Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

How a Pwn2Own hack turned into a global attack campaign

byKerem Gülen
July 21, 2025
in Cybersecurity, News

Microsoft has released emergency security updates for two SharePoint zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which have been exploited in “ToolShell” attacks globally.

In May, during the Pwn2Own hacking contest held in Berlin, researchers successfully leveraged a zero-day vulnerability chain, identified as “ToolShell,” to achieve remote code execution within Microsoft SharePoint environments. These initial vulnerabilities were subsequently addressed by Microsoft through their July Patch Tuesday updates. However, threat actors were able to identify two new zero-day vulnerabilities that effectively bypassed the protections implemented in those July patches. These newly discovered flaws have since been utilized to conduct “ToolShell” attacks against SharePoint servers worldwide, impacting more than 54 organizations.

Microsoft has issued emergency out-of-band security updates to mitigate these critical vulnerabilities. These updates specifically target Microsoft SharePoint Subscription Edition and SharePoint 2019, providing fixes for both CVE-2025-53770 and CVE-2025-53771. Microsoft has stated that the update for CVE-2025-53770 offers “more robust protections than the update for CVE-2025-49704,” and similarly, the update for CVE-2025-53771 provides “more robust protections than the update for CVE-2025-49706.” Development of patches for SharePoint 2016 remains ongoing and these updates are not yet available.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.


Microsoft banned China-based engineers from Department of Defense work


SharePoint administrators are advised to install the relevant security updates immediately based on their specific SharePoint version. For Microsoft SharePoint Server 2019, the recommended update is KB5002754. For Microsoft SharePoint Subscription Edition, administrators should install KB5002768. The update for Microsoft SharePoint Enterprise Server 2016 has not been released at this time.

Following the installation of these updates, Microsoft strongly recommends that administrators rotate their SharePoint machine keys. This can be accomplished through two methods. The first method involves manually using PowerShell, specifically by executing the `Update-SPMachineKey` cmdlet. The second method is to manually trigger the Machine Key Rotation timer job via Central Administration. This process involves navigating to the Central Administration site, then to “Monitoring,” and subsequently to “Review job definition.” Administrators should then search for “Machine Key Rotation Job” and select “Run Now.” After the rotation process is complete, IIS must be restarted on all SharePoint servers using `iisreset.exe`.

Administrators are also advised to analyze logs and file systems for any indicators of malicious files or exploitation attempts. Specific indicators include the creation of the file `C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx`. Additionally, administrators should review IIS logs for POST requests directed to `_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with an HTTP referer of `_layouts/SignOut.aspx`. Microsoft has provided a Microsoft 365 Defender query to detect the creation of the `spinstall0.aspx` file:

  • `DeviceFileEvents`
  • `| where FolderPath has “MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS”`
  • `| where FileName =~ “spinstall0.aspx” or FileName has “spinstall0″`
  • `| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256`
  • `| order by Timestamp desc`

If the `spinstall0.aspx` file is detected, a comprehensive investigation of the compromised server and the broader network is recommended to ascertain whether threat actors have expanded their access to other devices.


Featured image credit

Tags: Microsoftsharepoint

Related Posts

Google marks Pac-Man’s 45th anniversary with a Halloween Doodle

Google marks Pac-Man’s 45th anniversary with a Halloween Doodle

October 30, 2025
OpenAI Sora adds character cameos and video stitching

OpenAI Sora adds character cameos and video stitching

October 30, 2025
WhatsApp introduces passkeys for end-to-end encrypted chat backups

WhatsApp introduces passkeys for end-to-end encrypted chat backups

October 30, 2025
Character.AI is closing the door on under-18 users

Character.AI is closing the door on under-18 users

October 30, 2025
Rode upgrades its Wireless Micro Camera Kit with universal compatibility

Rode upgrades its Wireless Micro Camera Kit with universal compatibility

October 30, 2025
YouTube’s new Super Resolution turns blurry uploads into HD and 4K

YouTube’s new Super Resolution turns blurry uploads into HD and 4K

October 30, 2025

LATEST NEWS

Google marks Pac-Man’s 45th anniversary with a Halloween Doodle

OpenAI Sora adds character cameos and video stitching

WhatsApp introduces passkeys for end-to-end encrypted chat backups

Character.AI is closing the door on under-18 users

Rode upgrades its Wireless Micro Camera Kit with universal compatibility

YouTube’s new Super Resolution turns blurry uploads into HD and 4K

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.