CVE-2021-28474

CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict https://t.co/zFUNFkXDW8?amp=1 #CVE #ZDI #SharePoint

CVE-2021-28474: SHAREPOINT REMOTE CODE EXECUTION VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT #infosec #cybersec #security

The vuln CVE-2021-28474 has a tweet created 0 days ago and retweeted 7 times. /thezdi/status/1413190321878470665 #Sz6yub6yphr75g

Top story: Zero Day Initiative — CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict https://t.co/xtv7rxceXc?amp=1, see more https://t.co/ko9xA6j4Lb?amp=1

CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict https://t.co/XI5eKmbJpw?amp=1 #SharePoint #CVE #RCE #Infosec

Zero Day Initiative — CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict

Zero Day Initiative — CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict

CVE-2021-28474: #SharePoint #RCE via Server-Side Control Interpretation Conflict

Zero Day Initiative - CVE-2021-28474: SharePoint Remote Code Execut... (Zero Day Initiative) In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code executio... Add your highlights: https://t.co/swkkXi93J8?amp=1 #infosec #informati...

rst_cloud

#threatreport #MediumCompleteness SharePoint 0-day uncovered (CVE-2025-53770) | 19-07-2025 Source: https://t.co/Yo5h5GuSCi Key details below ↓ Threats: Toolshell_vuln, Sharpyshell, Ysoserial_tool, Geo: Berlin CVEs: CVE-2025-49706 \[[Vulners](https://t.co/Qjp9KKaTAZ)] - CVSS V3.1: *6.3*, - Vulners: Exploitation: Unknown Soft: - microsoft sharepoint_enterprise_server (2016) - microsoft sharepoint_server (<16.0.18526.20424, 2019) CVE-2025-53770 \[[Vulners](https://t.co/31MMkNQ5vW)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2025-49704 \[[Vulners](https://t.co/rx0kAkNx6v)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: Unknown Soft: - microsoft sharepoint_server (2016, 2019) CVE-2025-53771 \[[Vulners](https://t.co/Coz7lO3eeG)] - CVSS V3.1: *6.3*, - Vulners: Exploitation: Unknown CVE-2021-28474 \[[Vulners](https://t.co/u1zbrtRZlN)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: Unknown Soft: - microsoft sharepoint_foundation (2013) - microsoft sharepoint_server (2016, 2019) LLM extracted TTPs:` T1005, T1059.006, T1071.001, T1078, T1190, T1505.003, T1546.008, T1552.002, T1556.003, T1559.001, ... IOCs: - File: 13 - Command: 1 - Hash: 1 - Coin: 1 - IP: 4 Software: ADFS, SharePoint server, Azure AD, https://t.co/K92rFFOopr, curl, SharePoint server https://t.co/K92rFFOopr, Outlook Algorithms: base64, sha256 Functions: Set-Content, GetType, GetMethod Programming Languages: powershell Platforms: x64 #threatreport: On July 18, 2025, a significant exploitation of newly discovered remote code execution (RCE) vulnerabilities in SharePoint on-premises servers was initiated, identified by Eye Security and later classified by Microsoft as CVE-2025-53770 and CVE-2025-53771. The exploitation method was discovered through a suspicious process chain alert related to an uploaded malicious .aspx file, which pointed to an unauthenticated remote code execution vulnerability rather than a credential-based attack. The affected SharePoint server utilized hybrid ADFS and was improperly configured, creating a window for exploitation. Investigations revealed that this zero-day vulnerability stemmed from a chain of previously identified bugs demonstrated by Code White GmbH, broken down into two specific vulnerabilities presented at Pwn2Own Berlin: CVE-2025-49706 and CVE-2025-49704. The exploit, dubbed ToolShell, allowed attackers to extract cryptographic secret keys from the SharePoint server through a specially crafted file (spinstall0.aspx) that did not function as a typical web shell but instead invoked internal .NET methods to access sensitive data. The ToolShell exploit capitalizes on SharePoint’s handling of deserialized data via the __VIEWSTATE parameter, which allows attackers to create maliciously signed payloads after obtaining the ValidationKey—a critical piece of data necessary for authenticating user requests. By leaking this key, attackers can generate valid tokens that enable RCE without relying on stolen credentials, effectively bypassing authentication mechanisms such as MFA or SSO. This approach echoes vulnerabilities identified earlier in CVE-2021-28474 but packaged into a contemporary exploit chain with improved stealth and persistence. In response to these findings, Microsoft acknowledged the vulnerability's active exploitation in the wild and has begun providing patches for some SharePoint versions. However, it is emphasized that merely applying patches is insufficient; administrators must also rotate cryptographic keys used by SharePoint servers to fully mitigate potential threats, as compromised keys could allow attackers to continue their operations even post-patching. Given the urgent nature of this vulnerability, defenders are urged to act immediately, implementing remediation steps and validating their systems against this ongoing risk. The attack focused specifically on extracting https://t.co/K92rFFOopr machine keys, which can facilitate continued unauthorized access to the SharePoint environment and create opportunities for lateral movement throughout the network, potentially compromising interconnected services like Outlook, Teams, and OneDrive.