[UPDATE July 22, 2025]
Microsoft has disclosed two zero-day vulnerabilities in SharePoint Server, CVE-2025-53770 and CVE-2025-53771, that have been actively exploited since July 18, 2025. Together they allow unauthenticated Remote Code Execution (RCE) and bypass the fixes for CVE-2025-49704 and CVE-2025-49706 that shipped in the July 2025 security updates. The exploit chain, first demonstrated as "ToolShell" at Pwn2Own Berlin, has been weaponized by threat actors: Eye Security, which first identified the attacks, counted more than 85 compromised SharePoint servers across 54 organizations worldwide, including federal and state government bodies, health organizations, energy sector operators, educational institutions and financial technology companies [5]. Microsoft notes that only on-premises SharePoint Server is affected; SharePoint Online in Microsoft 365 is not impacted.
To mitigate the risk, Microsoft recommends installing the latest SharePoint security updates, enabling Antimalware Scan Interface (AMSI) integration, and deploying Microsoft Defender for Endpoint or an equivalent EDR product on all SharePoint servers; servers for which no patch is yet available should be disconnected from the Internet [1]. In observed intrusions the attackers upload a malicious file named "spinstall0.aspx" that reads the server's ASP.NET MachineKey configuration (ValidationKey and DecryptionKey). With those keys they can sign arbitrary __VIEWSTATE payloads that the server will deserialize, giving them code execution that no longer depends on the initial upload path. Because stolen keys stay valid after the update is installed, Microsoft's guidance also calls for rotating the SharePoint ASP.NET machine keys and restarting IIS once the patch is applied [1]. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with a one-day remediation deadline for federal agencies (applicable once patches are released), underscoring the severity of the situation [4].
Microsoft has released emergency security patches addressing two vulnerabilities affecting on-premises SharePoint servers. The primary concern, CVE-2025-53770 (CVSS: 9.8), enables Remote Code Execution through deserialization of untrusted data, while CVE-2025-53771 (CVSS: 6.3) is a path traversal flaw that allows an authorized attacker to perform spoofing over a network. Both are bypasses of the fixes shipped in the July 2025 Patch Tuesday updates (CVE-2025-49704 and CVE-2025-49706), which is why servers fully patched as of early July remained exploitable. The Canadian Centre for Cyber Security (CCCS) and U.S. CISA have both issued urgent advisories due to active exploitation in the wild [3][4].
The observed attack chain begins with a crafted POST request to "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx" with the HTTP Referer header set to "/_layouts/SignOut.aspx", which lets the request through without authentication. On success the attacker drops "spinstall0.aspx" into the LAYOUTS directory; the file dumps the server's MachineKey configuration (ValidationKey and DecryptionKey) rather than offering a conventional command interface. With those values the attacker can generate __VIEWSTATE payloads that carry a valid MAC, for example with ysoserial.net (the .NET counterpart of the ysoserial tool referenced below), and any page on the server will deserialize them, leading to full system compromise. Microsoft has released updates KB5002754 for SharePoint Server 2019 and KB5002768 for SharePoint Subscription Edition; at the time of this advisory's original publication the SharePoint Server 2016 update had not yet been released.
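As an added example (not part of the original advisory), the following Python script runs the request-chain indicators described above against a small, constructed IIS W3C log excerpt: the edit-mode POST to ToolPane.aspx carrying a SignOut.aspx Referer, any request for spinstall0.aspx, and, as weak corroboration only, the User-Agent string listed in the IOC table. The log lines, host names and client address (203.0.113.45, from the documentation range) are constructed; the rule names and helper functions are this example's own, not eSentire's or Microsoft's detection content.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed IIS W3C log excerpt (not real traffic). IIS writes '+' for spaces in the
# User-Agent and '-' for empty fields; the client IP is from the 203.0.113.0/24
# documentation range.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 https://sp.contoso.local/ 200
2025-07-19 03:14:22 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 03:14:25 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
"""

# User-Agent from the advisory's IOC table, in its decoded form.
IOC_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0",
}


def parse_w3c(text):
    """Yield (line_no, record) for each data line, keyed by the current #Fields header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield line_no, dict(zip(fields, values))


def decode_ua(logged_ua):
    """Undo IIS encoding of the User-Agent ('+' for space, plus %XX escapes)."""
    return unquote(logged_ua.replace("+", " "))


def scan_iis_log(text):
    """Return a list of findings for the ToolShell request chain."""
    findings = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        query = rec.get("cs-uri-query", "")
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        referer_path = urlsplit(rec.get("cs(Referer)", "")).path.lower()
        client_ip = rec.get("c-ip", "")
        ua = decode_ua(rec.get("cs(User-Agent)", ""))

        def hit(rule, severity):
            findings.append({"line_no": line_no, "rule": rule, "severity": severity,
                             "client_ip": client_ip, "uri": stem})

        # Rule 1: the ToolShell entry request - an edit-mode POST to ToolPane.aspx whose
        # Referer claims to come from the sign-out page. Match on method, path, query and
        # Referer; the request succeeds on a vulnerable server, so status code is no filter.
        display_modes = [v.lower() for v in params.get("DisplayMode", [])]
        a_values = [v.lower() for v in params.get("a", [])]
        if (method == "POST"
                and stem.endswith("/_layouts/15/toolpane.aspx")
                and "edit" in display_modes
                and any(v.endswith("/toolpane.aspx") for v in a_values)
                and referer_path.endswith("/_layouts/signout.aspx")):
            hit("toolshell_toolpane_post", "high")

        # Rule 2: any request for the dropped file, whatever the status code.
        if stem.endswith("/spinstall0.aspx"):
            hit("spinstall0_webshell", "high")

        # Rule 3: weak corroboration only - the listed UA is a stock Firefox 120 string.
        if ua in IOC_USER_AGENTS:
            hit("ioc_user_agent", "low")
    return findings


def attacker_ips(findings):
    """Client IPs behind high-severity findings, for pivoting into other log sources."""
    return {f["client_ip"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f['line_no']:>3}  {f['severity']:<4}  {f['rule']:<24}  {f['client_ip']}  {f['uri']}")
    print("pivot on:", sorted(attacker_ips(scan_iis_log(SAMPLE_IIS_LOG))))
```

Point the script at a real log by reading the file into `scan_iis_log`; the `#Fields` header is parsed, so a different column order in your IIS configuration is handled, and any line whose column count does not match is skipped rather than misread. The User-Agent rule is kept at low severity deliberately: the listed string is a stock Firefox build and will appear in legitimate traffic.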
This is not the first time ASP.NET machine keys have been targeted. In December 2024, Microsoft Threat Intelligence observed an unattributed threat actor using publicly available ASP.NET machine keys to perform ViewState code injection [6]. The attacker takes an exposed ValidationKey and DecryptionKey pair, crafts ViewState data containing a malicious serialized object, and sends it to the site in a POST request; the ASP.NET runtime validates the MAC, accepts the data as trusted, and deserializes it, yielding remote code execution on the IIS web server. Microsoft has since identified more than 3,000 publicly disclosed keys that could be used this way and has published the list [11].
ViewState code injection works because ASP.NET's MAC check answers only one question: was this ViewState signed with this server's ValidationKey? Developers sometimes copy a machineKey element from documentation, sample code or a public repository into web.config, and anyone who has seen the same source holds the key. A payload signed with it is indistinguishable from the server's own ViewState and is deserialized without further checks. The same applies when the key is unique but leaked, as in the SharePoint intrusions above: a patch closes the path by which the key was stolen but does not invalidate the key, so exposed keys have to be replaced, not merely patched around [7].
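To make the check concrete, here is an added Python example (this page's editor's, not Microsoft's tooling and not part of the original advisory) that audits a web.config for a static machineKey, flags any validationKey or decryptionKey that appears in a supplied list of disclosed keys, and generates a unique replacement pair of the sizes ASP.NET expects for HMACSHA256 and AES. The key values and web.config fragments are constructed placeholders; in practice the known-key set would be populated from Microsoft's published MachineKeys.csv. Servers in a load-balanced SharePoint farm legitimately share one static key, so a static key is reported as informational; the critical finding is a key that is publicly disclosed (or, as in the SharePoint case, stolen).

```python
import secrets
import xml.etree.ElementTree as ET

# Minimal web.config skeleton used to build the constructed inputs below.
CONFIG_TEMPLATE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed placeholders standing in for a publicly disclosed key pair. They are
# deliberately patterned and are NOT entries from Microsoft's published list.
DISCLOSED_VK = "0123456789ABCDEF" * 8   # 128 hex chars = 64-byte HMACSHA256 key
DISCLOSED_DK = "FEDCBA9876543210" * 4   # 64 hex chars = 32-byte AES-256 key
KNOWN_DISCLOSED_KEYS = {DISCLOSED_VK, DISCLOSED_DK}


def generate_machine_key():
    """Fresh, unique keys sized for HMACSHA256 validation and AES-256 decryption."""
    return {"vk": secrets.token_hex(64).upper(), "dk": secrets.token_hex(32).upper()}


def extract_machine_key(web_config_xml):
    """Return the first <machineKey> element's attributes, or None if keys are runtime-generated."""
    root = ET.fromstring(web_config_xml)
    node = root.find(".//machineKey")  # also finds keys placed inside <location> blocks
    if node is None:
        return None
    return {attr: node.get(attr)
            for attr in ("validationKey", "decryptionKey", "validation", "decryption")}


def audit_machine_key(web_config_xml, known_keys):
    """Flag static machine keys; a key present in `known_keys` is critical.

    A static key is not itself a defect (servers in a load-balanced SharePoint farm
    must share one). It is reported as 'info' so the operator knows there is a key
    that must be unique to this farm and rotated if an attacker may have read it.
    """
    mk = extract_machine_key(web_config_xml)
    if mk is None:
        return []
    known = {k.upper() for k in known_keys}  # hex is case-insensitive
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = (mk.get(attr) or "").strip()
        if not value or value.upper().startswith("AUTOGENERATE"):
            continue  # ASP.NET generates these per machine/app at runtime
        if value.upper() in known:
            findings.append({"attribute": attr, "finding": "known_disclosed_key", "severity": "critical"})
        else:
            findings.append({"attribute": attr, "finding": "static_key_present", "severity": "info"})
    return findings


# Three constructed web.config variants: keys copied from a public source, unique
# keys, and runtime-generated keys.
WEB_CONFIG_COPIED_FROM_DOCS = CONFIG_TEMPLATE.format(vk=DISCLOSED_VK, dk=DISCLOSED_DK)
WEB_CONFIG_UNIQUE = CONFIG_TEMPLATE.format(**generate_machine_key())
WEB_CONFIG_AUTOGEN = CONFIG_TEMPLATE.format(vk="AutoGenerate,IsolateApps",
                                            dk="AutoGenerate,IsolateApps")

if __name__ == "__main__":
    for name, cfg in [("copied-from-docs", WEB_CONFIG_COPIED_FROM_DOCS),
                      ("unique", WEB_CONFIG_UNIQUE),
                      ("autogenerate", WEB_CONFIG_AUTOGEN)]:
        print(name, audit_machine_key(cfg, KNOWN_DISCLOSED_KEYS) or "no findings")
```

Run it against each web.config on the server (and any file a configSource attribute points to), with the known-key set loaded from Microsoft's list. A critical finding means the keys must be replaced with freshly generated ones on every server in the farm, after which the old ones are worthless to whoever holds them.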
Organizations are strongly advised to apply the available patches immediately, isolate unpatched systems from the network, monitor IIS logs for POST requests to ToolPane.aspx carrying a SignOut.aspx Referer and for any request to spinstall0.aspx, and deploy additional controls such as AMSI integration and EDR. These actions should be prioritized because SharePoint is central to business operations and is commonly exposed to external networks, making it an attractive target for initial access. Only on-premises installations are affected; SharePoint Online in Microsoft 365 is not vulnerable to these flaws.
Indicators of Compromise (IOCs)

| Indicator | Type |
| --- | --- |
| 107.191.58[.]76 | IP Address |
| 104.238.159[.]149 | IP Address |
| 96.9.125[.]147 | IP Address |
| 103.186.30[.]186 | IP Address |
| 86.48.9[.]82 | IP Address |
| 139.199.202[.]205 | IP Address |
| 185.213.82[.]30 | IP Address |
| 154.47.29[.]4 | IP Address |
| 139.144.199[.]41 | IP Address |
| 89.46.223[.]88 | IP Address |
| 45.77.155[.]170 | IP Address |
| 95.179.158[.]42 | IP Address |
| 149.40.50[.]15 | IP Address |
| 154.223.19[.]106 | IP Address |
| 185.197.248[.]131 | IP Address |
| Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User-Agent |
| Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 | User-Agent (same string as recorded in IIS logs, spaces encoded as +) |
| POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with Referer: /_layouts/SignOut.aspx | HTTP Request |
| GET /_layouts/15/spinstall0.aspx (request for the malicious ASPX file) | HTTP Request |
| 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA256 |
| d50a7f142a53a8d2358137e74901e093e19047b66f42216163b91f26460d329b | SHA256 |
| 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2 | SHA256 |
| 27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014 | SHA256 |
| b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93 | SHA256 |
| 4A02A72AEDC3356D8CB38F01F0E0B9F26DDC5CCB7C0F04A561337CF24AA84030 | SHA256 |
| FA3A74A6C015C801F5341C02BE2CBDFB301C6ED60633D49FC0BC723617741AF7 | SHA256 |
| B39C14BECB62AEB55DF7FD55C814AFBB0D659687D947D917512FE67973100B70 | SHA256 |
| 390665BDD93A656F48C463BB6C11A4D45B7D5444BDD1D1F7A5879B0F6F9AAC7E | SHA256 |
| 66AF332CE5F93CE21D2FE408DFFD49D4AE31E364D6802FFF97D95ED593FF3082 | SHA256 |
| 7BAF220EB89F2A216FCB2D0E9AA021B2A10324F0641CAF8B7A9088E4E45BEC95 | SHA256 |
| C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx | File Path (8.3 short-name form) |
| C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx | File Path (8.3 short-name form) |
| C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js | File Path |
References:
[1] https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
[2] https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
[3] https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770
[4] https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
[5] https://research.eye.security/sharepoint-under-siege/
[6] https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
[7] https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/
[8] https://nvd.nist.gov/vuln/detail/CVE-2025-53771
[9] https://nvd.nist.gov/vuln/detail/CVE-2025-49704
[10] https://nvd.nist.gov/vuln/detail/CVE-2025-49706
[11] https://github.com/microsoft/mstic/blob/master/RapidReleaseTI/MachineKeys.csv
[12] https://github.com/frohoff/ysoserial
[13] https://x.com/codewhitesec/status/1944743478350557232
[14] https://www.esentire.com/what-we-do/threat-response-unit/threat-intelligence-services
[15] https://github.com/soltanali0/CVE-2025-53770-Exploit
[16] https://github.com/kaizensecurity/CVE-2025-53770
[17] https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/
[18] https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
[19] https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/