
Security Advisory: Addressing Critical SharePoint Vulnerabilities with Druva

Nihar Deshpande, Senior Staff Security Researcher

Recent disclosures from the Microsoft Security Response Center (MSRC) highlight the persistent and escalating threat of sophisticated attacks. Druva is issuing this advisory to inform our customers about critical vulnerabilities impacting on-premises SharePoint Servers and to detail how Druva's robust cyber resilience platform, powered by curated threat intelligence, helps you protect your data and accelerate recovery.

High-Level Summary of MSRC Blog: Active Exploitation of SharePoint Vulnerabilities

The Microsoft Security Response Center (MSRC) blog, updated July 23, 2025, details active exploitation of multiple critical vulnerabilities in on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016). These vulnerabilities, CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution), along with the newly disclosed related vulnerabilities CVE-2025-53770 and CVE-2025-53771, are being actively exploited. It's crucial to note that SharePoint Online in Microsoft 365 is not affected.

Microsoft has observed multiple threat actors, including Chinese nation-state actors Linen Typhoon and Violet Typhoon, actively exploiting these vulnerabilities to gain initial access, steal intellectual property, and conduct espionage. More alarmingly, Storm-2603, another China-based threat actor, has been observed leveraging these exploits to deploy Warlock ransomware.

The attack chain typically involves:

  • Initial Access: Exploiting the SharePoint vulnerabilities via crafted POST requests to the ToolPane endpoint, leading to the deployment of web shells like spinstall0.aspx.
  • Post-Exploitation: Using the web shell to conduct command execution (often via w3wp.exe), enumerate user contexts, disable security protections (e.g., Microsoft Defender via registry modifications), and establish persistence through scheduled tasks and malicious IIS assemblies.
  • Action on Objectives: Employing tools like Mimikatz for credential access (LSASS memory dumping), PsExec and Impacket for lateral movement, and ultimately modifying Group Policy Objects (GPOs) to distribute ransomware.

Microsoft strongly urges organizations to apply the latest security updates immediately, enable Antimalware Scan Interface (AMSI) with Full Mode, deploy Microsoft Defender Antivirus/Endpoint, rotate SharePoint Server ASP.NET machine keys, and restart IIS.

Druva's Cyber Resilience: Protecting Your SharePoint Data

At Druva, we understand the critical importance of protecting your sensitive SharePoint data. Our cyber resilience platform is designed to provide comprehensive data protection and rapid recovery, aligning directly with the threats outlined in the MSRC advisory. We continuously curate and update our threat intelligence to proactively identify and mitigate risks.

Druva's Curated IOC Set (Threat Intelligence)

Druva's threat intelligence team has released a new Indicators of Compromise (IOC) set (SharePoint / ToolShell), built from the indicators provided by MSRC, including:

  • File Hashes (SHA-256) of observed web shells and malicious tools:
    • 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx and variants)
    • 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf (web shell)
    • Various hashes associated with IIS_Server_dll.dll (Storm-2603 IIS Backdoor)
    • d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d (SharpHostInfo.x64.exe)
    • 62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea (xd.exe)

These curated IOCs are continuously updated and integrated into Druva's platform, empowering our features to provide advanced threat detection and secure recovery.

How Druva Features Utilize These IOCs

Druva leverages these curated IOCs across various features to enhance your data protection and recovery posture:

  • Druva Curated Snapshot: Our intelligent snapshot technology, combined with our threat intelligence, plays a crucial role. Before creating a snapshot, Druva can perform pre-scan checks against the latest IOCs. This helps to identify and potentially flag suspicious activity or known malicious files before they are included in a snapshot, ensuring the integrity of your backup copies. This pre-scan adds an extra layer of confidence in the cleanliness of your backups.
  • Druva Restore Scan: This is where Druva truly shines in the face of a ransomware attack like the Warlock deployment observed by MSRC. Before any data is restored, Druva's Restore Scan actively scans your backup data against our continuously updated threat intelligence, including all the hashes, filenames, and patterns associated with the SharePoint vulnerabilities and subsequent ransomware. If malicious files or patterns are detected, you'll be alerted, allowing you to:
    • Quarantine suspected files: Prevent the reintroduction of infected data into your primary environment.
    • Select a clean recovery point: Druva allows you to easily browse through multiple historical recovery points, helping you pinpoint a "last known good" state before the compromise occurred, significantly reducing recovery time and minimizing data loss.
    • Granular recovery: Restore only the clean, uninfected data, leaving behind any malicious artifacts.
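The IOC set above and the Restore Scan workflow both come down to the same check: hash every file in a candidate recovery point, compare against the curated SHA-256 list, and fall back to the weaker filename indicators, then pick the newest recovery point with no hits. The following is an added example written for this advisory, not Druva's product code or its scanning logic; it uses only the hashes and filenames quoted above, builds a constructed two-recovery-point directory tree in a temp folder, and plants a harmless marker file (labelled as constructed) whose hash is appended to a copy of the IOC set so that a hash hit can be shown offline.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators exactly as listed in the advisory's MSRC-provided set.
KNOWN_BAD_SHA256 = {
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514": "spinstall0.aspx web shell (and variants)",
    "24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf": "web shell",
    "d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d": "SharpHostInfo.x64.exe",
    "62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea": "xd.exe",
}

# Filenames named in the advisory. A name match is weaker evidence than a hash
# match (the file may be renamed or benign), so it is reported separately.
KNOWN_BAD_NAMES = {"spinstall0.aspx", "iis_server_dll.dll", "sharphostinfo.x64.exe", "xd.exe"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large backup artifacts are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_hashes=None, bad_names=None):
    """Walk root and return findings as (path, reason, detail), sorted by path.

    reason is "hash" for a SHA-256 match (strong) or "name" for a filename
    match with no hash match (weak, worth a manual look)."""
    bad_hashes = KNOWN_BAD_SHA256 if bad_hashes is None else bad_hashes
    bad_names = KNOWN_BAD_NAMES if bad_names is None else bad_names
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_of_file(path)
        if digest in bad_hashes:
            findings.append((str(path), "hash", bad_hashes[digest]))
        elif path.name.lower() in bad_names:
            findings.append((str(path), "name", path.name))
    return findings


def pick_clean_recovery_point(points, bad_hashes=None, bad_names=None):
    """Given recovery point directories ordered newest-first, return the first
    one with no findings ("last known good"), or None if every point has hits."""
    for point in points:
        if not scan_tree(point, bad_hashes, bad_names):
            return point
    return None


def run_demo():
    """Constructed data: two recovery points; the newer one carries a planted
    marker file named like the advisory's web shell. Returns the scan results."""
    base = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    newer = base / "rp_2025-07-23"
    older = base / "rp_2025-07-10"
    for point in (newer, older):
        (point / "LAYOUTS").mkdir(parents=True)
        (point / "LAYOUTS" / "default.aspx").write_bytes(b"<%@ Page %>\n")
    planted = newer / "LAYOUTS" / "spinstall0.aspx"
    planted.write_bytes(b"constructed marker file, not a real web shell\n")

    # Constructed: extend a copy of the IOC set with the marker's hash so the
    # demo can show a hash hit without needing any real malicious file.
    extended = dict(KNOWN_BAD_SHA256)
    extended[sha256_of_file(planted)] = "constructed planted marker"

    return {
        "newer_hash_hits": scan_tree(newer, extended),   # strong: hash match
        "newer_name_only": scan_tree(newer),             # page hashes only: name match
        "older_hits": scan_tree(older),                  # clean point
        "chosen": pick_clean_recovery_point([newer, older], extended),
        "older": older,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ordering matters for the recovery decision: walking recovery points newest-first and stopping at the first clean one gives the most recent "last known good" state, which is what minimises data loss; a point with only name-based hits should be reviewed rather than auto-selected, since the hash set is the authoritative indicator.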

Call to Action for Druva Customers

While Druva provides robust data protection, it's essential to complement this with proactive security measures within your SharePoint environment:

1. Prioritize Patching: Immediately apply the latest security updates released by Microsoft for all supported on-premises SharePoint Server versions. This is the most critical first step to prevent exploitation.

2. Harden SharePoint Servers: Implement Microsoft's recommendations:

  • Ensure AMSI is enabled in Full Mode and integrated with your Antivirus solution (e.g., Microsoft Defender Antivirus).
  • Deploy Microsoft Defender for Endpoint or an equivalent EDR solution.
  • Rotate SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers.

3. Implement Incident Response Plan: Review and test your incident response plan to ensure you can effectively respond to a potential breach, including utilizing Druva's recovery capabilities.

4. Leverage Druva's Capabilities:

  • Regularly verify your Druva backup jobs are completing successfully.
  • Familiarize yourself with Druva Restore Scan to understand its capabilities for identifying and preventing the reintroduction of malicious files.
  • Ensure anomaly detection is configured and alerts are monitored.

The threat of ransomware and targeted attacks on critical infrastructure like SharePoint is real and evolving. By combining Microsoft's recommended mitigations with Druva's advanced cyber resilience platform, you can significantly enhance your organization's ability to withstand and recover from even the most sophisticated attacks.

Have questions about how Druva can further strengthen your defense against these threats? Reach out to your Druva account representative or our support team for guidance.