The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States.

The pace of Storm-1175’s campaigns is enabled by the threat actor’s consistent use of recently disclosed vulnerabilities to obtain initial access. While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity. After initial access, Storm-1175 establishes persistence by creating new user accounts, deploys various tools including remote monitoring and management software for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment.

In this blog post, we delve into the attack techniques attributed to Storm-1175 over several years. While Storm-1175’s methodology aligns with the tactics, techniques, and procedures (TTPs) of many tracked ransomware actors, analysis of their post-compromise tactics provides essential insights into how organizations can harden and defend against attackers like Storm-1175, informing opportunities to disrupt attackers even if they have gained initial access to a network.

Storm-1175’s rapid attack chain: From initial access to impact

Exploitation of vulnerable web-facing assets

Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access. Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:

• CVE-2023-21529 (Microsoft Exchange)
• CVE-2023-27351 and CVE-2023-27350 (Papercut)
• CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
• CVE-2024-1709 and CVE-2024-1708 (ConnectWise ScreenConnect)
• CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
• CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
• CVE‑2025‑31161 (CrushFTP)
• CVE-2025-10035 (GoAnywhere MFT)
• CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
• CVE-2026-1731 (BeyondTrust)

Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected. In some cases, Storm-1175 has weaponized exploits for disclosed vulnerabilities in as little as one day, as was the case for CVE-2025-31324 impacting SAP NetWeaver: the security issue was disclosed on April 24, 2025, and we observed Storm-1175 exploitation soon after on April 25.

In multiple intrusions, Storm-1175 has chained together exploits to enable post-compromise activities like remote code execution (RCE). For example, in July 2023, Storm-1175 exploited two vulnerabilities affecting on-premises Microsoft Exchange Servers, dubbed “OWASSRF” by public researchers: exploitation of CVE‑2022‑41080 provided initial access by exposing Exchange PowerShell via Outlook Web Access (OWA), and Storm-1175 subsequently exploited CVE‑2022‑41082 to achieve remote code execution.

Storm-1175 has also demonstrated a capability for targeting Linux systems as well: in late 2024, Microsoft Threat Intelligence identified the exploitation of vulnerable Oracle WebLogic instances across multiple organizations, though we were unable to identify the exact vulnerability being exploited in these attacks.

Finally, we have also observed the use of at least three zero-day vulnerabilities including, most recently, CVE-2026-23760 in SmarterMail, which was exploited by Storm-1175 the week prior to public disclosure, and CVE-2025-10035 in GoAnywhere Managed File Transfer, also exploited one week before public disclosure. While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw; these factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities. Regardless, as attackers increasingly become more adept at identifying new vulnerabilities, understanding your digital footprint—such as through the use of public scanning interfaces like Microsoft Defender External Attack Surface Management—is essential to defending against perimeter network attacks.

Covert persistence and lateral movement

During exploitation, Storm-1175 typically creates a web shell or drops a remote access payload to establish their initial hold in the environment. From this point, Microsoft Threat Intelligence has observed Storm-1175 moving from initial access to ransomware deployment in as little as one day, though many of the actor’s attacks have occurred over a period of five to six days.

On the initially compromised device, the threat actor often establishes persistence by creating a new user and adding that user to the administrators group:

From this account, Storm-1175 begins their reconnaissance and lateral movement activity. Storm-1175 has a rotation of tools to accomplish these subsequent attack stages. Most commonly, we observe the use of living-off-the-land binaries (LOLBins), including PowerShell and PsExec, followed by the use of Cloudflare tunnels (renamed to mimic legitimate binaries like conhost.exe) to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices. If RDP is not allowed in the environment, Storm-1175 has been observed using administrator privileges to modify the Windows Firewall policy to enable Remote Desktop.

Storm-1175 has also demonstrated a heavy reliance on remote monitoring and management (RMM) tools during post-compromise activity. Since 2023, Storm-1175 has used multiple RMMs, including:

• Atera RMM
• Level RMM
• N-able
• DWAgent
• MeshAgent
• ConnectWise ScreenConnect
• AnyDesk
• SimpleHelp

While often used by enterprise IT teams, these RMM tools have multi-pronged functionality that could also allow adversaries to maintain persistence in a compromised network, create new user accounts, enable an alternative command-and-control (C2) method, deliver additional payloads, or use as an interactive remote desktop session.

In many attacks, Storm-1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network.

Additionally, Storm-1175 has leveraged Impacket for lateral movement. Impacket is a collection of open-source Python classes designed for working with network protocols, and it is popular with adversaries due to ease of use and wide range of capabilities. Microsoft Defender for Endpoint has a dedicated attack surface reduction rule to defend against lateral movement techniques used by Impacket: Block process creations originating from PSExec and WMI commands); protecting lateral movement pathways can also mitigate Impacket.

Credential theft

Impacket is further used to facilitate credential dumping through LSASS; the threat actor also leveraged the commodity credential theft tool Mimikatz in identified intrusions in 2025. Additionally, Storm-1175 has relied on known living-off-the-land techniques for stealing credentials, such as by modifying the registry entry UseLogonCredential to turn on WDigest credential caching, or using Task Manager to dump LSASS credentials; for both of these attack techniques, the threat actor must obtain local administrative privileges to modify these resources. The attack surface reduction rule block credential stealing from LSASS can limit the effectiveness of this type of attack, and—more broadly—limiting the use of local administrator rights by end users. Ensuring that local administrator passwords are not shared through the environment can also reduce the risk of these LSASS dumping techniques.

We have also observed that after gaining administrator credentials, Storm-1175 has used a script to recover passwords from Veeam backup software, which is used to connect to remote hosts, therefore enabling ransomware deployment to additional connected systems.

With sufficient privileges, Storm-1175 can then use tools like PsExec to pivot to a Domain Controller, where they have accessed the NTDS.dit dump, a copy of the Active Directory database which contains user data and passwords that can be cracked offline. This privileged position has also granted Storm-1175 access to the security account manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale.

Security tampering for ransomware delivery

Storm-1175 modifies the Microsoft Defender Antivirus settings stored in the registry to tamper with the antivirus software and prevent it from blocking ransomware payloads; in order to accomplish this, an attacker must have access to highly privileged accounts that can modify the registry directly. For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access.

Storm-1175 has also used encoded PowerShell commands to add the C:\ drive to the antivirus exclusion path, preventing the security solution from scanning the drive and allowing payloads to run without any alerts. Defenders can harden against these tampering techniques by combining tamper protection with the DisableLocalAdminMerge setting, which prevents attackers from using local administrator privileges to set antivirus exclusions.

Data exfiltration and ransomware deployment

Like other ransomware as a service (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it for ransom, threatening to leak the files publicly if a ransom is not paid. To that aim, Storm-1175 often uses Bandizip to collect files and Rclone for data exfiltration. Data synchronization tools like Rclone allow threat actors to easily transfer large volumes of data to a remote attacker-owned cloud resource. These tools also provide data synchronization capabilities, moving newly created or updated files to cloud resources in real-time to enable continuous exfiltration throughout all stages of the attack without needing attacker interaction.

Finally, having gained sufficient access throughout the network, Storm-1175 frequently leverages PDQ Deployer to launch a script (RunFileCopy.cmd) and deliver Medusa ransomware payloads. In some cases, Storm-1175 has alternatively used highly privileged access to create a Group Policy update to broadly deploy ransomware.

Mitigation and protection guidance

To defend against Storm-1175 TTPs and similar activity, Microsoft recommends the following mitigation measures:

• Use a perimeter scanning tool like Microsoft Defender External Attack Surface Management to understand your organization’s digital footprint and potential attack surface. Targeting web-facing vulnerabilities continues to be one of the most effective attack methods for initial access.
• Ensure any web-facing systems are isolated from the public internet with a secure network boundary and access them with a virtual private network (VPN). If certain servers must be accessible on the public internet, position them behind a web application firewall (WAF), reverse proxy, or perimeter network (also known as a DMZ), which can reduce the risk of vulnerability exploitation in some cases.
• Follow the defending against ransomware guidance in Microsoft’s ransomware as a service blog post, which details how to build credential hygiene as well as how to limit lateral movement using the principle of least privilege.
• Implement Credential Guard, a critical security feature that protects credentials stored in process memory  – in the LSA process lsass.exe. Credential Guard is turned on by default in Windows 11. However, if Credential Guard was previously disabled on a device, updating a device to Windows 11 does not override that setting, and Credential Guard will need to be re-enabled. Additionally, Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised. Credential Guard can be enabled using Group Policy, the registry, or Microsoft Intune.
• Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. Without tamper protection, attackers could simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.
  • Customers running Intune or Microsoft Defender for Endpoint Security Configuration can enable DisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO.  
  • In addition to tamper protection, you can also enable and configure Microsoft Defender Antivirus always-on protection in Group Policy. 
  • If there is an issue with a device during roll out of various antivirus features, the device can be placed in Troubleshooting mode to turn off Tamper Protection temporarily without impacting the wider organizational security policy. 
• For approved RMM systems used in your environment, enforce security settings where possible to implement MFA. If an unapproved RMM installation is discovered in your network, reset passwords for accounts used to install the RMM services. If a System-level account was used to install the software, further investigation may be warranted.
• Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
• Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block execution of potentially obfuscated scripts
  • Block Webshell creation for Servers
  • Block process creations originating from PSExec and WMI commands (Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.)
  • Block execution of potentially obfuscated scripts
  • Block use of copied or impersonated system tools
  • Use advanced protection against ransomware

Microsoft Defender detections

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Actor profile: Storm-1175
• Tool profile: Medusa ransomware
• Threat overview profile: Human-operated ransomware  

Indicators of compromise

The following indicators are gathered from identified Storm-1175 attacks during 2026.

References

• Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass)
• OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations appeared first on Microsoft Security Blog.

Exploitation activity related to this vulnerability was detected as early as December 5, 2025. Most successful exploits originated from red team assessments; however, we also observed real-world exploitation attempts by threat actors delivering multiple subsequent payloads, majority of which are coin miners. Both Windows and Linux environments have been observed to be impacted.

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses this payload, executes server-side logic, and returns a serialized component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads. This could allow attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution.

This vulnerability presents a significant risk because of the following factors:

• Default configurations are vulnerable, requiring no special setup or developer error.
• Public proof-of-concept exploits are readily available with near-100% reliability.
• Exploitation can happen without any user authentication since this is a pre-authentication vulnerability.
• The vulnerability could be exploited using a single malicious HTTP request.

In this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, as well as mitigation recommendations and hunting guidance are covered in the next sections. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.

Analyzing CVE-2025-55182 exploitation activity

React is widely adopted in enterprise environments. In Microsoft Defender telemetry, we see tens of thousands of distinct devices across several thousand organizations running some React or React-based applications. Some of the vulnerable applications are deployed inside containers, and the impact on the underlying host is dependent on the security configurations of the container.

We identified several hundred machines across a diverse set of organizations compromised using common tactics, techniques, and procedures (TTPs) observed with web application RCE. To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request. This input is then processed as a serialized object and passed to the backend server, where it is deserialized. Due to the default trust among the components, the attacker-provided input is then deserialized and the backend runs attacker-provided code under the NodeJS runtime.

Post-exploitation, attackers were observed to run arbitrary commands, such as reverse shells to known Cobalt Strike servers. To achieve persistence, attackers added new malicious users, utilized remote monitoring and management (RMM) tools such as MeshAgent, modified authorized_keys file, and enabled root login. To evade security defenses, the attackers downloaded from attacker-controlled CloudFlare Tunnel endpoints (for example, *.trycloudflare.com) and used bind mounts to hide malicious processes and artifacts from system monitoring tools.

The malware payloads seen in campaigns investigated by Microsoft Defender vary from remote access trojans (RATs) like VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader that enabled attackers to deploy more payloads to target environments, ShadowPAD, and XMRig cryptominers. The attacks proceeded by enumerating system details and environment variables to enable lateral movement and credential theft.

Credentials that were observed to be targeted included Azure Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud to acquire identity tokens, which could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets. Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials were also observed. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.

Mitigation and protection guidance

Microsoft recommends customers to act on these mitigation recommendations:

Manual identification guidance

Until full in-product coverage is available, you can manually assess exposure on servers or containers:

1. Navigate to your project directory and open the node_modules folder.
2. Review installed packages and look for:
   • react-server-dom-webpack
   • react-server-dom-parcel
   • react-server-dom-turbopack
   • next
3. Validate versions against the known affected range:
   • React: 19.0.0,19.1.0, 19.1.1, 19.2.0
   • Next.js: 15.0.0 – 15.0.4, 15.1.0 – 15.1.8, 15.2.0 – 15.2.5, 15.3.0 – 15.3.5, 15.4.0 – 15.4.7, 15.5.0 – 15.5.6, 16.0.0 – 16.0.6, 14.3.0-canary.77 and later canary releases
4. If any of these packages match the affected versions, remediation is required. Prioritize internet-facing assets first, especially those identified by Defender as externally exposed.

Mitigation best practices

1. Patch immediately
   • React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line):
     • React: 19.0.1, 19.1.2, 19.2.1
     • Next.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
   • Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies.
2. Prioritize exposed services
   • Patch all affected systems, starting with internet-facing workloads.
   • Use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and to track remediation progress across your estate.
3. Monitor for exploit activity
   • Review MDVM dashboards and Defender alerts for indicators of attempted exploitation.
   • Correlate endpoint, container, and cloud signals for higher confidence triage.
   • Invoke incident response process to address any related suspicious activity stemming from this vulnerability.
4. Add WAF protections where appropriate
   • Apply Azure Web Application Firewall (WAF) custom rules for Application Gateway and Application Gateway for Containers to help block exploit patterns while patching is in progress. Microsoft has published rule guidance and JSON examples in the Azure Network Security Blog, with ongoing updates as new attack permutations are identified.

Recommended customer action checklist

• Identify affected React Server Components packages in your applications and images.
• Upgrade to patched versions. Refer to the React page for patching guidance.
• Prioritize internet-facing services for emergency change windows.
• Enable and monitor Defender alerts tied to React Server Components exploitation attempts.
• Apply Azure WAF custom rules as a compensating control where feasible.
• Use MDVM to validate coverage and confirm risk reduction post-update.

CVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. Rapid patching combined with layered Defender monitoring and WAF protections provides the strongest short-term and long-term risk reduction strategy.

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

In many cases subsequent activity post exploitation was detected and following alerts were triggered on the victim devices. Note that the following alerts below can also be triggered by unrelated threat activity.

Automatic attack disruption through Microsoft Defender for Endpoint alerts

To better support customers in the event of exploitation, we are expanding our detection framework to identify and alert on CVE-2025-55182 activity across all operating systems for Microsoft Defender for Endpoint customers. These detections are integrated with automatic attack disruption.

When these alerts, combined with other signals, provide high confidence of active attacker behavior, automatic attack disruption can initiate autonomous containment actions to help stop the attack and prevent further progression.

Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud

Microsoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs). Follow the documentation on how to enable agentless scanning:

• Protect your servers with Defender for Servers
• Defender for Containers Deployment Overview

Microsoft Defender Vulnerability Management (MDVM) can surface impacted Windows, Linux, and macOS devices. In addition, MDVM and Microsoft Defender for Cloud dashboards can surface:

• Identification of exposed assets in the organization
• Clear remediation guidance tied to your affected assets and workloads

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Vulnerability Profile: CVE-2025-55182 – React Server Components

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries and recommendations

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Detect potential React2Shell command injection attempt

CloudAuditEvents
| where (ProcessCommandLine == "/bin/sh -c (whoami)" and (ParentProcessName == "node" or ParentProcessName has "next-server"))
        or (ProcessCommandLine has_any ("echo","powershell") and ProcessCommandLine matches regex @'(echo\s+\$\(\(\d+\*\d+\)\)|powershell\s+-c\s+"\d+\*\d+")')
| project Timestamp, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, FileName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Identify encoded PowerShell attempts

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessParentFileName has "node"
| where InitiatingProcessCommandLine  has_any ("next start", "next-server") or ProcessCommandLine  has_any ("next start", "next-server")
| summarize  make_set(InitiatingProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, Timestamp
//looking for powershell activity
| where set_ProcessCommandLine  has_any ("cmd.exe","powershell")
| extend decoded_powershell_1 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"EncodedCommand ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_1b = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"Enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_2 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_3 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"ec ",1).[0]),'"',0).[0]))),"\0","")
| where set_ProcessCommandLine !has "'powershell -c " 
| extend decoded_powershell = iff( isnotempty( decoded_powershell_1),decoded_powershell_1, 
                                                    iff(isnotempty( decoded_powershell_2), decoded_powershell_2,
                                                        iff(isnotempty( decoded_powershell_3), decoded_powershell_3,decoded_powershell_1b)))
| project-away decoded_powershell_1, decoded_powershell_1b, decoded_powershell_2,decoded_powershell_3
| where isnotempty( decoded_powershell)

Identify execution of suspicious commands initiated by the next-server parent process post-exploitation

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName =~ "node.exe" and InitiatingProcessCommandLine has ".js"
| where FileName =~ "cmd.exe"
| where (ProcessCommandLine has_any (@"\next\", @"\npm\npm\node_modules\", "\\server.js")
    and (ProcessCommandLine has_any ("powershell -c \"", "curl", "wget", "echo $", "ipconfig", "start msiexec", "whoami", "systeminfo", "$env:USERPROFILE", "net user", "net group", "localgroup administrators",  "-ssh", "set-MpPreference", "add-MpPreference", "rundll32", "certutil", "regsvr32", "bitsadmin", "mshta", "msbuild")   
         or (ProcessCommandLine has "powershell" and
             (ProcessCommandLine has_any ("Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String", "Start-Process", "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "iwr ", ".UploadFile", "System.Net.WebClient")
                or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))))
   or ProcessCommandLine matches regex @'cmd\.exe\s+/d\s+/s\s+/c\s+"powershell\s+-c\s+"[0-9]+\*[0-9]+""'

Identify execution of suspicious commands initiated by the next-server parent process post-exploitation

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName == "node"
| where InitiatingProcessCommandLine has_any (" server.js", " start", "/server.js")
| where ProcessCommandLine  has_any ("| sh", "openssl,", "/dev/tcp/", "| bash", "|sh", "|bash", "bash,", "{sh,}", "SOCK_STREAM", "bash -i", "whoami", "| base64 -d", "chmod +x /tmp", "chmod 777")
| where ProcessCommandLine !contains "vscode" and ProcessCommandLine !contains "/.claude/"  and ProcessCommandLine !contains "/claude"

Microsoft Defender XDR’s blast radius analysis capability, incorporated into the incident investigation view, allows security teams to visualize and understand the business impact of a security compromise by showing potential propagation paths towards the organization’s critical assets before it escalates into a full blown incident. This capability merges pre-breach estate understanding with post-breach views allowing security teams to map their interconnected assets and highlights potential paths teams can prioritize for remediation efforts based on the criticality of assets and their interconnectivity to the compromised entities.

Microsoft Defender for Cloud

Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. Template titled Internet exposed containers running container images vulnerable to React2Shell vulnerability CVE-2025-55182 and Internet exposed virtual machines vulnerable to React2Shell vulnerability CVE-2025-55182 are added to the gallery.

Microsoft Security Exposure Management

Microsoft Security Exposure Management’s automated attack path analysis maps out potential threats by identifying exposed resources and tracing the routes an attacker might take to compromise critical assets. This analysis highlights vulnerable cloud compute resources, such as virtual machines and Kubernetes containers, that are susceptible to remote code execution vulnerabilities, including React2Shell CVEs. It also outlines possible lateral movement steps an adversary might take within the environment. The attack paths are presented for all supported cloud environments, including Azure, AWS, and GCP.

To view these paths, filter the view in Microsoft Security Exposure Management, filter by entry point type:

• Kubernetes container
• Virtual Machine
• AWS EC2 instance
• GCP compute instance.

Alternatively, in Microsoft Defender for Cloud, customers can filter by titles such as:

• Internet exposed container with high severity vulnerabilities
• Internet exposed Azure VM with RCE vulnerabilities
• Internet exposed GCP compute instance with RCE vulnerabilities
• Internet exposed AWS EC2 instance with RCE vulnerabilities

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Detect network IP and domain indicators of compromise using ASIM

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect Web Sessions IP and file hash indicators of compromise using ASIM

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_sha_hashes =dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);b_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())b| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Detect domain and URL indicators of compromise using ASIM

// Domain list - _Im_WebSession
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);
_Im_WebSession (url_has_any = ioc_domains)

Detect files hashes indicators of compromise using ASIM

// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);dimFileEventd| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]), 
  AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"

Find use of reverse shells

This query looks for potential reverse shell activity initiated by cmd.exe or PowerShell. It matches the use of reverse shells in this attack: reverse-shell-nishang.

Indicators of compromise

The list below is non-exhaustive and does not represent all indicators of compromise observed in the known campaigns:

References

• Critical Security Vulnerability in React Server Components – React
• NVD – CVE-2025-55182
• CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The guidance provided in this blog post represents general best practices and is intended for informational purposes only. Customers remain responsible for evaluating and implementing security measures appropriate for their environments.

The post Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components appeared first on Microsoft Security Blog.

Microsoft urges customers to upgrade to the latest version following Fortra’s recommendations.  We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender, as well as security posture hardening recommendations for customers.

Vulnerability analysis 

The vulnerability, tracked as CVE-2025-10035, is a critical deserialization flaw impacting GoAnywhere MFT’s License Servlet Admin Console versions up to 7.8.3. It enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects.

Successful exploitation could result in command injection and potential RCE on the affected system. Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.

The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware. Public advisories recommend immediate patching, reviewing license verification mechanisms, and closely monitoring for suspicious activity in GoAnywhere MFT environments to mitigate risks associated with this vulnerability.

Exploitation activity by Storm-1175  

Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175. Related activity was observed on September 11, 2025.

An analysis of the threat actor’s TTPs reveals a multi-stage attack. For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent. They dropped the RMM binaries directly under the GoAnywhere MFT process. In addition to these RMM payloads, the creation of .jsp files within the GoAnywhere MFT directories was observed, often at the same time as the dropped RMM tools.

The threat actor then executed user and system discovery commands and deployed tools like netscan for network discovery. Lateral movement was achieved using mstsc.exe, allowing the threat actor to move across systems within the compromised network.

For command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication. During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat. 

• Upgrade to the latest version following Fortra’s recommendations. Note that upgrading does not address previous exploitation activity, and review of the impacted system may be required. 
• Use an enterprise attack surface management product, like Microsoft Defender External Attack Surface Management (Defender EASM), to discover unpatched systems on your perimeter. 
• Check your perimeter firewall and proxy to ensure servers are restricted from accessing the internet for arbitrary connections, like browsing and downloads. Such restrictions help inhibit malware downloads and command-and-control activity. 
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on block mode in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. 
• Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats: 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • Use advanced protection against ransomware 
  • Block web shell creation for servers

Microsoft Defender XDR detections

Following the release of the vulnerability, the Microsoft Defender Research Team ensured that protections are deployed for customers, from ensuring that Microsoft Defender Vulnerability Management correctly identifies and surfaces all vulnerable devices in impacted customer environments, to building Microsoft Defender for Endpoint detections and alerting along the attack chain.

Microsoft Defender Vulnerability Management customers can search for this vulnerability in the Defender Portal or navigate directly to the CVE page to view a detailed list of the exposed devices within their organization.

Customers of Microsoft Defender Experts for XDR that might have been impacted have also been notified of any post-exploitation activity and recommended actions.

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog. 

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Vulnerability profile: CVE-2025-10035 – GoAnywhere Managed File Transfer
• Actor profile: Storm-1175

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Vulnerable devices

Find devices affected by the CVE-2025-10035 vulnerability.

DeviceTvmSoftwareVulnerabilities 
| where CveId in ("CVE-2025-10035") 
| summarize by DeviceName, CveId

Possible GoAnywhere MFT exploitation

Look for suspicious PowerShell commands indicative of GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability. 

DeviceProcessEvents
| where InitiatingProcessFolderPath contains @"\GoAnywhere\"
| where InitiatingProcessFileName contains "tomcat"
| where InitiatingProcessCommandLine endswith "//RS//GoAnywhere"
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("whoami", "systeminfo", "net user", "net group", "localgroup administrators", "nltest /trusted_domains", "dsquery", "samaccountname=", "query session", "adscredentials", "o365accountconfiguration", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "set-MpPreference", "add-MpPreference", "certutil", "bitsadmin")

Look for suspicious cmd.exe commands launched after possible GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability. 

DeviceProcessEvents
| where InitiatingProcessFolderPath contains @"\GoAnywhere\"
| where InitiatingProcessFileName contains "tomcat"
| where InitiatingProcessCommandLine endswith "//RS//GoAnywhere"
| where ProcessCommandLine !contains @"\GIT\"
| where FileName == "cmd.exe"
| where ProcessCommandLine has_any ("powershell.exe", "powershell ", "rundll32.exe", "rundll32 ", "bitsadmin.exe", "bitsadmin ", "wget http", "quser") or ProcessCommandLine has_all ("nltest", "/dclist") or ProcessCommandLine has_all ("nltest", "/domain_trusts") or ProcessCommandLine has_all ("net", "user ", "/add") or ProcessCommandLine has_all ("net", "user ", " /domain") or ProcessCommandLine has_all ("net", " group", "/domain")

Storm-1175 indicators of compromise

The following query identifies known post-compromise tools leveraged in recent GoAnywhere exploitation activity attributed to Storm-1175. Note that the alert Ransomware-linked threat actor detected will detect these hashes. 

let fileHashes = dynamic(["4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220", "c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3", "cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3", "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19"]);
union
(
DeviceFileEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
DeviceEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
DeviceImageLoadEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
DeviceProcessEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Indicators of compromise

File IoCs (RMM tools in identified Storm-1175 exploitation activity):

• 4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220 (MeshAgent SHA-256) 
• c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3 (SimpleHelp SHA-256) 
• cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3 (SimpleHelp SHA-256) 
• 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 (SimpleHelp SHA-256) 

Network IoCs (IPs associated with SimpleHelp):

• 31[.]220[.]45[.]120
• 45[.]11[.]183[.]123
• 213[.]183[.]63[.]41

References

• Deserialization Vulnerability in GoAnywhere MFT’s License Servlet (Fortra)
• CVE-2025-10035 Detail (CVE)
• CVE-2025-10035 Detail (NIST)
• Upgrade Process (GoAnywhere)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability appeared first on Microsoft Security Blog.

After discovering the bypass technique during proactive hunting for processes with privileged entitlements, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2025-31199, as part of security updates for macOS Sequoia, released on March 31, 2025. We thank the Apple security team for their collaboration in addressing this vulnerability and encourage macOS users to apply these security updates as soon as possible.

As a reminder, TCC is a technology designed to prevent applications from accessing users’ personal information, including services such as location services, camera, microphone, Downloads directory, and others, without obtaining prior consent and knowledge from users. The only legitimate method for an application to gain access to these services is through user approval via a popup prompt within the user interface or by granting per-app access in the operating system’s settings.

In this blog post, we display how, despite Spotlight plugins being carefully and heavily restricted to maintain their privileged access to sensitive files, they can still be abused to exfiltrate file contents. Our research demonstrates how this privileged access and the ability to manipulate these plugins blur the line between operating system components, like the mds daemon and mdworker task, and non-OS components, like the plugins themselves. Further, we show how the TCC bypass works against well-defined file types, as well as how it could be abused to get valuable data such as information tagged by Apple Intelligence and remote information of other iCloud account-linked devices.

Background: Spotlight importers

Spotlight is a built-in macOS application that is capable of quickly finding content on a device by means of indexing. Users can use the Command +Space shortcut to trigger a file search. However, Spotlight supports plugins known as Spotlight importers to further index data found on a device. For example, Outlook can index emails for them to appear in search. Those plugins are macOS bundles ending with a .mdimporter suffix, and can be listed by using the mdimport utility with the -L command line flag:

To support that architecture, the technology works in a producer-consumer design, where tools such as Spotlight (or the mdfind command utility) consume data from index files that are saved locally, and an indexing service produces and updates those index files.

The indexing service is known as mds and acts as a system daemon. Upon file modifications, the kernel triggers the mds daemon, which in turn creates a heavily sandboxed task called mdworker, which runs the plugin logic and updates the index.

Spotlight plugins have been studied in the past, notable examples include:

• Csaba Fitzl’s blog post on how they can be used for persistence.
• Csaba Fitzl’s CVE-2024-54533 findings mention that Spotlight was able to access sensitive user data.
• Patrick Wardle’s KnockKnock utility that checks for persistence of Spotlight importers.
• Patrick Wardle’s 2025 Black Hat talk mentions how Spotlight importers can be used for persistence.
• Jonathan Levin’s *OS Internals, Vol I, that examines the workings of Spotlight importers.

Spotlight plugins declare which type of files they can process via their Info.plist file, and when such a file is scanned by the mds daemon, a mdworker task will eventually invoke their GetMetadataForFile function.

Turning a plugin into a TCC bypass

We have covered several TCC bypasses in the past, such as CVE-2021-30970 (“powerdir”) and CVE-2024-44133 (“HM-Surf”). As a reminder, TCC is a technology that prevents apps from accessing users’ personal information, including services such as location services, camera, microphone, Downloads directory, and others, without their prior consent and knowledge. In this blog post, we shall focus primarily on access to private files protected by TCC, such as the Downloads directory, the Pictures directory, or the user’s Desktop.

Due to the privileged access that Spotlight plugins have to sensitive files for indexing purposes, Apple imposes heavy restrictions on them via its Sandbox capabilities. On modern macOS systems, Spotlight plugins are not even permitted to read or write any file other than the one being scanned. However, we have concluded that this is insufficient, as there are multiple ways for attackers to exfiltrate the file’s contents. In our exploit, we have decided to simply log the file’s bytes to the unified log in chunks:

Assuming an attacker knows specific file types they wish to read, they can simply perform the following steps:

1. Change the bundle’s Info.plist and schema.xml files to declare the file types they wish to leak in UTI form. Since we assume an attacker runs locally, this is always possible to resolve, even for dynamic types.
2. Copy the bundle into ~/Library/Spotlight directory. Note the bundle does not need to be signed at all.
3. Force Spotlight to use the new bundle via the mdimport -r command, and validate it’s indeed loaded with the mdimport -L command.
4. Use mdimport -i <path> to recursively scan files under the given path and leak them. Note the calling app does not require TCC permissions to the indexed directory as it’s done by the mdworker task.
5. Use the log utility to read the files contents.

The determination of UTI for dynamic types can be done with the uttype utility, even if the calling app does not have TCC access to the right directory. For example, here is the resolution of the TCC-protected Photos.sqlite file:

Note since .mdimporter is an unsigned bundle, an attacker doesn’t even need to recompile to adjust to other file types—they could just modify Info.plist and schema.xml as they see fit. We therefore conclude an attacker can trivially discover and read arbitrary files from sensitive directories normally protected by TCC. Our initial exploit focused on the Downloads folder, only to later draw our attention to the Pictures folder.

We have coded a full proof-of-concept (POC) exploit code dubbed “Sploitlight” that automates this entire process and shared it with Apple:

Exposing more sensitive data from Apple Intelligence

The ability to read sensitive files is more dangerous than it seems. As it turns out, the newly acclaimed Apple Intelligence (which is installed by default on all ARM-based devices) performs caching of its data under various directories. For example, one such directory lives under the user’s Pictures directory:

Access to those files is protected by the “Pictures” TCC service type and cannot be accessed without a user’s approval. However, as we previously demonstrated with the Sploitlight POC, we can leak arbitrary files’ contents and thus extract the contents of those database files.

There are many great utilities for extracting private information from Photos.sqlite and photos.db, but we’d like to summarize what information attackers would be able to obtain:

Alongside those implications of an attacker gaining such detailed private information on a targeted user’s device, it’s important to remember that Apple devices that share the same iCloud account will have different Photos.sqlite database files, but face tagging and other metadata propagates between devices. This means that an attacker with access to a user’s macOS device would also be able to determine remote information of other devices linked to that user’s iCloud account, such as data from the target user’s iPhone.

In addition, threat actors could just as easily gain private data from other Apple Intelligence cached files, such as email summaries and notes written with ChatGPT.

Strengthening protection against TCC bypass attacks

Attackers with the ability to bypass TCC protections on macOS devices can access sensitive data without user consent. The ability to further exfiltrate private data from protected directories, such as the Downloads folder and Apple Intelligence caches, is particularly alarming due to the highly sensitive nature of the information that can be extracted, including geolocation data, media metadata, and user activities. The implications of this vulnerability are even more extensive given the remote linking capability between devices using the same iCloud account, enabling attackers to determine more remote information about a user through their linked devices. Understanding the implications of TCC bypass vulnerabilities is essential for building proactive defenses that safeguard user data from unauthorized access.

By comprehending the broader impacts of these security concerns, we can better defend users and ensure their digital safety. Microsoft Defender for Endpoint allows organizations to quickly discover and remediate vulnerabilities such as Sploitlight in their increasingly heterogeneous networks. The insights gained from this research have enabled us to enhance Microsoft Defender for Endpoint’s detection mechanisms, providing robust protection against unauthorized access to private data by proactively detecting anomalous .mdimporter bundle installations, alongside any suspicious index of sensitive directories:

By continuously improving our security solutions, we aim to safeguard user information and uphold the trust placed in our products. Moreover, this research emphasizes the importance of continuous vigilance and collaboration with software vendors and the security community to identify and mitigate such vulnerabilities before they can be exploited. We would like to again thank the Apple security team for their collaboration in fixing CVE-2025-31199.

We encourage users to ensure they have applied the security updates released by Apple to mitigate this issue.

As cross-platform threats become more prevalent, Microsoft remains vigilant in monitoring the threat landscape to discover new vulnerabilities and attacker techniques affecting macOS and other non-Windows devices. Our proactive approach to vulnerability discoveries and threat intelligence sharing enhances protection technologies, ensuring that users can enjoy a secure computing experience safeguarded from threats, regardless of the platform or device they use.

Jonathan Bar Or

Alexia Wilson

Christine Fossaceca
Microsoft Threat Intelligence

References

• https://support.apple.com/guide/mac-help/search-with-spotlight-mchlp1008/mac
• https://developer.apple.com/library/archive/documentation/CoreFoundation/Conceptual/CFBundles/AboutBundles/AboutBundles.html
• https://ss64.com/mac/mdimport.html
• https://ss64.com/mac/mdfind.html
• https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/
• https://attack.mitre.org/tactics/TA0003/
• https://nvd.nist.gov/vuln/detail/CVE-2024-54533
• https://objective-see.org/products/knockknock.html
• https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
• https://newosxbook.com/home.html
• https://developer.apple.com/library/archive/documentation/Carbon/Conceptual/MDImporters/Concepts/WritingAnImp.html
• https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox
• https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/understanding_utis/understand_utis_intro/understand_utis_intro.html
• https://manp.gs/mac/1/uttype
• https://www.apple.com/apple-intelligence/
• https://alastairs-place.net/blog/2012/06/06/utis-are-better-than-you-think-and-heres-why/

Learn more

Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability appeared first on Microsoft Security Blog.

On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.

These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706. 

As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues.

Microsoft recommends customers to use supported versions of on-premises SharePoint servers with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode as detailed in Mitigations section below. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.

Observed tactics and techniques

Microsoft observed multiple threat actors conducting reconnaissance and attempting exploitation of on-premises SharePoint servers through a POST request to the ToolPane endpoint.

Post-exploitation activities

Threat actors who successfully executed the authentication bypass and remote code execution exploits against vulnerable on-premises SharePoint servers have been observed using a web shell in their post-exploitation payload.

Web shell deployment

In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc. The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user through a GET request, enabling the theft of the key material by threat actors.

Related IOCs and hunting queries

Microsoft provides indicators of compromise (IOCs) to identify and hunt for this web shell in the Indicators of compromise section of this blog. Microsoft provides related hunting queries to find this dropped file in the Hunting queries section of this blog.

Attribution

As early as July 7, 2025, Microsoft analysis suggests threat actors were attempting to exploit CVE-2025-49706 and CVE-2025-49704 to gain initial access to target organizations. These actors include Chinese state actors Linen Typhoon and Violet Typhoon and another China-based actor Storm-2603.  The TTPs employed in these exploit attacks align with previously observed activities of these threat actors.

Linen Typhoon

Since 2012, Linen Typhoon has focused on stealing intellectual property, primarily targeting organizations related to government, defense, strategic planning, and human rights. This threat actor is known for using drive-by compromises and historically has relied on existing exploits to compromise organizations.

Violet Typhoon

Since 2015, the Violet Typhoon activity group has been dedicated to espionage, primarily targeting former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education, digital and print media, financial and health related sectors in the United States, Europe, and East Asia. This group persistently scans for vulnerabilities in the exposed web infrastructure of target organizations, exploiting discovered weaknesses to install web shells.

Storm-2603

The group that Microsoft tracks as Storm-2603 is assessed with moderate confidence to be a China-based threat actor. Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.

Initial access and delivery

The observed attack begins with the exploitation of an internet-facing on-premises SharePoint server, granting Storm-2603 initial access to the environment using the spinstall0.aspx payload described earlier in this blog. This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint. Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels. The use of cmd.exe and batch scripts is also observed as the actor transitions into broader execution phases. Notably, services.exe is abused to disable Microsoft Defender protections through direct registry modifications.

Persistence

Storm-2603 established persistence through multiple mechanisms. In addition to the spinstall0.aspx web shell, the threat actor also creates scheduled tasks and manipulates Internet Information Services (IIS) components to load suspicious .NET assemblies. These actions ensure continued access even if initial vectors are remediated.

Action on objectives

The threat actor performs credential access using Mimikatz, specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials. The actor moves laterally using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI).

Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.

Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.

Mitigation and protection guidance

Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately.

Customers using SharePoint Server should follow the guidance below.

1. Use or upgrade to supported versions of on-premises Microsoft SharePoint Server.
   • Supported versions: SharePoint Server 2016, 2019, and SharePoint Subscription Edition
2. Apply the latest security updates.
3. Ensure the Antimalware Scan Interface is turned on and configured correctly and deploy Defender Antivirus on all SharePoint servers
   • Configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers which will stop unauthenticated attackers from exploiting this vulnerability.
   • Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
   • If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until you have applied the most current security update linked above. If the server cannot be disconnected from the internet, consider using a VPN or proxy requiring authentication or an authentication gateway to limit unauthenticated traffic.
4. Deploy Microsoft Defender for Endpoint, or equivalent solutions
   • We recommend organizations to deploy Defender for Endpoint to detect and block post-exploit activity.
5. Rotate SharePoint Server ASP.NET machine keys
   • After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart Internet Information Services (IIS) on all SharePoint servers.
     1. Manually using PowerShell
        • To update the machine keys using PowerShell, use the Set-SPMachineKey cmdlet.
     2. Manually using Central Admin: Trigger the Machine Key Rotation timer job by performing the following steps:
        • Navigate to the Central Administration site.
        • Go to Monitoring -> Review job definition.
        • Search for Machine Key Rotation Job and select Run Now.
6. Restart IIS on all SharePoint servers using iisreset.exe. NOTE: If you cannot enable AMSI, you will need to rotate your keys and restart IIS after you install the new security update.
7. Implement your incident response plan.

To protect against post-exploitation activity, including ransomware deployment, Microsoft recommends the following mitigations:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Read our human-operated ransomware blog for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint – or equivalent EDR solution – can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
• Enable LSA protection.
• Enable and configure Credential Guard.
• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Enable controlled folder access.
• Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques. Attack surface reduction rules are sweeping settings that stop entire classes of threats. The following bullet points offer more guidance on specific mitigation advice:
  • Use advanced protection against ransomware.
  • Block credential stealing from the Windows local security authority subsystem.
  • Block process creations originating from PSExec and WMI commands.

Indicators of compromise

Microsoft Defender XDR coverage

Microsoft Defender XDR customers get coordinated protection across endpoints, identities, email, and cloud apps to detect, prevent, investigate, and respond to threats like the SharePoint exploitation activity described in this blog. 

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

The following table outlines the tactics observed in the exploitation attacks discussed in this blog, along with Microsoft Defender protection coverage at each stage of the attack chain: 

Note: These alerts can also be triggered by unrelated threat activity 

Vulnerability management

Customers using Microsoft Defender Vulnerability Management can identify exposed devices and track remediation efforts based on the following CVEs: 

• CVE-2025-53770 – SharePoint ToolShell Auth Bypass and RCE 
• CVE-2025-53771 – SharePoint ToolShell Path Traversal 
• CVE-2025-49704 – SharePoint RCE 
• CVE-2025-49706 – SharePoint Post-auth RCE 

Navigate to Vulnerability management > Weaknesses and filter by these CVE IDs to view exposed devices, remediation status, and Evidence of Exploitation tags.

You can also use this unified advanced hunting query:

DeviceTvmSoftwareVulnerabilities 
| where CveId in ( 
    "CVE-2025-49704", 
    "CVE-2025-49706", 
    "CVE-2025-53770", 
    "CVE-2025-53771") 

External Attack Surface Management (Defender EASM) 

Microsoft Defender External Attack Surface Management (Defender EASM) provides visibility into exposed internet-facing SharePoint instances. The following Attack Surface Insights may indicate vulnerable but not necessarily exploited services: 

• CVE-2025-49704 – SharePoint RCE 
• CVE-2025-53770 – SharePoint ToolShell Auth Bypass and RCE 
• CVE-2025-53771 – SharePoint ToolShell Path Traversal 

Note: A “Potential” insight signals that a service is detected but version validation is not possible. Customers should manually verify patching status. 

Hunting queries

Microsoft Defender XDR

To locate possible exploitation activity, run the following queries in Microsoft Defender XDR security center.  

Successful exploitation using file creation  

Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. 

DeviceFileEvents 
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS", "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS") 
| where FileName contains "spinstall" or FileName contains "spupdate" or FileName contains "SpLogoutLayout" or FileName contains "SP.UI.TitleView" 
or FileName contains "queryruleaddtool" or FileName contains "ClientId"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256 
| order by Timestamp desc

Post-exploitation PowerShell dropping web shell

Look for process creation where w3wp.exe is spawning encoded PowerShell involving the spinstall0.aspx file or the file paths it’s been known to be written to.

DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))   
| where B64Decode contains "spinstall" or B64Decode contains "spupdate" or B64Decode contains "SpLogoutLayout" or B64Decode contains "SP.UI.TitleView" 
or B64Decode contains "queryruleaddtool" or B64Decode contains "ClientId" and B64Decode contains
@'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS' or B64Decode contains @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'

Post-exploitation web shell dropped

Look for the web shell dropped using the PowerShell command.

DeviceFileEvents
| where Timestamp >ago(7d)
| where InitiatingProcessFileName=~"powershell.exe"
| where FileName contains "spinstall" or FileName contains "spupdate" or FileName contains "SpLogoutLayout" or FileName contains "SP.UI.TitleView" 
or FileName contains "queryruleaddtool" or FileName contains "ClientId"

Exploitation detected by Defender

Look at Microsoft Defender for Endpoint telemetry to determine if specific alerts fired in your environment.

AlertEvidence 
| where Timestamp > ago(7d) 
| where Title has "SuspSignoutReq" 
| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName),"") 
| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId,isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey) )

Unified advanced hunting queries

Find exposed devices

Look for devices vulnerable to the CVEs listed in blog.

DeviceTvmSoftwareVulnerabilities 
| where CveId in ("CVE-2025-49704","CVE-2025-49706","CVE-2025-53770","CVE-2025-53771") 

Web shell C2 communication

Find devices that may have communicated with Storm-2603 web shell C2, that may indicate a compromised device beaconing to Storm-2603 controlled infrastructure.

let domainList = dynamic(["update.updatemicfosoft.com"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. Several hunting queries are also available below: 

• Web shell detection
• Possible Webshell drop
• Malicious web application requests linked with Microsoft Defender for Endpoint alerts 
• Web shell activity 

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Detect network indicators of compromise and file hashes using ASIM

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_domains = dynamic(["c34718cbb4c6.ngrok-free.app"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_sha_hashes =dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]), 
  AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"

Post exploitation C2 or file hashes

Find devices that may have communicated with Storm-2603 post exploitation C2 or contain known Storm-2603 file hashes.

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["65.38.121.198"]);
let ioc_sha_hashes =dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514", 
"24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf", 
"b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0", 
"c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94", 
"1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192", 
"4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928", 
"83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060", 
"f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441", 
"b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d", 
"6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d", 
"7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68", 
"567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443", 
"445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86", 
"ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a", 
"6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5", 
"c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Storm-2603 C2 communication

Look for devices that may have communicated with Storm-2603 C2 infrastructure as part of this activity.

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["65.38.121.198"]);
let ioc_domains = dynamic(["update.updatemicfosoft.com"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Microsoft Security Copilot

Microsoft Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• CVE-2025-53770 – Microsoft SharePoint server remote code execution vulnerability
• Storm-2603 exploiting on-premises SharePoint vulnerabilities to distribute Warlock ransomware

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

MITRE ATT&CK techniques observed 

Threat actors have exhibited use of the following attack techniques. For standard industry documentation about these techniques, refer to the MITRE ATT&CK framework. 

Initial Access

• T1190 Exploit public-facing application | Use of known vulnerabilities to exploit internet-facing on-premises SharePoint severs 

Discovery

• T1033 System Owner/User Discovery | Whoami commands run after initial access and privilege escalation

Execution

• T1059.001 Command and scripting interpreter: PowerShell | Use of a web shell to run PowerShell to read and transmit MachineKey data to attacker
• T1059.003 Command and Scripting Interpreter: Windows Command Shell | Use of batch scripts and cmd.exe to execute PsExec
• T1569.002 System Services: Service Execution | Windows service control manager is abused to disable Microsoft Defender protections through registry modifications and launch PsExec
• T1543.003 Create or Modify System Process: Windows Service | PsExec is leveraged Windows services to escalate privileges from administrator to SYSTEM with the -s argument
• T1047 Windows Management Instrumentation | Impacket is used to execute commands through WMI

Persistence

• T1505.003 Server software component: web shell | Threat actors install web shell after exploiting SharePoint vulnerability
• T1505.004 Server Software Component: IIS Components | IIS worker process is loaded suspicious .NET assembly
• T1053.005 Scheduled Task/Job: Scheduled Task | Scheduled task is created to maintain persistence following initial access

Privilege Escalation

• T1484.001 Domain or Tenant Policy Modification: Group Policy Modification | GPO modification deployed batch scripts for ransomware deployment

Defense Evasion

• T1620 Reflective code loading | Reflectively loaded payloads
• T1562.001 Impair Defenses: Disable or Modify Tools | Disabling Microsoft Defender via registry modifications
• T1112 Modify Registry | Disabling Microsoft Defender via registry modifications

Credential Access

• T1003.001 OS Credential Dumping: LSASS Memory | Mimikatz is used to run module sekurlsa::logonpasswords, which lists all available credentials

Lateral Movement

• T1570 Lateral Tool Transfer | Impacket is observed leveraging Windows Management Instrumentation to remotely stage and execute payloads

Collection

• T1119 Automated collection | Use of web shell to display MachineKey data
• T1005 Data from Local System | Host and local system information gathered by adversary during attack

Command and Control

• T1090 Proxy, Technique | Fast reverse proxy tool used for C2 communications

Impact

• T1486 Data Encrypted for Impact | Files are encrypted in victim environments as part of ransomware attack

References

• CVE-2025-53770 (MSRC)
• CVE-2025-49704 (MSRC
• CVE-2025-49706 (MSRC
• CVE-2025-53771 (MSRC)

Learn more

Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Disrupting active exploitation of on-premises SharePoint vulnerabilities appeared first on Microsoft Security Blog.

Microsoft Threat Intelligence assesses with moderate confidence that Marbled Dust conducts reconnaissance to determine whether their targets are Output Messenger users and chooses this attack vector based on that knowledge. Successful exploitation allows the threat actor to deliver multiple malicious files and exfiltrate data from targets.

Upon discovering the Output Messenger zero-day vulnerability (CVE-2025-27920), Microsoft notified Srimax, the developer of the messaging app, who issued a software update. Microsoft also identified a second vulnerability in Output Messenger (CVE-2025-27921) for which Srimax has also released a patch; however, Microsoft has not observed exploitation of this second vulnerability. We acknowledge Srimax for their collaboration and for addressing both vulnerabilities.

In this blog, we present details on how Marbled Dust uses the Output Messenger zero-day exploit in the attack chain of this campaign. We also share mitigation and protection guidance, and detection details and hunting queries. Microsoft Threat Intelligence recommends users upgrade Output Messenger to its latest version to address the vulnerability leveraged by Marbled Dust.

Who is Marbled Dust?

Microsoft Threat Intelligence assesses that Marbled Dust operates as a Türkiye-affiliated espionage threat actor. Marbled Dust targets entities in Europe and the Middle East, particularly government institutions and organizations that likely represent counter interests to the Turkish government, as well as targets in the telecommunications and information technology sectors. Marbled Dust overlaps with activity tracked by other security vendors as Sea Turtle and UNC1326.

In previous campaigns, Marbled Dust was observed scanning targeted infrastructure for known vulnerabilities in internet-facing appliances or applications and exploiting these vulnerabilities as a means of gaining initial access to target infrastructure providers. They were also observed using access to compromised DNS registries and/or registrars to reset the DNS server configuration of government organizations in various countries to intercept traffic, enabling them to log and reuse stolen credentials.

This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.

Output Messenger zero-day

Microsoft security researchers identified the zero-day vulnerability exploited by Marbled Dust. This directory traversal vulnerability (CVE-2025-27920) in the Output Messenger Server Manager application could allow an authenticated user to upload malicious files into the server’s startup directory. Marbled Dust exploited this vulnerability to save the malicious file OMServerService.vbs to the startup folder.

The Output Messenger Server Manager application provides the server owner with the option to enable an output drive, allowing users to upload and download files from the server. Once this is enabled, any user can upload files to the server. By default, these files are stored at C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File on the server. Once a user is authenticated, they can upload a file and replace the “name” value in the request with their directory traversal string, for example, name=”../../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/OMServerService.vbs.

In the Output Messenger architecture, the client and server communicate to provide messaging, file sharing, and other collaborative features. When the client is launched, it connects to the server and sends user credentials to the server for validation before the server authenticates the user. Messages sent from the client are forwarded to the server, which acts as a relay. When a file is shared via the client, it can either be directly transferred to another user or stored on the server for later retrieval.

Once Marbled Dust gains access to the Output Messenger server, the threat actor can leverage Output Messenger system architecture to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Attack chain

The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager application as an authenticated user. While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity.

Marbled Dust uses this foothold in a single victim to collect the user’s Output Messenger credentials and exploit the CVE-2025-27920 vulnerability, a directory traversal attack in the Output Messenger Server Manager application that allows an authenticated user to drop malicious files to the server’s startup directory. Marbled Dust drops the malicious files OM.vbs and OMServerService.vbs to the Output Messenger server startup folder and drops the malicious file OMServerService.exe to the server’s Users/public/videos directory.

Marbled Dust then uses OMServerService.vbs to call OM.vbs, which is passed to OMServerService.exe as an argument. At the time of reporting, file OM.vbs was not available for analysis. OMServerService.exe, on the other hand, is a GoLang backdoor masquerading as the legitimate file of the same name. GoLang is particularly effective in this case because it is not sensitive to OS versions. In some cases, OMServerService.exe is observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration.

On the client side, the installer extracts and executes both the legitimate file OutputMessenger.exe and OMClientService.exe, another GoLang backdoor that connects to a Marbled Dust command-and-control (C2) domain. This backdoor first performs a connectivity check via GET request to the C2 domain api.wordinfos[.]com. If successful, a second GET request is sent to the same C2 containing hostname information to uniquely identify the victim. The response from the C2 is then directly executed using the command “cmd /c” which instructs the Windows command prompt to run a specific command and then terminate.

In at least one case, a victim device with the Output Messenger client software was observed connecting to an IP address attributed to Marbled Dust likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions to a RAR file on the desktop. This connection to the Marbled Dust-attributed IP address is frequently accomplished using plink—the command-line version of the PuTTY SSH client for Windows.

Mitigations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Strengthen operating environment configuration

• Ensure that Output Messenger is updated to a version that is not affected by the vulnerability:
  • Version 2.0.63 for Windows
  • Version 2.0.62 for Server
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product.
• Create Defender for Cloud Apps anomaly detection policies.
• Use a vulnerability management system, such as Microsoft Defender Vulnerability Management, to manage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems, software inventories, and network devices.
•  Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Organizations can also use Microsoft Defender External Attack Surface Management (EASM), a tool that continuously discovers and maps digital attack surface to provide an external view of your online infrastructure. EASM leverages vulnerability and infrastructure data to generate Attack Surface Insights, reporting that highlights key risks to a given organization.
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion   

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Enable network protection in Microsoft Defender for Endpoint.
• Turn on web protection.
• Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.   

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

Alerts with the following title in the security center can indicate threat activity on your network:

• Marbled Dust activity group

Microsoft Defender for Cloud

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Traffic detected from IP addresses recommended for blocking
• Communication with suspicious domain identified by threat intelligence

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Marbled Dust actor profile

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries and component search

Microsoft Defender XDR component search

Microsoft Defender XDR customers can search for Output Messenger components in their environment through the XDR portal Intel explorer components search function.

Navigate to Intel Explorer. Search for “output messenger”. On the summary tab, scroll down to “Components on IP” and click the View all selection at the bottom to display the full results. Note: the results of the search may not include the version of the Output Messenger component.

Microsoft Defender XDR advanced hunting queries

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

OMServerService.vbs script

Surface devices that possess the OMServerService.vbs file that attempts to launch the Marbled Dust GoLang backdoor.

DeviceFileEvents
| where FileName == "OMServerService.vbs"
| where FolderPath has @"/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields

Marbled Dust C2

Surface devices that might have communicated with Marbled Dust C2.

let domainList = dynamic(["api.wordinfos.com"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Executable file or launch script (requires Microsoft Defender XDR)

Identify devices that might have the executable file or launch script present as part of this activity.

DeviceFileEvents
| where FileName == "OM.vbs" or FileName == "OMServerService.exe"
| where FolderPath has @"c:\users\public\videos\"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields

Marbled Dust VBS script file hashes (requires Microsoft Defender XDR)

Search for the file hashes associated with the Marbled Dust VBS script files used in this activity.

let fileHashes = dynamic(["1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39", 
"2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63"]);
union
(
   DeviceFileEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
   DeviceEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
   DeviceImageLoadEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
   DeviceProcessEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Indicators of compromise

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Marbled Dust leverages zero-day in Output Messenger for regional espionage appeared first on Microsoft Security Blog.

Similar to our discovery of another sandbox escape vulnerability in 2022, we uncovered this issue while researching potential methods to run and detect malicious macros in Microsoft Office on macOS. After discovering this issue, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2025-31191, as part of security updates released on March 31, 2025. We want to thank the Apple product security team for their collaboration and responsiveness. We encourage macOS users to apply security updates as soon as possible.

This blog post details our investigation into using Office macros to escape the macOS App Sandbox and how we uncovered the CVE-2025-31191 vulnerability. We further demonstrate how the exploit could allow an attacker to delete and replace a keychain entry used to sign security-scoped bookmarks to ultimately escape the App Sandbox without user interaction. This research underscores how security solutions like Microsoft Defender for Endpoint protect devices from cross-platform threats, as well as how collaboration and responsible disclosure are essential to defend users across all platforms and devices.

The macOS App Sandbox and Office macros

The macOS App Sandbox is a security mechanism employed on macOS applications, enforcing strict fine-grained rules on what an app can or cannot do. For example, an app can specify whether it should have internet access or whether it should be able to access specific files. To get apps signed by Apple and published in the Mac App Store, developers must have sandbox rules defined for their apps.

Since 2022, Apple has made significant changes to how the App Sandbox is enforced from within Launch Services, making them aware of the XPC client being sandboxed. That means vulnerabilities that use Launch Services, such as the CVE-2022-26706 vulnerability, as well as CVE-2021-30864, CVE-2022-26696, and others, will not work anymore. Since Microsoft Office is heavily sandboxed on macOS, it seems that the impact of malicious Office macros is minimal and cannot be trivially used as an initial access vector.

Nevertheless, our team decided to perform a threat landscape analysis. With modern Microsoft Office for macOS being heavily sandboxed, two new VBA APIs have been introduced and documented:

• AppleScriptTask. This API allows a Microsoft Office macro to run a preassigned AppleScript. The script must be under the directory ~/Library/Application Scripts/[bundle id]/, which is not accessible for writing from within Office itself. Therefore, script execution cannot be used for VBA-based sandbox escape purposes.
• GrantAccessToMultipleFiles. This API grants read and write access to files out of the sandbox from within the macro, which involves heavy user interaction to select and approve those files.

Since the AppleScriptTask API did not have obvious vulnerabilities, we started focusing on the GrantAccessToMultipleFiles API.

Interestingly, we noticed that the user’s choice is persistently saved and used, even between reboots. This indicates that the user’s consent is stored in a file that we can attempt to access. An attacker could aim to obtain write and read access to arbitrary files without the user’s consent and then escape the macOS App Sandbox by abusing files that would later be used by other apps (such as the file ~/.zshenv that we analyzed in the past). In such an attack, the attacker could rely on unsuspecting users approving file access to allow trivial sandbox escapes.

File access approval using kernel tokens

We discovered that the file that persists the user’s choices is a PLIST file under the Containers folder. The Containers folder is a special folder in which App Sandbox rules do not apply, which means that the sandboxed app has full access to files there. This is quite attractive for vulnerability research purposes since it means that an attacker might be able to add entries to that file and simply get access to arbitrary files mentioned in that PLIST file.

Microsoft Office uses a macOS mechanism called security-scoped bookmarks, which is a mechanism designed by Apple to specifically bypass the App Sandbox rules using explicit, persistent user choices. We do note that the file seems to contain binary signatures, so frivolously adding new entries or modifying existing ones is not possible.

Therefore, our team decided to reverse engineer large parts of the macOS modules that support this behavior. However, to fully understand and appreciate the security design of security-scoped bookmarks, it’s important to understand how sandboxed apps typically get access to files.

In general, sandboxed apps typically get access to files if a user selects them using the Open dialog. That dialog is controlled by an un-sandboxed service called com.apple.appkit.xpc.openAndSavePanelService.xpc. After the user selects the files, that un-sandboxed service transfers access to the selected files to the sandboxed app (using IPC) via a mechanism called sandbox extensions, which was documented well by Jonathan Levin in the past. Essentially, sandbox extensions are tokens created and signed by the kernel that grant the possessing process the ability to access those files, typically using the lower-level API under libsystem_sandbox.dylib. In our case, the Open dialog service passes a sandbox extension token from the kernel to Microsoft Office, which then uses the token for file access purposes, bypassing App Sandbox checks. The token itself contains:

• HMAC-SHA256 authentication. The key used for that HMAC is generated in each boot by the Sandbox.kext kernel extension.
• Volume, node information, and other file metadata.
• Capability (such as com.apple.app-sandbox.read-write).
• File path.

Because the key that is used to sign the HMAC-SHA256 blob is generated in each new boot, the token cannot persist between reboots. To solve that problem, Apple came up with security-scoped bookmarks, which do something very similar. A new un-sandboxed process called ScopedBookmarkAgent was introduced, which can perform two important tasks:

1. Given a sandbox extension token, validate its authenticity and generate a new, serializable object called “bookmark,” which will have a long-term HMAC-SHA256 authentication.
2. Given a bookmark, validate its authenticity and generate a new sandbox extension token.

Applications such as Microsoft Office could then use those capabilities to maintain long-term file access:

1. On the first call to GrantAccessToMultipleFiles, Office checks if there are file entries in its securebookmarks.plist file. Since there are no matching entries, Office consults the Open dialog service, which requires user interaction and receives a sandbox extension token. That token is sent to the ScopredBookmarkAgent, which validates the token and then signs it with its own unique, long-term cryptographic key. That data is then serialized by Office to the securebookmarks.plist file for later use.
2. On the next call to GrantAccessToMultipleFiles, Office finds the entry in its securebookmarks.plist file and sends the data to the ScopedBookmarkAgent, which validates the signature and generates a sandbox extension token that Office can use without user interaction involved.

The HMAC-SHA256 authentication blob generated by ScopedBookmarkAgent cannot be forged unless an attacker has the cryptographic key. The signing key is unique for each app and calculated as such:

cryptoKey=HMAC-256(secret, “[bundle-id]”)

The bundle ID is known (for instance, com.microsoft.Word) and the key persists in Keychain Access on macOS, saved in the keychain entry com.apple.scopedbookmarksagent.xpc.

Therefore, knowing the secret that is stored in the keychain is essential to retrieving the cryptoKey, and that’s the only barrier against an attacker signing their own bookmark entries.

Escaping the App Sandbox via the keychain

The macOS keychain can be thought of as a built-in password manager, conceptually similar to how Credential Manager works on Windows. The keychain is a container for passwords and has Access Control Lists (ACL) that dictate which process can access each keychain item. The keychain entry we are interested in is com.apple.scopedbookmarksagent.xpc, and its ACL dictates only the ScopedBookmarkAgent has access to it, which is an excellent security decision by Apple, since injection to that process is not trivial, especially from a sandboxed context.

It seems as if an attacker cannot do much as they operate within the sandboxed app context and not the ScopedBookmarkAgent context, so attackers cannot get the key and, therefore, cannot sign arbitrary new entries in the PLIST file indirectly used by the ScopedBookmarkAgent. However, we discovered that the ACL only controls the ability to read the secret. An attacker could completely avoid reading the existing secret and instead can delete the existing entry and add a new entry, with a well-known secret. In addition, the attacker could control the new entry’s ACL and allow anyone to read the contents of the secret, including ScopedBookmarkAgent:

Therefore, an attacker can create an elaborate exploit:

1. Delete the old signing secret from the keychain and decide on a new known secret that is accessible to all processes.
2. Calculate the cryptographic key for an app since its bundle ID is known (key = HMAC-SHA256(knownSecret, [bundle-id])).
3. Artificially sign new entries in the persistent scoped bookmarks PLIST file that is accessible since it persists in the Containers directory.
4. Invoke GrantAccessToMultipleFiles, which sends the newly self-signed bookmarks to ScopedBookmarkAgent. Since ScopedBookmarkAgent uses the new secret, the bookmarks are considered authentic, and therefore ScopedBookmarkAgent grants the sandboxed app the access token without user interaction.
5. Use the new arbitrary file access capability to escape the macOS sandbox.

As corroborated by our research, this exploit works against any sandboxed app that uses security-scoped bookmarks and is therefore a generic macOS sandbox escape.

Strengthening device security through vulnerability management and threat intelligence sharing

Security technologies such as the macOS App Sandbox are designed to protect the device from malware and other cybersecurity threats, both as a default security measure and a final safeguard. Nonetheless, attackers continue to find new ways of breaking through these defenses for these same reasons, as they can gain full access to the device and run any files or processes they want without being detected by conventional security solutions.

Our research on the CVE-2025-31191 vulnerability highlights why organizations need a security solution like Microsoft Defender Vulnerability Management that enables them to identify and remediate vulnerabilities and misconfigurations on devices in real time and prioritize those in need of immediate attention. Additionally, Microsoft Defender for Endpoint detects and alerts on anomalous device activities using advanced behavioral analytics and machine learning. In this case, Microsoft Defender for Endpoint detects sandboxed apps controlling security keys that normally are not accessed by those apps. Moreover, in the context of our exploit, Defender for Endpoint detects such behavior as suspicious and blocks the activity, rendering the exploit unusable.

Lastly, this research emphasizes the value and necessity of responsible disclosure and collaboration throughout the security community. Vulnerability discoveries, cooperation between security researchers and vendors, and coordinated response across the security community are all paramount to defend against the ever-growing and ever-changing threats across platforms. These activities, along with other forms of threat intelligence sharing, strengthen and enhance our security technologies to help safeguard users across platforms and devices.

Learn how Microsoft Defender for Endpoint delivers a complete endpoint security solution across all platforms.

Jonathan Bar Or

Microsoft Threat Intelligence

References

• https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
• https://support.apple.com/en-us/122375
• https://developer.apple.com/documentation/security/app-sandbox
• https://developer.apple.com/documentation/coreservices/launch_services
• https://developer.apple.com/documentation/xpc
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26706
• https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c
• https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassing-app-sandbox-restrictions/
• https://wojciechregula.blog/post/macos-sandbox-escape-via-terminal/
• https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
• https://attack.mitre.org/techniques/T1204/
• https://wikipedia.org/wiki/Property_list
• https://developer.apple.com/documentation/professional_video_applications/fcpxml_reference/asset/media-rep/bookmark/enabling_security-scoped_bookmark_and_url_access?language=objc
• https://wikipedia.org/wiki/Inter-process_communication
• https://newosxbook.com/files/HITSB.pdf
• https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac
• https://developer.apple.com/documentation/security/keychain_services/access_control_lists

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape appeared first on Microsoft Security Blog.

Threat actors have consistently relied on outdated or misconfigured assets, exploiting vulnerabilities that enable them to gain a persistent foothold inside the target. For instance, in the case of Exchange Server, ProxyShell and ProxyNotShell vulnerabilities were widely exploited in attacks long after they were fixed by security updates in 2021 and 2022, respectively. In these attacks, threat actors abused a combination of server-side request forgery (SSRF) and privilege escalation flaws, allowing remote code execution. Successful compromise enabled threat actors to drop web shells, conduct lateral movement, and exfiltrate sensitive data, often evading detection for extended periods. More recently, attackers have shifted to NTLM relay and credential leakage techniques. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Attackers exploit NTLM authentication by relaying credentials to a vulnerable server, potentially resulting in target account compromise. Microsoft has released mitigation guidance against NTLM relay attacks.

SharePoint Server has also been a consistent target for attackers exploiting critical vulnerabilities to gain persistent and privileged access inside the target. In recent attacks, stealthy persistence tactics, such as replacing or appending web shell code into existing files like signout.aspx, installing remote monitoring and management (RMM) tools for broader access, and other malicious activities were observed.

While cloud-based software offers some inherent security advantages in software updates and high availability, some organizations’ requirements mean they need to run on-premises Exchange and SharePoint implementations. As cyber threats continue to grow in sophistication, it has never been more important to ensure that the on-premises infrastructure remains secure. This AMSI integration on SharePoint Server and Exchange Server becomes especially important when attackers attempt to exploit security vulnerabilities, particularly zero-days. With AMSI integrated, these malicious attempts are detected and blocked in real-time, offering a critical defense mechanism while organizations work on installing official patches and updates. AMSI detections are surfaced on the Microsoft Defender portal, enabling SecOps teams to investigate, correlate with other malicious activity in the environment, and remediate.

In this blog post, we discuss different types of attacks targeting Exchange and SharePoint, and demonstrate how AMSI is helping organizations protect against these attacks. We also share mitigation and protection guidance, as well as detection details and hunting queries.

AMSI integration

In both SharePoint Server and Exchange Server, AMSI is integrated as a security filter module within the IIS pipeline to inspect incoming HTTP requests before they are processed by the application. The filter is triggered at the onBeginRequest stage through the SPRequesterFilteringModule for SharePoint Server and HttpRequestFilteringModule for Exchange Server, allowing it to analyze incoming requests before they reach authentication and authorization phases. This integration ensures that potential threats are identified before they interact with internal processing, mitigating the risk of exploitation. On detecting a malicious request, the application returns a HTTP 400 Bad Request response.

Extending AMSI with request body scan

When AMSI was first integrated, it provided an important layer of defense by scanning incoming request headers. This was crucial for identifying malicious activity, particularly SSRF attempts. However, many modern attacks are now embedded within request bodies, rather than just in the headers. This meant that header-only scans were no longer enough to catch the full range of sophisticated threats.

To address this emerging risk, we added newer improvements in both products. The Exchange Server November release extended capabilities to include scanning of request bodies, ensuring broader protection. A similar improvement is added to SharePoint Server currently in public preview. These enhanced security controls are not enabled by default, making it crucial for organizations to assess for stronger protection.

Microsoft recommends evaluating and enabling these extended options for better protection and visibility. These enhancements are especially important for detecting and mitigating remote code execution vulnerabilities and particularly post-authentication vulnerabilities where SSRF may not be needed. The introduction of request body scanning is a critical step in our commitment to protect these crown jewels against more sophisticated, evasive threats. With the ability to inspect the full content of incoming requests, AMSI now detects a wider range of malicious activities.

Attacks targeting Exchange and SharePoint servers

SSRF exploitation

Server-side request forgery (SSRF) can allow attackers to make unauthorized requests on behalf of the server, potentially accessing internal services, metadata endpoints, or even escalating privileges. Attackers can exploit SSRF to bypass authentication mechanisms by leveraging internal API calls. Additionally, by chaining SSRF with additional flaws, attackers could gain unauthorized access to the backend and perform arbitrary remote code execution within the environment.

One example is CVE-2023-29357, a critical authentication bypass vulnerability in SharePoint Server. This flaw allowed attackers to bypass authentication and gain elevated privileges by exploiting improper validation of security tokens. In attacks, this was combined with another vulnerability, CVE-2023-24955, to achieve unauthenticated remote code execution on vulnerable SharePoint servers.

Another example is CVE-2022-41040, an AutoDiscover SSRF vulnerability in Exchange Server. By targeting AutoDiscover, attackers exploited the trust relationships within Exchange to impersonate users and trigger backend functionality that normally requires authentication, laying the groundwork for remote code execution.

AMSI acted as first layer of defense against these incidents, protecting customers against thousands of SSRF attempts observed on a daily basis, thereby breaking the exploitation chain.

Suspicious access indicative of web shell interaction

In many intrusions, attackers drop web shells into public-facing directories. In one such Exchange server compromise, AMSI logged a suspicious .aspx file interaction. This was highlighted by Microsoft Defender for Endpoint simply because there is no .aspx file by that name in the said folder path:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\.

Attackers often rename web shells to legitimate filenames seen in different folder to avoid suspicion. In this case, the filename getidtoken is a default shipped file but with .htm extension.

Similar stealthy activities have also been observed for SharePoint. In one case, the attackers modified the legitimate signout.aspx file by appending web shell code. This allowed attackers to create a stealthy backdoor and maintain persistence without raising suspicion.

AMSI acts as a real-time inspection and defense layer similar to a web application firewall (WAF) and plays a critical role in detecting and responding to active compromises. AMSI inspects incoming requests, captures malicious web shell interactions, and logs them for analysis. This level of visibility enables Microsoft Defender for Endpoint to pinpoint the exact location of malicious files on disk, such as within Exchange’s Outlook Web Application (OWA), where attackers commonly stage web shells. By correlating AMSI network logs with suspicious activity, Microsoft Defender for Endpoint can locate and remove previously undetected files, effectively cleaning the infected server and mitigating further damage. Importantly, this capability provides durable protection, allowing defenders to monitor and react to threats even in post-compromise scenarios.

Suspicious mailbox access through Exchange Web Services (EWS) abuse

Exchange Web Services (EWS) is a core component of Microsoft Exchange that allows programmatic access to mailboxes through SOAP-based APIs. While this is critical for legitimate operations such as Outlook integration, mobile sync, and third-party app, the service is also widely abused by threat actors. Notably, in incidents like CVE-2023-23397, EWS was used post-compromise to search mailboxes for sensitive content and exfiltrate emails over HTTPS, blending in with legitimate traffic.

Attackers leverage EWS’s deep access to perform mailbox searches, download entire inboxes, and set up hidden forwarding rules, often using stolen credentials or after gaining a foothold via another Exchange vulnerability. Attackers commonly abuse EWS APIs — GetFolder, FindItem, and GetItem — to stealthily search and exfiltrate sensitive emails from compromised mailboxes. GetFolder API maps the mailbox structure, which can be used to identify key folders like Inbox and Sent Items. FindItem API allows searching for emails containing specific keywords or supplied datetime filter to retrieve relevant results. Finally, GetItem API is used to view full email contents and attachments.

This API-driven abuse technique blends in with legitimate EWS traffic, making detection challenging without deep content inspection. AMSI addresses this with request body scanning, which enables real-time detection of suspicious search patterns, abnormal access, and targeted email theft. Below is a sequence of suspicious SOAP calls logged by AMSI when attackers attempt to exfiltrate emails.

Insecure deserialization leading to RCE

The PowerShell application pool is a privileged component that handles remote PowerShell sessions in Exchange, typically invoked by Exchange Control Panel (ECP) or Exchange Management Shell (EMS). It runs under SYSTEM or high-privileged service accounts, making it a prime target for misuse. After gaining access to backend PowerShell endpoints, attackers can pass crafted cmdlets and arguments that trigger operations such as arbitrary file writes and command execution. This method has been observed in major incidents like ProxyShell and ProxyNotShell, where attackers execute system-level commands via crafted PowerShell requests.

A common pattern seen in these attacks is the use of legitimate management cmdlets like Get-Mailbox, New-MailboxExportRequest, or Set- commands, but with crafted arguments or malicious serialization payloads that trigger code execution in the backend. AMSI now has complete visibility into all the backend PowerShell commands along with the passed arguments to inspect the request buffer for any suspicious API calls such as Process.Start, various file write APIs and Assembly.load.

Web control abuse

Exploitation of vulnerabilities like CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023 exemplify attacks that abuse Site owner privileges to execute arbitrary code on the SharePoint server. The exploitation leverages the Business Data Connectivity (BDC) feature and malicious use of the BDCMetadata.bdcm file. This XML-based file defines connections to external data sources but could be abused to reference dangerous .NET classes and methods. Once the malicious .bdcm file is uploaded and registered in SharePoint’s BDC service (using site owner permissions), the attacker can trigger execution by creating an External List or web part that interacts with the BDC model. SharePoint processes this model and reflectively loads and executes the specified method, leading to RCE as the SharePoint service account, which typically has high privileges. With body scan enabled, the complete payload is available for inspection and surfaces LobSystem type as DotNetAssembly hinting at code execution. AMSI’s deep integration enables visibility into the malicious Base64 buffer, which Microsoft Defender for Endpoint leverages to detect and block code execution attempts.

Mitigation and protection guidance

As these attacks show, SharePoint and Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive techniques. Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take:

• Activate AMSI on Exchange Server and SharePoint Server. AMSI is a versatile standard that allows applications and services to integrate with any AMSI-capable anti-malware product present on a device. Starting with SharePoint Server Subscription Edition Version 25H1, AMSI extends its scanning capabilities to include the bodies of HTTP requests. The Exchange AMSI body scanning feature was introduced with the Exchange Server November 2024 Security Update (SU). Microsoft recommends updating Exchange Server and SharePoint Server to these versions or later to take advantage of the new improved body scanning feature. This request body scan feature is critical for detecting and mitigating threats that may be embedded in request payloads, providing a more comprehensive security solution. Check prerequisites and learn how to configure AMSI in the following resources:
  • AMSI integration with Exchange Server
  • Configure AMSI integration with SharePoint Server
• Apply the latest security updates. Identify and remediate vulnerabilities or misconfigurations in Exchange and SharePoint Server. Deploy the latest security updates as soon as they become available. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.
• Keep antivirus and other protections enabled. It’s critical to protect SharePoint and Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services. If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.
• Review sensitive roles and groups. Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange/SharePoint -specific anomalies, review the list of users in sensitive roles.
• Restrict access. Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and Enable MFA. Use tools like LAPS.
• Prioritize alerts. The distinctive patterns of SharePoint and Exchange server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Public facing application pools are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and powershell.exe originating from these pools or w3wp.exe in general.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats on SharePoint Server as the following malware:

• Exploit:Script/SPLobSystemRCE.A
• Exploit:Script/SPLobSystemRCE.B
• Exploit:Script/SPAuthBypass.A

Microsoft Defender Antivirus detects threats on Exchange Server as the following malware:

• Exploit:Script/SuspMailboxSearchEWS.A
• Exploit:Script/SuspExchgSession.D
• Exploit:Script/ExchgProxyRequest

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might indicate activity related to this threats discussed in this blog. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Possible web shell installation
• Possible IIS web shell
• Suspicious processes indicative of a web shell
• Possible IIS compromise
• Suspicious Exchange Process Execution 
• Possible exploitation of Exchange Server vulnerabilities

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used by the threats discussed in this blog:

CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2022-41040, CVE-2022-41082, CVE-2019-0604, CVE-2024-21413, CVE-2023-23397, CVE-2023-36563, CVE-2023-29357, CVE-2023-24955, CVE-2024-38094, CVE-2024-38024, CVE-2024-38023

Microsoft Security Exposure Management

Microsoft Security Exposure Management (MSEM) provides enhanced visibility for important assets by offering customers predefined classification logics for high-value assets. This includes both managed (Microsoft Defender for Endpoint-onboarded) and unmanaged Exchange servers.

Customers can review the device inventory and the critical classification library to identify Exchange servers and consider applying the new security settings on them.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Processes run by the IIS worker process

Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance.

DeviceProcessEvents
| where InitiatingProcessFileName == 'w3wp.exe'
| where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "SharePoint"
| where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe")
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Chopper web shell command line

Chopper is one of the most widespread web shells targeting SharePoint and Exchange servers. Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe" and FileName == "cmd.exe"
| where ProcessCommandLine has "&cd&echo"

Suspicious files in SharePoint or Exchange directories

DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "\\FrontEnd\\HttpProxy\\" or FolderPath has "\\TEMPLATE\\LAYOUTS\\ " or FolderPath has "\\aspnet_client\\"
| where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "Sharepoint"
| project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

• Exchange OAB virtual directory attribute containing potential web shell 
• Web shell activity 
• Malicious web application requests linked with Microsoft Defender for Endpoint alerts 
• Exchange IIS worker dropping web shell 
• Web shell detection
• Detect MailSniper Activity 

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI appeared first on Microsoft Security Blog.

In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware. Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment. Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.

This blog details Microsoft’s analysis of the observed CLFS exploit and related activity targeting our customers. This information is shared with our customers and industry partners to improve detection of these attacks and encourage rapid patching or other mitigations, as appropriate. A more comprehensive recommendations section, with indicators of compromise and detection details can be found at the end of the blog post.

CVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)

The exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel driver. Successful exploitation allows an attacker running as a standard user account to escalate privileges. The vulnerability is tracked as CVE-2025-29824 and was fixed on April 8, 2025.

Pre-exploitation activity

While Microsoft hasn’t determined the initial access vectors that led to the devices being compromised, there are some notable pre-exploitation behaviors by Storm-2460. In multiple cases, the threat actor used the certutil utility to download a file from a legitimate third-party website that was previously compromised to host the threat actor’s malware.

The downloaded file was a malicious MSBuild file, a technique described here, that carried an encrypted malware payload. Once the payload was decrypted and executed via the EnumCalendarInfoA API callback, the malware was found to be PipeMagic, which Kaspersky documented in October 2024. Researchers at ESET have also observed the use of PipeMagic in 2023 in connection with the deployment of a zero-day exploit for a Win32k vulnerability assigned CVE-2025-24983. A domain used by the PipeMagic sample was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled by Microsoft.

CLFS exploit activity

Following PipeMagic deployment, the attackers launched the CLFS exploit in memory from a dllhost.exe process.

The exploit targets a vulnerability in the CLFS kernel driver. It’s notable that the exploit first uses the NtQuerySystemInformation API to leak kernel addresses to user mode. However, beginning in Windows 11, version 24H2, access to certain System Information Classes within NtQuerySystemInformation became available only to users with SeDebugPrivilege, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows 11, version 24H2, even if the vulnerability was present.

The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.

As part of the exploitation, a CLFS BLF file with the following path is created by the exploit’s dllhost.exe process: C:\ProgramData\SkyPDF\PDUDrv.blf.

Post-exploitation activity leads to ransomware activity

Upon successful exploitation, a payload is injected into winlogon.exe. This payload then injected the Sysinternals procdump.exe tool into another dllhost.exe and ran it with the following command line:

C:\Windows\system32\dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\[random letters].

Having done this, the actor was able to dump the memory of LSASS and parse it to obtain user credentials.

Then, Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a ransom note with the name !_READ_ME_REXX2_!.txt was dropped. Microsoft is tracking activity associated with this ransomware as Storm-2460.

Although we weren’t able to obtain a sample of ransomware for analysis, we’re including some notable events surrounding the activity to better help defenders:

• Two .onion domains have been seen in the !_READ_ME_REXX2_!.txt ransom notes
  • jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion which has been tied to the RansomEXX ransomware family
  • uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion
• The ransomware is launched from dllhost.exe with the command line:

--do [path_to_ransom] (for example, C:\Windows\system32\dllhost.exe --do C:\foobar)

• The file extension on the encrypted files is random per device, but the same for every file
• Some typical ransomware commands that make recovery or analysis harder are executed, including:
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet
  • wevtutil cl Application
• In one observed case the actor spawned notepad.exe as SYSTEM

Mitigation and protection guidance

Microsoft released security updates to address CVE 2025-29824 on April 8, 2025. Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even if the vulnerability was present. Microsoft urges customers to apply these updates as soon as possible.

Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:

• Refer to our blog Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself for robust measures to defend against ransomware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. Ransomware attackers often identify unmanaged or legacy systems and use these blind spots to stage attacks.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
• Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
• Use advanced protection against ransomware

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats associated with this activity as the following malware:

• SilverBasket (Win64/Windows)
• MSBuildInlineTaskLoader.C (Script/Windows)
• SuspClfsAccess (Win32/Windows)

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• A process was injected with potentially malicious code
• Potential Windows DLL process injection
• Suspicious access to LSASS service
• Sensitive credential memory read
• Suspicious process injection observed
• File backups were deleted
• Ransomware behavior detected in the file system

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Search for devices having CVE-2025-29814 exposure

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-29814")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Detect CLFS BLF file creation after exploitation of CVE 2025-29824

DeviceFileEvents 
| where FolderPath has "C:\\ProgramData\\SkyPDF\\" and FileName endswith ".blf"

LSSASS process dumping activity

SecurityEvent 
  | where EventID == 4688
  | where CommandLine has("dllhost.exe -accepteula -r -ma lsass.exe") 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer

Ransomware process activity

let cmdlines = dynamic(["C:\\Windows\\system32\\dllhost.exe --do","bcdedit /set {default} recoveryenabled no","wbadmin delete catalog -quiet","wevtutil cl Application"]);
DeviceProcessEvents 
| where ProcessCommandLine has_any (cmdlines)
| project TimeGenerated, DeviceName, ProcessCommandLine, AccountDomain, AccountName

PipeMagic and RansomEXX fansomware domains

let domains = dynamic(["aaaaabbbbbbb.eastus.cloudapp.azure.com","jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion","uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion"]);
DeviceNetworkEvents
| where RemoteUrl has_any (domains)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Indicators of compromise

References

• https://blog.talosintelligence.com/building-bypass-with-msbuild/
• https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-pipemagic-backdoor-attacks-businesses-through-fake-chatgpt-application  
• https://x.com/ESETresearch/status/1899508656258875756

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Exploitation of CLFS zero-day leads to ransomware activity appeared first on Microsoft Security Blog.

Using Security Copilot, we were able to identify potential security issues in bootloader functionalities, focusing on filesystems due to their high vulnerability potential. This approach saved our team approximately a week’s worth of time that would have otherwise been spent manually reviewing the content. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings. This efficient process allowed us to confirm several additional vulnerabilities and extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2. We’re sharing this research as an example of the increased efficiency, streamlined workflows, and improved capabilities that AI solutions like Security Copilot can deliver for defenders, security researchers, and SOC analysts. As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI’s advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors’ attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker. The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities. Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement.

We disclosed these vulnerabilities with the GRUB2, U-boot, and Barebox maintainers and worked with the GRUB2 maintainers to contribute fixes for the discovered vulnerabilities. To address the issues, the GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025. We thank the GRUB2, U-boot, and Barebox maintainers as well as the open-source community for their quick response and collaborative efforts in addressing these issues, and we advise users to ensure their instances are up to date. We would also like to thank the RedHat support team for their assistance in disclosing these issues to manufacturers. The respective vulnerabilities are summarized in the following table:

In this blog, we detail how Secure Boot and GRUB2 function, explain how the GRUB2 vulnerabilities could have been exploited, and provide information on the vulnerabilities found in other open-source bootloaders to highlight the risks associated with unknowingly sharing vulnerable code among different open-source projects. As the boot process involves multiple components spanning different manufacturers and vendors, updates and fixes to the Secure Boot process can be particularly complex and run the risk of rendering a device unusable. As such, we are also sharing these findings with the security community to emphasize the importance of responsible disclosure and collaboration in the effort to enhance protection technologies and security across different devices and platforms.

Secure Boot and GRUB2

Before 2006, Intel-based computers booted into startup firmware code commonly known as the BIOS (Basic Input/Output System), which was responsible for hardware initialization and setup of common services to later be used by a bootloader. Ultimately, the BIOS would transfer control to a bootloader coded in real mode, which would commonly load an operating system (OS).

With time, attackers realized there is no root-of-trust verification of bootloaders by the firmware, thus began the era of bootkits, which are bootloader-based rootkits. To standardize the boot process, a unified firmware schema to replace BIOS was introduced in 2006, which is currently known as the Unified Extensible Firmware Interface (UEFI).

UEFI also helped combat bootkits, as it offers services that validate bootloaders and its own extensible modules by means of digital signatures. That protocol is known as Secure Boot and is essential to establishing a root of trust for the boot process, in which the firmware verifies UEFI drivers and OS modules with a platform key or a Key Exchange Key, and bootloaders verify the loaded operating system.

Trust is then achieved with the help of equipment manufacturers, which can sign code trusted by Secure Boot, by means of Certificate Authorities (CA). Essentially, manufacturers sign code with their private key, and their public key is signed with a root CA, commonly Microsoft’s UEFI CA. This is also essential to supporting non-Windows bootloaders such as GRUB2 (which commonly boots Linux) and allowing third party operating systems to benefit from Secure Boot. Since GRUB2 is fully open-sourced, vendors install a small program called a shim, which is signed by Microsoft’s UEFI CA and is responsible for validating the integrity of GRUB2. The shim can further consult a mechanism called Secure Boot Advanced Targeting (SBAT) for further revocation and management options as SBAT is used by the shim to provide a way to track and revoke individual software components based on metadata rather than cryptographic signatures alone.

The dangers of a GRUB2

Since bootloaders run before operating systems run, they mostly have UEFI-provided services as APIs to rely on. Therefore, bootloaders do not benefit from modern operating system security features, such as:

• No-Execute (NX): Known in Windows as Data Execution Prevention (DEP), and enforces memory page execute protections. Before the introduction of NX, attackers could override return addresses (which are maintained in-memory) and jump to arbitrary code (commonly a shellcode) that could be placed using the provided input.
• Address Space Layout Randomization (ASLR): This feature randomizes the base address of modules, which makes return address overrides and function pointer overrides highly unreliable since attackers do not know where usable code might be found.
• Safe dynamic allocators: Dynamic allocations are a favorite target for attackers, and modern operating systems harden their heap allocators with various techniques, including Safe Unlinking, type-safety, Pointer Authentication, and others.
• Stack cookies / Canaries: These are randomly generated values pushed between the return address and local variables on the stack, with the intent of detecting changes in their values before using the return address (commonly in a RET instruction).

Additionally, GRUB2 offers complex logic to implement various features, including:

• Image file parsers (PNG, TGA, and JPEG)
• Font parsing and support (PF2 file format)
• Network support (HTTP, FTP, DNS, ICMP, etc.)
• Various filesystem supportability (FAT, NTFS, EXT, JFS, HFS, ReiserFS, etc.)
• Bash-like command-line utility
• Extensible dynamic module loading capabilities

Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation. Considering the implication of defeating Secure Boot and strategically assessing the project (such as with Google’s Rule of 2), it is evident why GRUB2 may be of interest to vulnerability researchers.

Several memory corruption vulnerabilities have been uncovered in the past and are evident of the risks that we have mentioned. Noteworthy examples include:

Findings

Through a combination of static code analysis tools (such as CodeQL), fuzzing the GRUB2 emulator (grub-emu) with AFL++, manual code analysis, and using Microsoft Security Copilot, we have uncovered several vulnerabilities.

Using Security Copilot, we initially explored which functionalities in a bootloader have the most potential for vulnerabilities, with Copilot identifying network, filesystems, and cryptographic signatures as key areas of interest. Given our ongoing analysis of network vulnerabilities and the fact that cryptography is largely handled by UEFI, we decided to focus on filesystems.

Using the JFFS2 filesystem code as an example, we prompted Copilot to find all potential security issues, including exploitability analysis. Copilot identified multiple security issues, which we refined further by requesting Copilot to identify and provide the five most pressing of these issues. In our manual review of the five identified issues, we found three were false positives, one was not exploitable, and the remaining issue, which warranted our attention and further investigation, was an integer overflow vulnerability.

We used Security Copilot to successfully identify similar patterns in other GRUB2 files. Assuming the possibility of false negatives, we performed thorough validation and review of GRUB2 to avoid overlooking any issues, allowing us to confirm several additional vulnerabilities were present relating to the integer overflow.

Through this research, we have disclosed the following vulnerabilities:

Most of those vulnerabilities are simple memory corruption vulnerabilities. As an example, let us examine the JFS symbolic link resolution function:

The vulnerability is an overflow of the size variable:

• The size variable is declared as grub_size_t, which is ultimately defined as a 64-bit unsigned integer (uint64_t).
• The function grub_le_to_cpu64 converts a Little-Endian 64-bit value to the CPU’s native Endianess. Since x86-64 is already Little-Endian, it does nothing (on Big-Endian systems it reverses the byte-order of the 64-bit input value).
• Note the input data and its inode are fully attacker-controlled, since they supply the filesystem image. Therefore, size can get an arbitrary value, including the very large value 0xFFFFFFFFFFFFFFFF (which is the maximum value an unsigned 64-bit integer can get).
• The linknest checks are irrelevant for the vulnerability, but they assure the number of nested symbolic links to not exceed a limit (defined as 8).
• The size+1 calculation is an integer overflow—if size is 0xFFFFFFFFFFFFFFFF then size+1 is now 0. Note grub_malloc happily allocates a 0-byte chunk and returns it to the variable symlink.
• At this point, symlink is being written to by the function grub_jfs_read_file. The contents are arbitrarily set by the attacker, and while this function will never be able to read 0xFFFFFFFFFFFFFFFF bytes, an attacker would still be able to override important data beyond the limit of the symlink variable with an arbitrary payload.

It seems GRUB2 maintainers were aware of other types of integer overflow issues in the past and therefore introduced functions such as grub_add and grub_mul to handle addition and multiplication overflows safely. However, it seems there are quite a few places where those functions have not been considered.

The other vulnerabilities we’ve reported had similar out-of-bounds or integer overflow issues. In addition, we have reported a cryptographic side-channel attack issue, in which the function grub_crypto_memcmp does not perform its memory comparison in constant-time. The vulnerability is quite similar to one we disclosed on Netgear routers in the past.

Variant analysis and extensions to other bootloaders

After the discovery of the GRUB2 filesystem vulnerabilities and validating their exploitability, we concluded it is very likely other bootloaders might be affected by similar vulnerabilities, potentially as a result of the practice of copy-pasting filesystem parsing code between different open-source projects.

To test this hypothesis, we asked Security Copilot to find similar code in GitHub based on GRUB2’s filesystem implementations. This approach initially found many GRUB2 forks, so we continued to refine the search and manually review the results. Within those results, the U-boot and Barebox bootloaders, which are both commonly used for embedded systems, were identified as having shared code with GRUB2. Further investigation led us to identify similar vulnerabilities in both bootloaders, as detailed in the table below.

To exploit those in an embedded system context, attackers would most likely require physical access to those devices.

Enhancing security beyond Microsoft with research and threat intelligence sharing

As our research demonstrates, the discovered vulnerabilities can impact a wide range of systems and devices with varying impact. The vulnerabilities in GRUB2 can be exploited to bypass Secure Boot and allow threat actors to gain arbitrary code execution in the context of GRUB2, install stealthy bootkits and persistent malware, and compromise additional devices on the network. Additionally, there are further consequences to bypassing Secure Boot as it undermines the security mechanism designed to protect the boot process. Secure Boot bypasses can lead to threat actors loading untrusted software and malicious code during the boot process, evading detection by security solutions, and gaining full control of the system for potential widespread impact across operating systems relying on UEFI Secure Boot. While the vulnerabilities impacting U-boot and Barebox may be more difficult to exploit for threat actors by requiring physical device access, the issues still underscore the dangers of sharing susceptible code across multiple open-source projects.

This research also demonstrates the necessity of responsible vulnerability disclosure, threat intelligence sharing, and partner collaboration in addressing these issues to safeguard users against current and future threats. Given the complexity of the boot process, which involves multiple components from different manufacturers, coupled with the fact that updates to Secure Boot can run the risk of rendering a device unusable, responsible disclosure of these vulnerabilities is necessary to prevent threat actor exploitation and give teams time to effectively coordinate and collaborate on mitigation measures.

To address the discovered issues, the GRUB2 maintainers updated the vulnerable versions in SBAT while working with manufacturers to update DBX database entries as well as their shims to improve Secure Boot revocation management, particularly for bootloaders like shim that act as an intermediary between firmware Secure Boot verification and Linux distributions boot processes. In addition to deploying patches to address the vulnerabilities, the GRUB2 maintainers disabled some of the OS modules when Secure Boot is enabled to help ensure only trusted and verified code executes during the boot process, further reducing the attack surface. We would like to again thank the GRUB2 team and open-source community for their efforts in addressing these issues, as well as the U-boot and Barebox maintainers for quickly releasing fixes.

Leveraging AI like Security Copilot was invaluable in our research, saving us approximately a week’s worth of time by efficiently identifying and refining security issues in bootloader functionalities, ultimately allowing us to uncover several vulnerabilities. Identifying, disclosing, and contributing fixes for vulnerabilities, such as those mentioned in this blog post, is part of our ongoing commitment to enhance security at Microsoft and beyond. Microsoft is dedicated to improving security through research-driven protections and collaboration with customers, partners, and industry experts. Microsoft security researchers discover vulnerabilities and threats, translating this knowledge into enhanced solutions that protect users daily, and by expanding our research, we also contribute to the security of devices worldwide across all platforms.

Jonathan Bar Or

Microsoft 365 Defender Research Team

References

• https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
• https://www.cve.org/CVERecord?id=CVE-2024-56737
• https://www.cve.org/CVERecord?id=CVE-2024-56738
• https://www.cve.org/CVERecord?id=CVE-2025-0677
• https://www.cve.org/CVERecord?id=CVE-2025-0678
• https://www.cve.org/CVERecord?id=CVE-2025-0684
• https://www.cve.org/CVERecord?id=CVE-2025-0685
• https://www.cve.org/CVERecord?id=CVE-2025-0686
• https://www.cve.org/CVERecord?id=CVE-2025-0689
• https://www.cve.org/CVERecord?id=CVE-2025-0690
• https://www.cve.org/CVERecord?id=CVE-2025-1118
• https://www.cve.org/CVERecord?id=CVE-2025-1125
• https://www.cve.org/CVERecord?id=CVE-2025-26726
• https://www.cve.org/CVERecord?id=CVE-2025-26727
• https://www.cve.org/CVERecord?id=CVE-2025-26728
• https://www.cve.org/CVERecord?id=CVE-2025-26729
• https://www.cve.org/CVERecord?id=CVE-2025-26721
• https://www.cve.org/CVERecord?id=CVE-2025-26722
• https://www.cve.org/CVERecord?id=CVE-2025-26723
• https://www.cve.org/CVERecord?id=CVE-2025-26724
• https://www.cve.org/CVERecord?id=CVE-2025-26725
• https://wiki.osdev.org/BIOS
• https://wiki.osdev.org/Bootloader
• https://d3fend.mitre.org/offensive-technique/attack/T1067/
• https://wiki.osdev.org/UEFI
• https://uefi.org/sites/default/files/resources/UEFI_Plugfest_2013_-_New_Orleans_-_Microsoft_UEFI_CA.PDF
• https://www.gnu.org/software/grub/manual/grub/html_node/UEFI-secure-boot-and-shim.html
• https://github.com/rhboot/shim/blob/main/SBAT.md
• https://theapplewiki.com/wiki/Heap_Hardening
• https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md
• https://nvd.nist.gov/vuln/detail/cve-2020-10713
• https://ubuntu.com/security/CVE-2021-3695
• https://ubuntu.com/security/CVE-2021-3696
• https://ubuntu.com/security/CVE-2021-3697
• https://ubuntu.com/security/CVE-2022-28733
• https://ubuntu.com/security/CVE-2022-28734
• https://ubuntu.com/security/CVE-2022-28735
• https://nvd.nist.gov/vuln/detail/cve-2023-4692
• https://codeql.github.com/
• https://github.com/AFLplusplus/AFLplusplus
• https://wiki.osdev.org/Endianness
• https://wiki.osdev.org/X86-64
• https://www.redhat.com/en/blog/inodes-linux-filesystem
• https://cwe.mitre.org/data/definitions/190.html
• https://cwe.mitre.org/data/definitions/208.html

Learn more

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing open-source bootloaders: Finding vulnerabilities faster with AI appeared first on Microsoft Security Blog.