Hello and welcome to the Tuesday, July 22nd, 2025 edition of the Sands Internet Storm Center's Stormcast. My name is Johannes Ulrich, recording today from Jacksonville, Florida. And this episode is brought you by the sands.edu master's degree program in information security engineering.

And of course, well, SharePoint, let's start with that.

Microsoft has some nice updates about this particular problem.

And there are patches available now if you're using the SharePoint Server subscription edition or SharePoint server 2019.

For 2016, at this point, there are no updates available yet, but you are vulnerable.

So assume compromise at this point.

There are plenty of working exploits that have been made public for this particular vulnerability.

Also, don't be too specific in your detection rules on the payload.

Payloads can easily be generated using the dot-net version of WISO serial,

a common tool to exploit deseralsation attacks in dot-net.

There are also now two CVEs at 2025, 53-770, and then 53-771.

The first CVE is for the deserilization vulnerability.

The second CVE, the 71 CVE, is for the authentication bypass problem.

So we are back to two vulnerabilities here, but note, it only takes one request to exploit them all.

In order to exploit this vulnerability, you essentially first set the referrer header

to the sign-out page for the SharePoint instance, and that's, well, the same across

different versions.

And then you basically just include the dot-net desereralization payload as a payload to the post request.

Again, assume compromise when you're patching this vulnerability.

We'll have a bit more guidance and such probably over the next couple days as I'm able to pull a couple more details together.

Just the gut setting up SharePoint server to be able to pull a couple more details together, just the gut setting up SharePoint server

to be able to play with this vulnerability in the patch to see how well it works and if it

...