Gaps in Microsoft SharePoint: Zero days that may not have been zero days at all

The attacks on SharePoint servers exploited known vulnerabilities for which patches were already available. It remains unclear whether those patches would have helped.


The attacks on SharePoint that were reported as zero-day attacks may not have been genuine zero-days at all. Rather, they targeted already known vulnerabilities for which Microsoft had released a patch on July 8. However, it is still unclear whether installing that patch would have protected against the attacks.

But first things first: on the monthly Patch Tuesday, July 8, Microsoft released updates for two vulnerabilities in on-premises installations of SharePoint Server, CVE-2025-49706 and CVE-2025-49704. On July 19, Microsoft announced active attacks on SharePoint under the heading "Customer guidance for SharePoint vulnerability CVE-2025-53770", and a little later published new patches for the vulnerabilities CVE-2025-53770 and CVE-2025-53771. From then on, everyone, heise online included, assumed that these were zero-day attacks against the new 53770* vulnerabilities.

Now it turns out that the attacks from July 17 were directed against the Patch Tuesday vulnerabilities CVE-2025-49706 and CVE-2025-49704, as Eye Security concedes. Closer examination of the Patch Tuesday updates, however, revealed that Microsoft's fixes were poorly made and could be trivially circumvented. Kaspersky, for example, showed that the patch for CVE-2025-49706 could be bypassed simply by appending a / to a URL.

This is how easy it was to bypass Microsoft's patch: the additional "/" triggered the CVE-2025-49706 vulnerability again despite the patch

(Image: Kaspersky)

Nowhere does Microsoft say that only unpatched systems fell victim to the attacks. The company itself concedes: "Microsoft is aware of active attacks that exploit [...] vulnerabilities that were partially fixed by the July security update." (Emphasis added by the editors.) Based on current knowledge, it is therefore possible that the attacks targeted the 4970* vulnerabilities but already included something like the extra / that rendered the patches ineffective.

In any case, from July 20 Microsoft pushed out improved updates that close the gaps more effectively. Instead of filtering known-malicious URLs, which is easy to circumvent, the fix for CVE-2025-53770 now works with an allow list of permitted URLs. That patch apparently also closes CVE-2025-49706 and CVE-2025-53771, although it is still unclear what exactly CVE-2025-53771 covers. Microsoft only provides very vague vulnerability descriptions, and the same applies to CVE-2025-53770.
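To illustrate why filtering known-bad URLs is so much weaker than an allow list of resolved handlers, here is an added Python model. It is not Microsoft's code and is not taken from the article or from Kaspersky's analysis: the page names, the way the toy router treats whatever follows ".aspx" as path info, and the two filter functions are assumptions for illustration only. The real SharePoint patch and request pipeline are not shown here.

```python
from urllib.parse import unquote

# Hypothetical page names standing in for the real SharePoint endpoints
# (assumption for illustration, not taken from the article).
PROTECTED = "/_layouts/15/privilegedpage.aspx"
ALLOWED = {"/_layouts/15/start.aspx", "/_layouts/15/signout.aspx"}


def resolve_handler(raw_path: str) -> str:
    """Toy model of ASP.NET-style routing: the request path is URL-decoded,
    case-folded, and everything after the first ".aspx" is treated as PathInfo.
    Hence "/x.aspx", "/x.aspx/" and "/x.aspx/anything" all execute x.aspx."""
    path = unquote(raw_path).lower()
    idx = path.find(".aspx")
    if idx == -1:
        return path
    return path[: idx + len(".aspx")]


def denylist_filter(raw_path: str) -> bool:
    """Weak fix: compare the literal (decoded, lower-cased) path against one
    known-bad string. Returns True when the request is let through."""
    return unquote(raw_path).lower() != PROTECTED


def allowlist_filter(raw_path: str) -> bool:
    """Stronger fix: first resolve which handler would actually run, then
    permit only handlers that are on the allow list."""
    return resolve_handler(raw_path) in ALLOWED


def reaches_protected_page(raw_path: str, request_filter) -> bool:
    """True when the filter passes the request AND the server routes it to the
    protected handler, i.e. the filter has been bypassed."""
    return request_filter(raw_path) and resolve_handler(raw_path) == PROTECTED


# Constructed probe requests: the literal path plus variants an attacker would try.
PROBES = [
    PROTECTED,                 # literal match, the denylist catches it
    PROTECTED + "/",           # trailing slash, the pattern the article describes
    PROTECTED + "%2F",         # encoded slash, decoded by the server before routing
    PROTECTED.upper() + "/x",  # upper case plus extra path info
]


def bypass_report() -> dict:
    """Map each probe to (denylist bypassed?, allowlist bypassed?)."""
    return {
        p: (reaches_protected_page(p, denylist_filter),
            reaches_protected_page(p, allowlist_filter))
        for p in PROBES
    }


if __name__ == "__main__":
    for probe, (deny_bypassed, allow_bypassed) in bypass_report().items():
        print(f"{probe:45} denylist bypassed={deny_bypassed!s:5} "
              f"allowlist bypassed={allow_bypassed}")
```

Note that the denylist already decodes and lower-cases the path, so the usual encoding and case tricks fail against it; the trailing slash still works because the comparison is made on the literal string while the server routes on the handler that string resolves to. The allow list resolves first and therefore treats every variant of the same handler identically, which is the property the article attributes to the July 20 fix.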

If the attack waves from July 17 also worked against systems at the then-current patch level, they would indeed have been zero-day attacks, because the affected Microsoft customers had no way of protecting themselves effectively. This difference has practical significance beyond quibbling over words: in that case, every Microsoft customer would have to assume that their server may have been compromised, even if the available patches had already been applied. And that has massive consequences for the measures to be taken.

Anyone who has lost track of the many CVEs and updates by now is in good company. The whole affair is a terrible jumble of fragments of information, from which even we were unable to assemble a coherent overall picture after hours of discussion. So here is a summary of the important facts for defenders, and what needs to be done:

Microsoft's SharePoint Server had several critical vulnerabilities that allowed on-premises servers to be compromised. To protect against them, admins should install the patches for CVE-2025-53770 and CVE-2025-53771, which reliably close all known vulnerabilities. They should also implement the additional measures described by Microsoft and, in particular, rotate the ASP.NET machine keys (and restart IIS afterwards). Otherwise, attackers who stole the old keys before the patch was applied could still gain access to the server.


It would also be extremely helpful if Microsoft could bring itself to provide more clarity, including clear statements on the following open points:

  • Were there successful attacks against systems that had received the patchday updates in a timely manner?
  • What exactly are the vulnerabilities behind the respective CVEs? Preferably with specific references to the vulnerable code.
  • Why does Microsoft, after a lead time of almost two months, deliver patches for critical vulnerabilities that can be trivially circumvented?

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.