Bivash Nayak
24 Jul

Two vulnerabilities in on-premises Microsoft SharePoint Server, CVE-2025-53770 (deserialization of untrusted data leading to unauthenticated remote code execution, CVSS 9.8) and CVE-2025-53771 (path traversal leading to spoofing, CVSS 6.5), are under active exploitation in a campaign publicly tracked as ToolShell. Early intrusions were espionage-oriented and deployed the spinstall0.aspx webshell; as of July 18, 2025, Microsoft has observed the China-based actor Storm-2603 using the same access to deploy Warlock ransomware. Microsoft confirmed exploitation as early as July 7, 2025, against organizations worldwide, including government and critical infrastructure. SharePoint Online (Microsoft 365) is not affected; unpatched on-premises instances remain at high risk. Microsoft's remediation guidance, echoed by CISA and Singapore's CSA, stresses immediate patching, rotation of the ASP.NET machine keys, and AMSI enablement. No loss of classified data has been reported, but disruptions and ransomware infections have hit sectors including energy and finance.

Key facts from reports:

  • Vulnerability details: CVE-2025-53770 gives an unauthenticated attacker code execution through unsafe deserialization; in observed attacks it is chained with CVE-2025-53771 (path traversal / spoofing) to reach the vulnerable code path without authentication. Both are bypasses of the July Patch Tuesday fixes for CVE-2025-49704 and CVE-2025-49706. Exploitation drops a malicious .aspx file (spinstall0.aspx) into the SharePoint LAYOUTS directory. Rather than a classic command shell, it reads and returns the server's ASP.NET MachineKey (ValidationKey and DecryptionKey); with those keys an attacker can forge signed __VIEWSTATE payloads and regain code execution even after the patch is applied, which is why key rotation is a mandatory remediation step and not an optional hardening measure.
  • Exploitation timeline: attacks began on July 7, 2025; Microsoft began shipping out-of-band patches on July 19. The first actors identified were the Chinese state-sponsored groups Linen Typhoon (APT27) and Violet Typhoon (APT31), conducting espionage. Escalation: Storm-2603 deployed Warlock ransomware from July 18, pushing it to domain-joined machines through modified Group Policy Objects (GPOs). In Microsoft's words: "Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities."
  • Impact and targets: public estimates put the number of breached organizations at roughly 85 to 100 worldwide, with underreporting likely; reported victims include the U.S. National Nuclear Security Administration (NNSA) and organizations in energy, telecom and healthcare. Ransomware adds extortion and outage risk on top of the initial data exposure; no classified data is reported lost, but sensitive infrastructure was compromised.
  • Response and mitigations: Microsoft released out-of-band updates for all supported versions (for example KB5002754 for SharePoint Server 2019); CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, obliging federal agencies to remediate. Remediation steps, in order: apply the patches; enable AMSI integration and Defender Antivirus (or an equivalent EDR) on every SharePoint server; rotate the ASP.NET machine keys (Set-SPMachineKey in PowerShell, or the Machine Key Rotation timer job in Central Administration); run iisreset on every server in the farm; then hunt for IOCs such as spinstall0.aspx (SHA-256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514). Patching alone is not sufficient: keys stolen before the patch remain valid until they are rotated. If a server cannot be patched, isolate it from the internet. Microsoft's statement: "Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771."
Summary by aspect (CVE-2025-53770 | CVE-2025-53771 | Recommendations):

  • Type: Deserialization RCE (CVSS 9.8) | Path traversal / spoofing (CVSS 6.5) | Apply the out-of-band patches immediately; enable AMSI in Full Mode.
  • Affected versions: SharePoint Server 2016, 2019 and Subscription Edition (on-premises only) | Same versions | Rotate the machine keys after patching; run iisreset on all servers.
  • Exploitation: Unauthenticated RCE used to drop spinstall0.aspx and steal the MachineKey | Patch bypass providing the spoofing / authentication bypass that leads to the RCE | Deploy EDR such as Defender for Endpoint; hunt with the published queries.
  • Actors / impact: Chinese state-sponsored actors (espionage); Storm-2603 (ransomware) | Enables the chain that escalates to Warlock ransomware | If patching is impossible, disconnect the server from the internet or front it with a VPN or authenticating proxy.
  • IOCs: Webshells (spinstall0.aspx, SHA-256 92bb4ddb...); unexpected .js and .dll files under the SharePoint hive | GPO modifications used to distribute the ransomware | Scan for IOCs with Sysmon / EDR; alert on unusual child processes of the IIS worker process (w3wp.exe).
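The IOC hunt recommended above, as an added PowerShell example written for this page (it is not the post's own script and not Microsoft's published tooling). It checks three things on a SharePoint front-end: .aspx files in the LAYOUTS hives that match the published spinstall0.aspx hash, carry a spinstall* name or were written recently; IIS log entries for the exploit request pattern from Microsoft's public guidance (a POST to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, which a browser never sends on its own); and Sysmon process-creation events where w3wp.exe spawned a shell. The hive paths, the IIS log root and the 30-day lookback are default-installation assumptions and should be adjusted for your farm.

```powershell
# Added example, not code from the original post or from Microsoft.
# Run in an elevated PowerShell on every SharePoint server in the farm.
# Paths and lookback below are assumptions for a default installation.

$SharePointHives = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)
$IisLogRoot   = 'C:\inetpub\logs\LogFiles'
$LookbackDays = 30

# SHA-256 published by Microsoft for spinstall0.aspx (quoted in the post above).
$KnownBadHashes = @{
    '92BB4DDB98EEAF11FC15BB32E71D0A63256A0ED826A03BA293CE3A8BF057A514' = 'spinstall0.aspx ToolShell webshell'
}

function Find-ToolShellFiles {
    # LAYOUTS should only change when a patch or solution is deployed, so a
    # recently written .aspx there is suspicious even if its hash is unknown.
    $since = (Get-Date).AddDays(-$LookbackDays)
    foreach ($hive in $SharePointHives) {
        if (-not (Test-Path -Path $hive)) { continue }
        Get-ChildItem -Path $hive -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $reasons = @()
                if ($KnownBadHashes.ContainsKey($hash)) { $reasons += "known hash: $($KnownBadHashes[$hash])" }
                if ($_.Name -like 'spinstall*.aspx')     { $reasons += 'spinstall* file name' }
                if ($_.LastWriteTime -gt $since)          { $reasons += "written $($_.LastWriteTime)" }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{ Path = $_.FullName; SHA256 = $hash; Reason = ($reasons -join '; ') }
                }
            }
    }
}

function Find-ToolShellRequests {
    # W3C IIS logs put cs-method and cs-uri-stem next to each other, so the
    # exploit shows up as "POST /_layouts/15/ToolPane.aspx"; the forged
    # SignOut.aspx Referer is further along the same line. Select-String is
    # case-insensitive by default.
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-ChildItem -Path $IisLogRoot -Filter '*.log' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-String -Pattern 'POST\s+\S*/_layouts/1[56]/ToolPane\.aspx' |
        Where-Object { $_.Line -match 'SignOut\.aspx' } |
        ForEach-Object {
            [pscustomobject]@{ LogFile = $_.Path; Line = $_.LineNumber; Entry = $_.Line }
        }
}

function Find-W3wpShellChildren {
    # Sysmon Event ID 1: the IIS worker process spawning cmd/powershell is the
    # post-exploitation step that precedes key theft and ransomware staging.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentImage'] -like '*\w3wp.exe' -and
            $data['Image'] -match '\\(cmd|powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

$files    = @(Find-ToolShellFiles)
$requests = @(Find-ToolShellRequests)
$procs    = @(Find-W3wpShellChildren)

"Suspicious LAYOUTS files : $($files.Count)";    $files    | Format-Table -AutoSize
"ToolPane exploit requests: $($requests.Count)"; $requests | Format-Table -AutoSize
"w3wp.exe shell children  : $($procs.Count)";    $procs    | Format-Table -AutoSize

if ($files.Count -gt 0 -or $requests.Count -gt 0 -or $procs.Count -gt 0) {
    # A hit means the MachineKey must be treated as stolen: patching alone will
    # not stop an attacker who already holds the keys.
    Write-Warning 'Indicators found. Patch, rotate the machine keys (Set-SPMachineKey), then iisreset on every server.'
}
```

A clean result from this script is not proof of a clean server: an attacker who captured the machine keys before the patch can return with a forged __VIEWSTATE request that leaves no webshell on disk, so the key rotation and iisreset steps should be performed on every farm that was exposed, not only on those with hits.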

This escalation from espionage to ransomware shows how quickly a patch bypass in a legacy on-premises product can be turned into an extortion campaign. For the full remediation procedure, hunting queries and IOC lists, refer to Microsoft's customer guidance and CISA's alert.
