Critical SharePoint Vulnerability: Hackers Stealing IIS Machine Keys

A critical vulnerability is currently being exploited in Microsoft SharePoint servers, allowing attackers to steal IIS machine keys. This can lead to significant security breaches and potential compromise of your entire SharePoint environment. This blog post will explain the vulnerability, its impact, and provide a step-by-step guide on how to mitigate it.

Hackers Exploiting SharePoint Vulnerability: Secure Yours Now
Understanding the SharePoint Deserialization Vulnerability
The vulnerability, identified as CVE-2025-53770 and CVE-2025-53771, is a remote code execution (RCE) vulnerability that arises from the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server. Attackers can exploit this vulnerability to execute arbitrary code on the server, including stealing sensitive information like the ASP.NET machine keys used by IIS.
These machine keys are crucial for encrypting and decrypting data within the SharePoint environment. If an attacker gains access to these keys, they can potentially decrypt sensitive data, impersonate users, and maintain persistent access to the SharePoint server even after patches are applied.
The Impact of Stolen IIS Machine Keys
Stealing the IIS machine keys allows attackers to:
- Decrypt sensitive data stored within SharePoint.
- Maintain persistent access to the SharePoint server.
- Impersonate users and perform actions on their behalf.
- Compromise other systems that rely on the same machine keys.
Mitigation Steps: Rotating ASP.NET Machine Keys and Restarting IIS
To mitigate this vulnerability, it is crucial to apply the latest security updates from Microsoft. However, applying the updates alone is not sufficient. You must also rotate the ASP.NET machine keys and restart IIS on all SharePoint servers.
- Apply the latest SharePoint security updates. Download and install the updates from the Microsoft Security Response Center (MSRC).
- Rotate the ASP.NET machine keys. Open the SharePoint Management Shell as an administrator and run the following command:
Update-SPMachineKey
- Restart IIS on all SharePoint servers. Open a command prompt as an administrator and run the following command:
iisreset
- Verify the new machine keys are in use. After restarting IIS, ensure that the SharePoint environment is functioning correctly and that the new machine keys are being used.
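The rotation, restart and verification steps above as one script, written here as an added example rather than code from the original post or from Microsoft. It assumes it is run in the SharePoint Management Shell as an administrator on a farm server, that Update-SPMachineKey takes the -WebApplication parameter documented for SharePoint Server 2016, 2019 and Subscription Edition, and that each web application's root URL is reachable from the server with the current user's credentials. The iisreset it issues is local, so the restart still has to be repeated on every server in the farm, as the step above says.

```powershell
# Added example (not from the original post): rotate the ASP.NET machine keys
# on every SharePoint web application, restart IIS locally, then confirm the
# sites still answer. Run in the SharePoint Management Shell as an administrator.
# Assumption: Update-SPMachineKey accepts -WebApplication, as documented for
# SharePoint Server 2016/2019/Subscription Edition.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Every web application in the farm gets a fresh key; a key left unrotated on
# any one of them would still be usable by whoever copied the old key.
$webApps = Get-SPWebApplication

foreach ($app in $webApps) {
    Write-Host "Rotating machine key for $($app.Url)"
    Update-SPMachineKey -WebApplication $app
}

# Restart IIS on this server so every worker process loads the new keys.
# Repeat on each remaining server in the farm.
iisreset

# Verification: the web service is back up and each web application responds.
$w3svc = Get-Service -Name W3SVC
if ($w3svc.Status -ne 'Running') {
    throw "W3SVC is not running after iisreset; investigate before continuing."
}

foreach ($app in $webApps) {
    try {
        $resp = Invoke-WebRequest -Uri $app.Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 60
        Write-Host "$($app.Url) -> HTTP $($resp.StatusCode)"
    }
    catch {
        Write-Warning "$($app.Url) did not respond: $($_.Exception.Message)"
    }
}
```

Run it only after the security update is installed: rotating keys on an unpatched server gives the attacker a chance to read the new keys the same way they read the old ones. A non-200 response or a warning for any web application means that site should be checked before the farm is declared healthy.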
What's Next?
After mitigating the immediate threat, it's essential to implement proactive security measures to prevent future attacks. This includes:
- Regularly applying security updates.
- Implementing strong access controls.
- Monitoring SharePoint server logs for suspicious activity.
- Using a Web Application Firewall (WAF) to protect against web-based attacks.