has published a malware notice in its Advisory Database to inform users of this compromise. How long the package has been compromised is still unknown, and the current impact is still being assessed. However, given the popularity of this package, the impact is likely to be high.

Treat any systems that use this package as fully compromised. All secrets, keys and sensitive information should be considered as such and rotated immediately.

According to security researcher Christophe Tafani-Dereeper on Bluesky: “The backdoor inserted in v1.95.7 adds an “addToQueue” function which exfiltrates the private key through seemingly-legitimate CloudFlare headers. Calls to this function are then inserted in various places that (legitimately) access the private key.”

Steven Luscher, one of the maintainers for the project said in the newest release notes “a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly.” as the source of the compromise. 

It is currently recommended to update to version 1.95.8 and rotate keys as a precautionary measure. 
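Finding every copy of the package in a project is the first step, and it is easy to miss transitive copies nested under other dependencies. The script below is an added example for this page, not Solana Labs or GitHub tooling: it walks a package-lock.json in either the flat lockfileVersion 2/3 layout or the nested lockfileVersion 1 layout and reports each install location of @solana/web3.js pinned to a backdoored version. The lock files are constructed. The affected set is 1.95.6 and 1.95.7 as listed in the GitHub advisory linked below (the post itself names 1.95.7); the "addToQueue" string check is a secondary hint taken from the quoted analysis.

```python
"""Find compromised @solana/web3.js versions in a project's package-lock.json.

Added example for this page, not Solana Labs or GitHub tooling. The lock files
below are constructed; the affected versions are 1.95.6 and 1.95.7 as listed in
the GitHub advisory the post links (the post itself names 1.95.7).
"""
import json

PACKAGE = "@solana/web3.js"
COMPROMISED = {"1.95.6", "1.95.7"}
FIXED = "1.95.8"
# The quoted analysis names the injected function; its presence in installed
# source is a second, content-based hint (not proof: the name is generic).
BACKDOOR_MARKER = "addToQueue"

# lockfileVersion 3: flat "packages" map keyed by install path (constructed).
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "trading-bot", "lockfileVersion": 3,
  "packages": {
    "": {"name": "trading-bot", "dependencies": {"@solana/web3.js": "^1.95.0"}},
    "node_modules/@solana/web3.js": {"version": "1.95.7",
      "resolved": "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.7.tgz"},
    "node_modules/legacy-bot-sdk": {"version": "2.0.0"},
    "node_modules/legacy-bot-sdk/node_modules/@solana/web3.js": {"version": "1.95.3"}
  }
}""")

# lockfileVersion 1: nested "dependencies" tree (constructed).
SAMPLE_LOCK_V1 = json.loads("""{
  "name": "trading-bot", "lockfileVersion": 1,
  "dependencies": {
    "@solana/web3.js": {"version": "1.95.3"},
    "legacy-bot-sdk": {"version": "2.0.0",
      "dependencies": {"@solana/web3.js": {"version": "1.95.6"}}}
  }
}""")


def iter_lock_entries(lock):
    """Yield (install_path, package_name, version) for every entry, either lock format."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            # npm only writes "name" for aliased packages; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock):
    """Every install location of @solana/web3.js pinned to a backdoored version."""
    return [(path, version) for path, name, version in iter_lock_entries(lock)
            if name == PACKAGE and version in COMPROMISED]


def has_backdoor_marker(js_source):
    """Cheap content check for the function the quoted analysis describes."""
    return BACKDOOR_MARKER in js_source


def scan_lockfile(path):
    """Run find_compromised against a package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, version in find_compromised(lock):
            print(f"{path}: {version} is compromised, upgrade to {FIXED} and rotate keys")
```

A clean lock file does not clear a host: if a compromised version was ever installed and run, treat the secrets it could reach as exposed regardless of what the lock file says now, and check yarn.lock and pnpm-lock.yaml separately if the project uses those package managers.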

Source: 

https://github.com/advisories/GHSA-fhm6-mqmw-2cf5  

https://bsky.app/profile/did:plc:zwlpsxw2udovqf4mbfi4ibqf/post/3lcgt6l7s4c2a 

https://github.com/solana-labs/solana-web3.js/releases/tag/v1.95.8 

The post Solana NPM package has been compromised appeared first on CyberMaxx.

High Severity Cisco ASA and Cisco FTD Firewalls Vulnerabilities
https://www.cybermaxx.com/resources/high-severity-cisco-asa-and-cisco-ftd-firewalls-vulnerabilities/
Thu, 25 Apr 2024 14:49:21 +0000

On April 24, 2024, Cisco released two high-severity security advisories that impact both Cisco ASA and Cisco FTD firewalls:

CVE-2024-20353 (denial of service in the ASA/FTD web services) – https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2

CVE-2024-20359 (persistent local code execution) – https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

According to the advisories there is no workaround available for either vulnerability at this point. Cisco has released fixed software for both. Update to a fixed release as soon as possible to prevent potential disruption.

Our threat hunting team has been informed and is actively investigating for signs of compromise of this threat. The CyberMaxx team is continuing to monitor this situation and is working to keep your network safe.

The post High Severity Cisco ASA and Cisco FTD Firewalls Vulnerabilities appeared first on CyberMaxx.

Threat Alert affecting Palo Alto
https://www.cybermaxx.com/resources/threat-brief-affecting-palo-alto/
Mon, 15 Apr 2024 17:07:30 +0000

In-the-wild exploitation of Palo Alto Networks PAN-OS 10.2, 11.0, and 11.1 has been observed. The issue applies to firewalls running those releases with a GlobalProtect gateway or GlobalProtect portal (or both) configured. It does not affect cloud firewalls (Cloud NGFW), Panorama appliances or Prisma Access.

A command injection vulnerability enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall, and has been assigned CVE-2024-3400. This issue is fixed in hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later PAN-OS versions. Hotfixes for other maintenance releases are listed in the Palo Alto Networks advisory. Customers with a Threat Prevention subscription can block attacks by enabling Threat ID 95187 and applying a Vulnerability Protection profile to the GlobalProtect interfaces.

This activity has currently been attributed to a single threat actor; however, now that the vulnerability has been publicly announced, other groups are likely to target organizations that are slow to patch. We recommend that patching these devices is made a priority.

Our threat hunting team has been informed and is actively investigating for signs of compromise of this threat. The CyberMaxx team is continuing to monitor this situation and is working to keep your network safe.

The post Threat Alert affecting Palo Alto appeared first on CyberMaxx.

Zero Day Notice: Veeam Backup & Replication Vulnerabilities
https://www.cybermaxx.com/resources/zero-day-notice-veeam-backup-replication-vulnerabilities/
Mon, 19 Dec 2022 18:50:02 +0000

Veeam Software is recognized as a global leader in data backup, replication, and disaster recovery solutions. Unfortunately for users of Veeam Backup & Replication versions 9.5, 10, and 11, exploitation of two vulnerabilities in the product has now been reported.

What It Is

On December 13th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities that affect Veeam Backup & Replication to its Known Exploited Vulnerabilities (KEV) catalog. Both critical flaws, tracked as CVE-2022-26500 and CVE-2022-26501, score 9.8 on the CVSS scale.

CISA has not published details of the exploitation it observed, but patches have been available since Veeam disclosed the flaws in March 2022. The vulnerabilities allow unauthenticated users to reach internal API functions; a remote attacker can send input to the internal API that leads to uploading and executing malicious code.

Why This is Important

Although details on the exploitation attacks aren’t available yet, possible consequences could include ransomware, data theft, and DDoS.

Veeam noted the affected software is used by 70% of Fortune 2000 companies.

These events provide yet another opportunity for organizations small and large to understand the importance of upgrading to supported system versions as soon as they become available.

What Needs to Be Done

At CyberMaxx we urge the precautions that Veeam and CISA have issued.

Updating/patching the product is recommended. Veeam writes its logs to the Windows Event Log by default, and those events can be forwarded to a SIEM; customers should ensure their Veeam servers are forwarding logs to a SIEM and review them for suspicious logins, processes, and service changes.

The post Zero Day Notice: Veeam Backup & Replication Vulnerabilities appeared first on CyberMaxx.

Protecting AWS Metadata From Zero-Day SSRF Attacks
https://www.cybermaxx.com/resources/protecting-aws-metadata-from-zero-day-ssrf-attacks/
Mon, 13 Apr 2020 16:00:16 +0000

Server-Side Request Forgery (SSRF) vulnerabilities allow attackers to send requests on behalf of the vulnerable web application. Much like a proxy, if you trigger an SSRF vulnerability and request https://www.ipecho.net/plain, you would see the application server’s source IP address rather than your own. In many cases, this vulnerability can be leveraged to access internal resources that the back-end server can communicate with.

Applications hosted in AWS pose a heightened risk when SSRF is present, as the instance metadata can be accessed, and in some cases, contains privileged API keys. SSRF vulnerabilities can lead to a full AWS account take-over and have been the case on several of CyberMaxx’s recent penetration tests including “serverless” application deployments.

This blog post describes step-by-step how to use Netflix’s lightweight aws-metadata-proxy to protect AWS metadata even when SSRF vulnerabilities are present. We will demonstrate the effectiveness of aws-metadata-proxy using a real SSRF zero-day CyberMaxx recently discovered.

Overview

CyberMaxx discovered that Hawtio <= 4.6.8 contains a proxy servlet that makes a request to any server appended onto the /proxy/ object. Our Hawtio advisory can be found here.

By accessing http://hawtio-server/proxy/http://169.254.169.254/latest/meta-data/identity-credentials, it was possible to pull the EC2 IAM instance API tokens. The API tokens were then configured in the AWS CLI and used to enumerate IAM permissions. IAM policies are tedious to write, and in many cases are overly permissive allowing access to arbitrary resources in AWS.

The lab environment is quite simple for this demonstration. There is an EC2 instance hosting a vulnerable version of Hawtio. This first part of the post will briefly show some of what an attacker can achieve through SSRF in a cloud environment. Following this we will install aws-metadata-proxy which will prevent the SSRF 0day.

Stealing AWS Keys Through SSRF

Accessing the metadata service is a goal when attacking applications hosted in AWS as it can turn a text-book web application vulnerability into an AWS account compromise.

The example below demonstrates obtaining the AWS keys through the Hawtio SSRF zero-day.

To make use of the AWS access key returned above, we populate the AWS CLI credentials file as shown below.

The AWS CLI will use this credentials file to authenticate with AWS. With this setup, we can enumerate the IAM permissions and, in turn, the AWS account and resources it contains.

Depending on specific IAM permissions, an attacker could very well have the keys to the AWS kingdom at this point, or at least have an opportunity to escalate IAM privileges.

Installing Netflix’s AWS-METADATA-PROXY

aws-metadata-proxy is a small program from Netflix-Skunkworks. An iptables NAT rule redirects every connection to the AWS metadata IP (169.254.169.254) to the proxy unless the connection originates from a designated local user that owns the aws-metadata-proxy process. The proxy then checks the request’s User-Agent header. In an SSRF scenario the vulnerable application’s HTTP client, not the attacker, builds the server-side request, so the attacker usually cannot set that header, and requests without an AWS SDK User-Agent are rejected. In practice this blocks IAM credential theft even through zero-day SSRF vulnerabilities like the Hawtio one. The commands below were run on an Ubuntu instance in our demo environment, but aws-metadata-proxy works on other distributions as well.
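To make the mechanism concrete, here is a minimal stand-in for the User-Agent gate, written as an added example for this page. It is not Netflix’s Go code and is not a replacement for it: it listens on 127.0.0.1:9090, where the iptables rule described in this post sends redirected metadata traffic, and forwards only requests whose User-Agent looks like an AWS SDK. The allow-list of User-Agent prefixes, the sample headers (the Java User-Agent assumed for Hawtio’s servlet and an aws-sdk-go one for a legitimate caller) and the ports are assumptions for illustration.

```python
"""A minimal stand-in for the User-Agent gate that aws-metadata-proxy places in
front of 169.254.169.254.

Added example for this page; it is not Netflix's Go code and does not replace it.
It listens where the post's iptables rule redirects traffic (127.0.0.1:9090) and
forwards only requests whose User-Agent looks like an AWS SDK. The allow-list,
the sample headers and the ports are assumptions for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.request

METADATA = "http://169.254.169.254"
LISTEN = ("127.0.0.1", 9090)

# Assumed allow-list: prefixes the AWS SDKs and CLI send. Check what your
# legitimate callers actually use before deploying any such list.
ALLOWED_UA_PREFIXES = ("aws-sdk-", "aws-cli/", "Boto3/", "Botocore/")

# Constructed request headers for the two cases the post contrasts.
SSRF_VIA_HAWTIO = {"User-Agent": "Java/1.8.0_252", "Host": "169.254.169.254"}  # assumed servlet client UA
SDK_ON_INSTANCE = {"User-Agent": "aws-sdk-go/1.30.0 (go1.14; linux; amd64)", "Host": "169.254.169.254"}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def authorize(headers, path):
    """Decide whether a metadata request may pass. Returns (status, reason)."""
    ua = headers.get("User-Agent", "")
    # In an SSRF the vulnerable app's HTTP client sets the User-Agent, not the
    # attacker, which is the property this check relies on.
    if not ua.startswith(ALLOWED_UA_PREFIXES):
        return 401, f"user-agent {ua!r} is not an allowed AWS client"
    if not path.startswith("/latest/"):
        return 404, "only the versioned metadata API is proxied"
    return 200, "ok"


class MetadataGate(BaseHTTPRequestHandler):
    def do_GET(self):
        status, reason = authorize(dict(self.headers), self.path)
        self.log_message("%s %s -> %d (%s)", self.client_address[0], self.path, status, reason)
        if status != 200:
            self.send_error(status, reason)
            return
        # Forward upstream. This process must run as the user named by the
        # iptables --uid-owner exemption, or its own request is redirected back here.
        req = urllib.request.Request(METADATA + self.path,
                                     headers={"User-Agent": self.headers["User-Agent"]})
        try:
            with urllib.request.urlopen(req, timeout=2) as upstream:
                body = upstream.read()
                ctype = upstream.headers.get("Content-Type", "text/plain")
        except OSError as exc:  # URLError is an OSError subclass
            self.send_error(502, f"metadata service unreachable: {exc}")
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(LISTEN, MetadataGate).serve_forever()
```

Run it as the dedicated proxy user so the iptables exemption applies to its upstream request. The authorize() function is the whole security decision; the SSRF request fails it because the servlet’s HTTP client, not the attacker, chose the User-Agent, which is exactly why an SSRF primitive that does let the attacker set headers would get through.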

Go Prerequisites

With Go installed and configured correctly, we can simply clone the aws-metadata-proxy repo.

Now Build The Go Application

With the binary built (listed above as aws-metadata-proxy), it can be moved anywhere convenient such as /usr/local/bin.

Before applying the iptables rule, a local user account was created, awsproxy, for the purpose of running the aws-metadata-proxy binary.

After the user account is created, add the iptables rule. Be sure to set the --uid-owner match to the user that runs the aws-metadata-proxy binary; in our case it’s awsproxy. Without that exemption the proxy’s own upstream requests to the metadata service would be redirected back to the proxy itself.

The command shown below can be used to verify the NAT rule was properly added.

Now it’s time to run the aws-metadata-proxy app from the awsproxy account.

aws-metadata-proxy should now show listening on 127.0.0.1:9090.

aws-metadata-proxy is up and running. Time to test the Hawtio SSRF zero-day.

Success! The Hawtio SSRF can no longer be used to access the AWS metadata service, as indicated by the “401 – Unauthorized” response.

Conclusion

Netflix’s open-source aws-metadata-proxy provides free, simple, and lightweight protection for the metadata service against SSRF exploitation. The SSRF itself still exposes other internal resources and needs to be fixed, but aws-metadata-proxy protects the AWS metadata service in the meantime. Two caveats: the User-Agent check is a heuristic, so an SSRF primitive that lets the attacker control request headers can get past it; and AWS now offers IMDSv2, which requires a session token obtained with a PUT request (something most SSRF primitives cannot issue) and should be enforced on instances wherever the workload’s SDKs support it.

 

The post Protecting AWS Metadata From Zero-Day SSRF Attacks appeared first on CyberMaxx.
