Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

How a Pwn2Own hack turned into a global attack campaign

byKerem Gülen
July 21, 2025
in Cybersecurity, News

Microsoft has released emergency security updates for two SharePoint zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which have been exploited in “ToolShell” attacks globally.

In May, during the Pwn2Own hacking contest held in Berlin, researchers successfully leveraged a zero-day vulnerability chain, identified as “ToolShell,” to achieve remote code execution within Microsoft SharePoint environments. These initial vulnerabilities were subsequently addressed by Microsoft through their July Patch Tuesday updates. However, threat actors were able to identify two new zero-day vulnerabilities that effectively bypassed the protections implemented in those July patches. These newly discovered flaws have since been utilized to conduct “ToolShell” attacks against SharePoint servers worldwide, impacting more than 54 organizations.

Microsoft has issued emergency out-of-band security updates to mitigate these critical vulnerabilities. These updates specifically target Microsoft SharePoint Subscription Edition and SharePoint 2019, providing fixes for both CVE-2025-53770 and CVE-2025-53771. Microsoft has stated that the update for CVE-2025-53770 offers “more robust protections than the update for CVE-2025-49704,” and similarly, the update for CVE-2025-53771 provides “more robust protections than the update for CVE-2025-49706.” Development of patches for SharePoint 2016 remains ongoing and these updates are not yet available.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.


Microsoft banned China-based engineers from Department of Defense work


SharePoint administrators are advised to install the relevant security updates immediately based on their specific SharePoint version. For Microsoft SharePoint Server 2019, the recommended update is KB5002754. For Microsoft SharePoint Subscription Edition, administrators should install KB5002768. The update for Microsoft SharePoint Enterprise Server 2016 has not been released at this time.

Following the installation of these updates, Microsoft strongly recommends that administrators rotate their SharePoint machine keys. This can be accomplished through two methods. The first method involves manually using PowerShell, specifically by executing the `Update-SPMachineKey` cmdlet. The second method is to manually trigger the Machine Key Rotation timer job via Central Administration. This process involves navigating to the Central Administration site, then to “Monitoring,” and subsequently to “Review job definition.” Administrators should then search for “Machine Key Rotation Job” and select “Run Now.” After the rotation process is complete, IIS must be restarted on all SharePoint servers using `iisreset.exe`.

Administrators are also advised to analyze logs and file systems for any indicators of malicious files or exploitation attempts. Specific indicators include the creation of the file `C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx`. Additionally, administrators should review IIS logs for POST requests directed to `_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with an HTTP referer of `_layouts/SignOut.aspx`. Microsoft has provided a Microsoft 365 Defender query to detect the creation of the `spinstall0.aspx` file:

  • `DeviceFileEvents`
  • `| where FolderPath has “MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS”`
  • `| where FileName =~ “spinstall0.aspx” or FileName has “spinstall0″`
  • `| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256`
  • `| order by Timestamp desc`

If the `spinstall0.aspx` file is detected, a comprehensive investigation of the compromised server and the broader network is recommended to ascertain whether threat actors have expanded their access to other devices.


Featured image credit

Tags: Microsoftsharepoint

Related Posts

AT&T launches nationwide 5G Standalone network

AT&T launches nationwide 5G Standalone network

October 9, 2025
EU announces its new AI plan with a €1B budget

EU announces its new AI plan with a €1B budget

October 9, 2025
Google just accidentally revealed a new Docs AI feature for Android

Google just accidentally revealed a new Docs AI feature for Android

October 9, 2025
Sora’s invite-only launch was almost as big as ChatGPT’s public one

Sora’s invite-only launch was almost as big as ChatGPT’s public one

October 9, 2025
That ultra-rugged Nokia phone is reportedly making a modern comeback

That ultra-rugged Nokia phone is reportedly making a modern comeback

October 9, 2025
New WhatsApp interface is appearing for a select few on iOS

New WhatsApp interface is appearing for a select few on iOS

October 9, 2025

LATEST NEWS

AT&T launches nationwide 5G Standalone network

EU announces its new AI plan with a €1B budget

Google just accidentally revealed a new Docs AI feature for Android

Sora’s invite-only launch was almost as big as ChatGPT’s public one

That ultra-rugged Nokia phone is reportedly making a modern comeback

New WhatsApp interface is appearing for a select few on iOS

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.