Author: itwadmin-security

 ​Note: This Alert may be updated to reflect new guidance issued by CISA or other parties. 

CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service. 

While Microsoft has stated there is no observed exploitation as of the time of this alert’s publication, CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.  

If using Exchange hybrid, review Microsoft’s guidance Exchange Server Security Changes for Hybrid Deployments to determine if your Microsoft hybrid deployments are potentially affected and available for a Cumulative Update (CU). 

Install Microsoft’s April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and follow Microsoft’s configuration instructions Deploy dedicated Exchange hybrid app.  

For organizations using Exchange hybrid (or have previously configured Exchange hybrid but no longer use it), review Microsoft’s Service Principal Clean-Up Mode for guidance on resetting the service principal’s keyCredentials.  

Upon completion, run the Microsoft Exchange Health Checker to determine if further steps are required.  

CISA highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be discontinued if still in use.   

Organizations should review Microsoft’s blog Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions for additional guidance as it becomes available. 

Disclaimer:   

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.   

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties. 

 Read More

 ​CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to Microsoft SharePoint vulnerabilities:

CVE-2025-49704 [CWE-94: Code Injection],
CVE-2025-49706 [CWE-287: Improper Authentication],
CVE-2025-53770 [CWE-502: Deserialization of Untrusted Data], and
CVE-2025-53771 [CWE-287: Improper Authentication]

Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as “ToolShell”) to gain unauthorized access to on-premises SharePoint servers. CISA analyzed six files including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.  
CISA added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities Catalog on July 22, 2025, and CVE-2025-53770 on July 20, 2025.
CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this MAR to identify malware.
Downloadable copy of IOCs associated with this malware:

MAR-251132.c1.v1.CLEAR_stix2
(JSON, 84.95 KB
)

Downloadable copies of the SIGMA rule associated with this malware:

CMA SIGMA 251132 1
(YAML, 4.22 KB
)

CMA SIGMA 251132 2
(YAML, 2.86 KB
)

CMA SIGMA 251132
(YAML, 5.55 KB
)

For more information on the malware files and YARA rules for detection, see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.
Disclaimer:  
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.  

CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to Microsoft SharePoint vulnerabilities:

• CVE-2025-49704 [CWE-94: Code Injection],
• CVE-2025-49706 [CWE-287: Improper Authentication],
• CVE-2025-53770 [CWE-502: Deserialization of Untrusted Data], and
• CVE-2025-53771 [CWE-287: Improper Authentication]

Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as “ToolShell”) to gain unauthorized access to on-premises SharePoint servers. CISA analyzed six files including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.  

CISA added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities Catalog on July 22, 2025, and CVE-2025-53770 on July 20, 2025.

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this MAR to identify malware.

Downloadable copy of IOCs associated with this malware:

Downloadable copies of the SIGMA rule associated with this malware:

For more information on the malware files and YARA rules for detection, see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.

Disclaimer:  

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 

 Read More

 ​Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:CLEAR–Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description
CISA received six files related to Microsoft SharePoint vulnerabilities: CVE-2025-49704 [CWE-94: Code Injection], CVE-2025-49706 [CWE-287: Improper Authentication], CVE-2025-53770 [CWE-502: Deserialization of Trusted Data], and CVE-2025-53771 [CWE-287: Improper Authentication]. According to Microsoft, cyber threat actors have chained CVE-2025-49706 (a network spoofing vulnerability) and CVE-2025-49704 (a remote code execution (RCE) vulnerability) in an exploit chain known as “ToolShell” to gain unauthorized access to on-premise SharePoint servers. Microsoft has not confirmed exploitation of CVE-2025-53771; however, CISA assesses exploitation is likely because it can be chained with CVE-2025-53770 to bypass previously disclosed vulnerabilities CVE-2025-49704 and CVE-2025-49706. The analysis includes two Base64 encoded .NET Dynamic-link Library (DLL) binaries and four Active Server Page Extended [ASPX] files. The decoded DLLs are designed to retrieve machine key settings within an ASP[.]NET application’s configuration and add the retrieved machine key values to the Hypertext Transfer Protocol (HTTP) response header. The first ASPX file is used to retrieve and output machine key information from an ASP[.]NET application’s configuration. The next ASPX file contains a command-line instruction used to execute a PowerShell command. The PowerShell command is designed to Base64 decode and install a malicious ASPX webshell on disk. The webshell is used to handle various web-related operations, including setting and retrieving HTTP cookies, command execution and uploading files. The remaining two ASPX webshells are used to execute a command using PowerShell on the server. CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify malware samples. For more information on these CVEs, see CISA Alert Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities.
Download the PDF version of this report:

MAR-251132.c1.v1
(PDF, 2.03 MB
)

For a downloadable copy of IOCs associated with this MAR, see:

MAR-251132.c1.v1.CLEAR_stix2
(JSON, 84.95 KB
)

For a downloadable copy of the SIGMA rules associated with this MAR, see version in .pdf or .yaml format: 

CMA_SIGMA_251132_CVE_2025_53770_ToolShell_IOCs
(PDF, 42.50 KB
)

CMA SIGMA 251132
(YAML, 5.55 KB
)

CMA_SIGMA_251132_1_CVE_2025_53770_ToolShell
(PDF, 41.03 KB
)

CMA SIGMA 251132 1
(YAML, 4.22 KB
)

CMA_SIGMA_251132_2_CVE_2025_53770_ToolShell
(PDF, 39.79 KB
)

CMA SIGMA 251132 2
(YAML, 2.86 KB
)

Submitted Files (6)
3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 (osvmhdfl.dll)
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 (stage3.txt)
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 (info3.aspx)
d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170 (spinstallp.aspx)
d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00 (spinstallb.aspx)
Additional Files (2)
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc (info3.aspx)
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 (bjcloiyq.dll)

Findings

60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7
Details

Name
stage3.txt

Size
15893 bytes

Type
ASCII text, with very long lines

MD5
921ac86b258fa9ea3da4c39462bad782

SHA1
b8662c8cc9e383b4a0ac980e0fd94941fe12c31d

SHA256
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7

SHA512
6fd128a33e432d8fd5ea5dcf419a0b90f09648d7b4b95ceb6a5634fc01d8e0613d6d231bc038e2796f6a4d8fc277ebbea7b90ab773c0020dd2ad67149e52e4ff

ssdeep
384:AQG6NVJiZbXhKth3s0bA2rhvhundOXz5D:AQG6NVJmbX0h3zs21vsndO

Entropy
4.902435

Antivirus
No matches found.
YARA Rules

rule CISA_251132_01 : steals_authentication_credentials exfiltrates_data{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250724_721”       actor = “n/a”       family = “n/a”       capabilities = “steals-authentication-credentials exfiltrates-data”       malware_type = “unknown”       tool_type = “unknown”       description = “Detects Encoded .Net DLL samples”       sha256_1 = “60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7”   strings:       $s0 = { 4E 62 32 52 6C 41 46 4E 30 63 6D 6C 75 5A 77 42 44 62 32 35 6A 59 58 51 }       $s1 = { 41 45 41 55 77 42 30 41 48 49 41 61 51 42 75 41 47 63 41 52 67 42 70 41 }       $s2 = { 59 58 52 76 63 6D 41 79 57 31 74 54 65 58 4E 30 5A 57 30 75 51 6E 6C 30 }       $s3 = { 4A 7A 61 57 39 75 50 54 51 75 4D 43 34 77 4C 6A 41 73 49 45 4E 31 62 48 }       $s4 = { 43 42 57 5A 58 4A 7A 61 57 39 75 50 54 51 75 4D 43 34 77 4C 6A 41 73 49 }       $s5 = { 4D 54 6B 7A 4E 47 55 77 4F 44 6C 64 58 53 42 48 5A 58 52 46 62 6E 56 74 }       $s6 = { 5A 58 4A 68 64 47 39 79 4B 43 6B 49 41 41 41 41 43 67 46 }       $s7 = { 54 65 58 4E 30 5A 57 30 75 52 6E 56 75 59 32 41 79 57 31 }       $s8 = { 74 54 65 58 4E 30 5A 57 30 75 51 32 39 73 62 47 56 6A 64 47 6C 76 62 6E 4D 75 52 }   condition:       all of them} 

SIGMA Rule
## CISA Code & Media Analysis ##                            ############ README ############### ## Edit rules and queries as needed for your hunt and based on your environment. ## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query. ## Do not edit “logsource-product:” unless you are editing this rule to meet specific logsources/fields and know your environment. ## TLP GREEN + Please use local installation of Sigma to convert this rule. ## TLP CLEAR may convert rules using online converter of choice.                            ################################### title: Detects ToolShell CVE-2025-53770 Exploitation IOCs and Activity incident: 251133.r1 tlp: CLEAR id: aba8967f-6613-47a8-87d1-e5d7aae31e9b status: test description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Previous related CVEs are CVE-2025-49706 and CVE-2025-49704. CVE-2025-53770 is new and stealthy webshell called SharpyShell, that extracts and leaks cryptographic secrets from the SharePoint server using a simple GET request. references:    – https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770    – https://research.eye.security/sharepoint-under-siege/    – https://x.com/codewhitesec/status/1944743478350557232/photo/1    – 251132.r1 author: CISA Code & Media Analysis date: 2025-07-21 modified: 2025-07-22 tags:    – cve.2025.53770 logsource:    product: cma detection:    keywords:        – ’92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514′                – ‘107.191.58.76’        – ‘104.238.159.149’        – ‘96.9.125.147’        – ‘Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx’        – ‘-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0’        – ‘TEMPLATELAYOUTSspinstall0.aspx’                – ‘/_layouts/15/ToolPane.aspx DisplayMode=Edit’        – ‘/_layouts/15/spinstall0.aspx’        – ‘spinstall’        – ‘yoserial’    keywords_1:        – ‘POST’        – ‘GET’    keywords_2:        – ‘/_layouts/15/ToolPane.aspx’    keywords_3:        – ‘DisplayMode=Edit’    keywords_4:        – ‘POST’        – ‘GET’        – ‘curl’                  keywords_5:        – ‘/_layouts/’        – ‘layouts’      keywords_6:        – ‘ToolPane.aspx’        – ‘SignOut.aspx’        – ‘spinstall’        – ‘info3.aspx’    keywords_7:        – ‘HTTP’    keywords_8:        – ‘X-TXT-NET’    keywords_9:        – ‘.exe’    keywords_10:        – ‘-ap’    keywords_11:        – ‘SharePoint’    keywords_12:        – ‘8080’    keywords_13:        – ‘.dll’    keywords_14:        – ‘pipe’    keywords_15:        – ‘inetpub’    keywords_16:        – ‘config’    keywords_17:        – ‘ysoserial’    keywords_18:        – ‘ViewState’    keywords_19:        – ‘TypeConfuseDelegate’    keywords_20:        – ‘powershell’    keywords_21:        – ‘-EncodedCommand’    keywords_22:        – ‘BiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0’        – ‘base64String=’    keywords_23:        – ‘BkAGUAYwBvAGQAZQBk’        – ‘decoded’    keywords_24:        – ‘BGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBn’        – ‘FromBase64String’    keywords_25:        – ‘cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHg’        – ‘AuAGEAcwBwAHg’        – ‘spinstall0.aspx’        – ‘.aspx’    keywords_26:        – ‘V3JpdGUoY2cuVm’    keywords_27:        – ‘bisifCIrY2cuRG’        keywords_28:        – ‘mFsaW’    condition: keywords or keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 or keywords_9 and keywords_10 and keywords_11 and keywords_12 and keywords_13 and keywords_14 and keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23 and keywords_24 and keywords_25 or keywords_26 and keywords_27 and keywords_28 falsepositives:    – Rate of FP moderate with some strings.    – Use this rule in an infected environment/logs.    – Analyst may need to make adjustments to the query as required. level: critical
ssdeep Matches
No matches found.
Relationships

60a37499f9…
Contains
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72

Description
This artifact is a data file containing the Base64 encoded .NET DLL “bjcloiyq.dll” (bee94b93c1…).
Screenshots

Figure 1 – Screenshot of a snippet of the data file.

bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72
Details

Name
bjcloiyq.dll

Size
10813 bytes

Type
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

MD5
0e36ecda6fc4b5661f9a181984a53bb5

SHA1
3a438b239d8451b8e12e9cdd3c24d1240dd758c9

SHA256
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72

SHA512
033f215fde36025a7ce434daddb70304d1e56f2dd2600e18a44d0af825a348fda388ee8fb1d684c2cdd006cdf042005bb26ab67cdf6c5eaac331650ea0ab9422

ssdeep
192:fJhh81DzgDZnSxPKgL6YBAxmrFMxmrFARmrF9RmrFj4U0QiKpM9aMg3AxmrFaxmi:xhh81Dz4pSxPKg2YBAxeFMxeFAReF9RL

Entropy
4.986214

Antivirus
No matches found.
YARA Rules

rule CISA_251132_02 : steals_authentication_credentials exfiltrates_data{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250724_721”       actor = “n/a”       family = “n/a”       capabilities = “steals-authentication-credentials exfiltrates-data”       malware_type = “unknown”       tool_type = “unknown”       description = “Detects .Net DLL payload samples”       sha256_1 = “bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72”   strings:       $s0 = { 62 6A 63 6C 6F 69 79 71 2E 64 6C 6C }       $s1 = { 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E 00 54 79 70 65 }       $s2 = { 67 65 74 5F 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 }       $s3 = { 67 65 74 5F 43 75 72 72 65 6E 74 00 48 74 74 70 52 65 73 70 6F 6E 73 65 }       $s4 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 }       $s5 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E }       $s6 = { 53 79 73 74 65 6D 2E 57 65 62 2E 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E }   condition:       all of them} 

SIGMA Rule
## CISA Code & Media Analysis ##                            ############ README ############### ## Edit rules and queries as needed for your hunt and based on your environment. ## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query. ## Do not edit “logsource-product:” unless you are editing this rule to meet specific logsources/fields and know your environment. ## TLP GREEN + Please use local installation of Sigma to convert this rule. ## TLP CLEAR may convert rules using online converter of choice.                            ################################### title: Detects CVE-2025-53770 IOCs and Activity Based on Submitted Files 251132.r2 incident: 251133.r2 tlp: CLEAR id: a9327942-4cf7-48e4-9ea4-ad0b54db4bf7 status: test description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Detects IOCs and Activity Based on Submitted Files 251132.r2. references:    – 251132.r2 author: CISA Code & Media Analysis date: 2025-07-23 modified: 2025-07-23 tags:    – cve.2025.53770 logsource:    product: cma detection:    keywords_1:        – ‘CVAUGFnZSBMYW5ndWFnZT0i’        – ‘%@Page Language=”‘    keywords_2:        – ‘Jwb3dlcnNoZWxsLmV4ZS’        – ‘powershell.exe’    keywords_3:        – ‘ItZW5j’        – ‘-enc’        – ‘LUVuY29kZWRDb21tYW5k’        – ‘-EncodedCommand’    keywords_4:        – ‘0Jhc2U2NFN0cmluZy’        – ‘Base64String’    keywords_5:        – ‘FJlcXVlc3QuRm9ybV’        – ‘Request.Form’    keywords_6:        – ‘sicCJ’        – ‘”p”‘    keywords_7:        – ‘*.exe’    keywords_8:        – ‘powershell*’    keywords_9:        – ‘-Command’    keywords_10:        – ‘Get-ChildItem’        – ‘ForEach-Object’    keywords_11:        – ‘*TEMPLATELAYOUTS*’    keywords_12:        – ‘*.exe’    keywords_13:        – ‘certutil*’    keywords_14:        – ‘-decode’    keywords_15:        – ‘c:progra~1common~1micros~1webser~116templatelayoutsowaresources*’        – ‘c:progra~1common~1micros~1webser~116templatelayouts*’        – ‘templatelayouts*’        – ‘templatelayoutsowa*’    keywords_16:        – ‘*.aspx’        – ‘*.txt’    keywords_17:        – ‘*TEMPLATELAYOUTS*’    keywords_18:        – ‘spinstall*’    keywords_19:        – ‘*.aspx’    condition: keywords_1 and keywords_2 and keywords_3 and keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 and keywords_9 and keywords_10 and keywords_11 or keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19 falsepositives:    – Rate of FP low-moderate with some strings.    – Use this rule in an infected environment/logs.    – Analyst may need to make adjustments to the query as required. level: critical
ssdeep Matches
No matches found.
PE Metadata

Compile Date
2025-07-18 03:25:36+00:00

Import Hash
dae02f32a21e03ce65412f6e56942daa

File Description
 

Internal Name
bjcloiyq.dll

Legal Copyright
 

Original Filename
bjcloiyq.dll

Product Version
0.0.0.0

PE Sections

MD5
Name
Raw Size
Entropy

93185bd1019bd277eef9815a17f1d074
header
512
2.540889

f7cb6b7293c5082045ba423cab20a758
.text
2048
4.519674

b73c90a61195ef7457efab9d898490d9
.rsrc
1024
2.172802

039675253cb6c73f5458348295ff2f28
.reloc
512
0.081539

Packers/Compilers/Cryptors

Microsoft Visual C# / Basic .NET

Relationships

bee94b93c1…
Contained_Within
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7

Description
This artifact is a 64-bit .NET DLL that contains a class named “E” (Figure 2) used to extract and concatenate machine key configuration settings within an ASP[.]NET application’s configuration. The file uses reflection to access the “MachineKeySection” from the “System.Web” assembly, which contains cryptographic keys used for validation and decryption in ASP[.]NET. The file uses reflection to get and invoke the “GetApplicationConfig” method of the “MachineKeySection” class to retrieve the “machineKey” configuration, which holds the actual key values. The file constructs a string containing the “ValidationKey”, “Validation”, “DecryptionKey”, “Decryption”, and “CompatibilityMode” properties of the “machineKeySection” and adds it as a custom header named “X-TXT-NET” to the HTTP response.
Screenshots

Figure 2 – Screenshot of the decompiled .NET assembly within a class named “E” used to extract the machine key configuration.

3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997
Details

Name
osvmhdfl.dll

Size
13373 bytes

Type
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

MD5
40e609840ef3f7fea94d53998ec9f97f

SHA1
141af6bcefdcf6b627425b5b2e02342c081e8d36

SHA256
3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997

SHA512
deaed6b7657cc17261ae72ebc0459f8a558baf7b724df04d8821c7a5355e037a05c991433e48d36a5967ae002459358678873240e252cdea4dcbcd89218ce5c2

ssdeep
384:cMQLQ5VU1DcZugg2YBAxeFMxeFAReF9ReFj4U0QiKy8Mg3AxeFaxeFAReFLxTYma:ElHh1gtX10u5A

Entropy
4.966672

Antivirus
No matches found.
YARA Rules

rule CISA_251132_08 : steals_authentication_credentials exfiltrates_data{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250725_712”       actor = “n/a”       family = “n/a”       capabilities = “steals-authentication-credentials exfiltrates-data”       malware_type = “unknown”       tool_type = “unknown”       description = “Detects .Net DLL payload samples”       sha256_1 = “3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997”   strings:       $s0 = { 47 65 74 4C 6F 67 69 63 61 6C 44 72 69 76 65 73 }       $s1 = { 67 65 74 5F 4D 61 63 68 69 6E 65 4E 61 6D 65 }       $s2 = { 67 65 74 5F 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 }       $s3 = { 67 65 74 5F 43 75 72 72 65 6E 74 44 69 72 65 63 74 6F 72 79 }       $s4 = { 67 65 74 5F 50 72 6F 63 65 73 73 6F 72 43 6F 75 6E 74 }       $s5 = { 67 65 74 5F 55 73 65 72 4E 61 6D 65 }       $s6 = { 67 65 74 5F 4F 53 56 65 72 73 69 6F 6E }       $s7 = { 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61 62 6C 65 73 }       $s8 = { 53 79 73 74 65 6D 2E 57 65 62 2E 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E }       $s9 = { 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E }       $s10 = { 67 65 74 5F 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 }       $s11 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 }       $s12 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E }       $s13 = { 67 65 74 5F 43 6F 6D 70 61 74 69 62 69 6C 69 74 79 4D 6F 64 65 }   condition:       all of them} 

SIGMA Rule
## CISA Code & Media Analysis ##                            ############ README ############### ## Edit rules and queries as needed for your hunt and based on your environment. ## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query. ## Do not edit “logsource-product:” unless you are editing this rule to meet specific logsources/fields and know your environment. ## TLP GREEN + Please use local installation of Sigma to convert this rule. ## TLP CLEAR may convert rules using online converter of choice.                            ################################### title: Detects CVE-2025-53770 CVE-2025-53771 Updated IOCs and Activity incident: 251133.r2 tlp: CLEAR id: 32bba1a1-3900-4cf9-b379-3e71a63998a3 status: test description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Detects updated IOCs and Activity. CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. TA – Linen Typhoon, Violet Typhoon, Storm-2603. references:    – https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/?msockid=3e14885e8c2b643323129d998d366597    – https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/    – https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/    – https://github.com/kaizensecurity/CVE-2025-53770/blob/master/payload    – https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint    – https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html author: CISA Code & Media Analysis date: 2025-07-23 modified: 2025-07-23 tags:    – cve.2025.49704    – cve.2025.49706    – cve.2025.53770    – cve.2025.53771 logsource:    product: cma detection:    keywords:        – ’92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514′        – ‘4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030’        – ‘b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70’        – ‘fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7’        – ‘390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e’        – ’66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082′        – ‘7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95’        – ‘8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2’        – ‘30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27’        – ‘b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93’        – ‘107.191.58.76’        – ‘104.238.159.149’        – ‘96.9.125.147’        – ‘103.186.30.186’        – ‘45.77.155.170’        – ‘139.144.199.41’        – ‘172.174.82.132’        – ‘89.46.223.88’          – ‘45.77.155.170’            – ‘154.223.19.106’          – ‘185.197.248.131’          – ‘149.40.50.15’        – ‘64.176.50.109’            – ‘149.28.124.70’          – ‘206.166.251.228’          – ‘95.179.158.42’        – ‘86.48.9.38’        – ‘128.199.240.182’          – ‘212.125.27.102’        – ‘91.132.95.60’        – ‘134.199.202.205’        – ‘131.226.2.6’        – ‘188.130.206.168’        – ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0’        – ‘Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0’        – ‘c34718cbb4c6.ngrok-free.app/file.ps1’    keywords_1:        – ‘*TEMPLATELAYOUTS*’    keywords_2:        – ‘spinstall*’        – ‘debug*’        – ‘info*’    keywords_3:        – ‘*.aspx’        – ‘*.js’    keywords_4:        – ‘POST’        – ‘GET’        – ‘curl’    keywords_5:        – ‘*/_layouts/*’        – ‘*/layouts/*’        – ‘*layouts*’    keywords_6:        – ‘*ToolPane.aspx’        – ‘*DisplayMode’        – ‘*SignOut.aspx’        – ‘*spinstall*’        – ‘VIEWSTATE’    keywords_7:        – ‘cmd.exe’    keywords_8:        – ‘powershell.exe’    keywords_9:        – ‘-EncodedCommand’        – ‘-ec’        – ‘-enc’        – ‘VIEWSTATE’        – ‘yoserial*’    keywords_10:        – ‘*TEMPLATELAYOUTS*’    keywords_11:        – ‘ChildItem’    keywords_12:        – ‘targetFile’    keywords_13:        – ‘NewLine’    keywords_14:        – ‘*web.config*’    keywords_15:        – ‘Ry2cuVmFsaWRhd’        – ‘Validation’    keywords_16:        – ‘ifCIRy2cuQ29tc’        – ‘Decryption’    keywords_17:        – ‘dGlvb’        – ‘Key’    keywords_18:        – ‘UZtleVNlY3Rpb2’        – ‘MachineKey’    keywords_19:        – ‘ShudWxsLC’        – ‘Invoke’    keywords_20:        – ‘XIiIGxhbmd1Y’        – ‘language’    keywords_21:        – ‘qZWN0WzBdKTsNC’        – ‘new object’    keywords_22:        – ‘POST’        – ‘powershell*’        – ‘*layouts*’    keywords_23:        – ‘ToolPane.aspx’        – ‘*spinstall*’    condition: keywords or keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 and keywords_9 or keywords_10 and keywords_11 and keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 and keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23 falsepositives:    – Rate of FP low-moderate with some strings.    – Use this rule in an infected environment/logs.    – Analyst may need to make adjustments to the query as required. level: critical
ssdeep Matches
No matches found.
PE Metadata

Compile Date
2025-07-22 08:33:22+00:00

Import Hash
dae02f32a21e03ce65412f6e56942daa

File Description
 

Internal Name
osvmhdfl.dll

Legal Copyright
 

Original Filename
osvmhdfl.dll

Product Version
0.0.0.0

PE Sections

MD5
Name
Raw Size
Entropy

2a11da5809d47c180a7aa559605259b5
header
512
2.545281

531ff1038e010be3c55de9cf1f212b56
.text
4608
4.532967

ef6793ef1a2f938cddc65b439e44ea07
.rsrc
1024
2.170401

403090c0870bb56c921d82a159dca5a3
.reloc
512
0.057257

Packers/Compilers/Cryptors

Microsoft Visual C# / Basic .NET

Description
This artifact is a 32-bit .NET DLL that contains a class named “E” (Figure 3) used to retrieve system and environment information, along with the machine key configuration settings (Figure 3). This class file is designed to iterate through and collect environment variables as well as retrieve and format .NET and system properties below: –Begin System Properties– Number of logical drives Drive letters Computer name Full path of the system directory Current directory Processor count System uptime (milliseconds since start) Username Operating system version .NET version –End System Properties– The file uses reflection to access the “MachineKeySection” from the “System.Web” assembly, which contains cryptographic keys used for validation and decryption in ASP[.]NET. The file uses reflection to invoke the “GetApplicationConfig” method of the “MachineKeySection” class to retrieve the “machineKey” configuration, which holds the actual key values. The file constructs a string containing the “ValidationKey”, “Validation”, “DecryptionKey”, “Decryption”, and “CompatibilityMode” properties of the “machineKeySection”. The gathered information and the “MachineKeySection” details are formatted into a string before written to the HTTP response (current.Response object).
Screenshots

Figure 3 – Screenshot of the decompiled .NET assembly that contains a class named “E” used to retrieve and display system and environment information, along with the machine key configuration settings.

92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
Tags
webshell
Details

Name
spinstall0.aspx

Size
756 bytes

Type
HTML document, ASCII text, with CRLF line terminators

MD5
02b4571470d83163d103112f07f1c434

SHA1
f5b60a8ead96703080e73a1f79c3e70ff44df271

SHA256
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

SHA512
2e6799393458d42acd4586c9792c24edf10b5e4aa761419758fec8da6670197c0e7c21e46dab224673818146ea4811446b4fbeaeed581e98f2add0980eb9d47d

ssdeep
12:iWVx8OaBngupDLI4MKisEKFhbCT5a05MQ+SuEKd2Eswl1HwAbPYMv:5VxWBnrE4JtbCT5f5exB1tbPYMv

Entropy
5.313146

Antivirus
No matches found.
YARA Rules

rule CISA_251132_03 : steals_authentication_credentials exfiltrates_data{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250724_721”       actor = “n/a”       family = “n/a”       capabilities = “steals-authentication-credentials exfiltrates-data”       malware_type = “unknown”       tool_type = “unknown”       description = “Detects aspx payload samples”       sha256_1 = “92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514”   strings:       $s0 = { 4C 6F 61 64 28 22 53 79 73 74 65 6D 2E 57 65 62 }       $s1 = { 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E 2E 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E }       $s2 = { 52 65 73 70 6F 6E 73 65 2E 57 72 69 74 65 }       $s3 = { 63 67 2E 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 2B 22 7C 22 }       $s4 = { 2B 63 67 2E 56 61 6C 69 64 61 74 69 6F 6E 2B }       $s5 = { 2B 63 67 2E 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 2B }       $s6 = { 2B 63 67 2E 44 65 63 72 79 70 74 69 6F 6E 2B }       $s7 = { 2B 63 67 2E 43 6F 6D 70 61 74 69 62 69 6C 69 74 79 4D 6F 64 65 }   condition:       all of them} 

SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Description
This artifact is a malicious ASPX file used to retrieve and output machine key information from the “MachineKeySection” of the System[.]Web[.]Configuration namespace (Figure 4). This file uses reflection to dynamically load the “System.Web” assembly and access the “MachineKeySection” class within “System.Web.Configuration”. The file invokes “GetApplicationConfig” to retrieve the “MachineKeySection” object and writes its properties including, ValidationKey, Validation, DecryptionKey, Decryption, and CompatibilityMode to the HTTP response using the “Response.Write()” method.
Screenshots

Figure 4 – Screenshot of the contents of the ASPX file used to extract configuration information from the machine key section of a web application’s Web.config file.

9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7
Tags
dropper
Details

Name
info3.aspx

Size
5026 bytes

Type
ASCII text, with very long lines, with no line terminators

MD5
1f5c8df6bd296ebf68acda951a004a5b

SHA1
d80722b335806cb74ee27af385abc6c9b018e133

SHA256
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7

SHA512
54a82a9d9747f872f21f20ac4acea25218ed38a61fd9c611fb858f3f0c2941d4bf7ed35bf93fc0432aa3ac5a891277754a4a9468ae03cf31ca11281a589bc224

ssdeep
96:orFTPkPoXHIBvUr7F13mw3UhoQgW0970Eq90WtPKLiOKMT:orVPkPRBvaJ13r3eA709JPKGOKMT

Entropy
5.515141

Antivirus
No matches found.
YARA Rules

rule CISA_251132_04 : dropper installs_other_components{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250724_721”       actor = “n/a”       family = “n/a”       capabilities = “installs-other-components”       malware_type = “dropper”       tool_type = “unknown”       description = “Detects Base64 encoded PowerShell dropper samples”       sha256_1 = “9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7”   strings:       $s0 = { 63 6D 64 2E 65 78 65 5C 22 20 2F 63 20 70 6F 77 65 72 73 68 65 6C 6C 20 2D 43 6F 6D 6D 61 6E 64 }       $s1 = { 46 72 6F 6D 42 61 73 65 36 34 53 74 72 69 6E 67 }       $s2 = { 4F 75 74 2D 46 69 6C 65 20 2D 46 69 6C 65 50 61 74 68 }       $s3 = { 69 6E 66 6F 33 2E 61 73 70 78 }       $s4 = { 2D 45 6E 63 6F 64 69 6E 67 20 55 54 46 38 }   condition:       all of them} 

SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Relationships

9340bf7378…
Contains
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc

Description
This artifact contains command-line instruction used to execute a PowerShell command (Figure 5). The PowerShell command decodes a Base64 encoded string into a Unicode Transformation Format-8 (UTF-8) string. The decoded content is then written to a file named “info3.aspx” (675a10e87c24….) located at c:progra~1\common~1micros~1webser~1l16templatelayouts. The output file is encoded using UTF8.
Screenshots

Figure 5 – Screenshot of the contents of the file containing command-line instruction used to execute a PowerShell command.

675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc
Tags
webshell
Details

Name
info3.aspx

Size
3582 bytes

Type
HTML document, ASCII text

MD5
7e09e837805c55dc5643cc21a87ff2a8

SHA1
27f154765054fbe0f5c234cd2c7829b847005d2a

SHA256
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc

SHA512
83aa141fd090172fb9a22855c18f2aea8b37f663f0093edd675a7499186fe46b3f953edda9477ca8918cf2af82c8b723d07a6912a9d7aa62b26391d15a83c44d

ssdeep
48:H9zBW074shunsBjsm/ITETo1YWOW5uq+Z8QZ+ThJSCyiH12:HJBG2jsmI4lPeWiOo3SCyiV2

Entropy
4.789465

Antivirus
No matches found.
YARA Rules

rule CISA_251132_05 : webshell exfiltrates_data fingerprints_host{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250724_721”       actor = “n/a”       family = “n/a”       capabilities = “exfiltrates-data fingerprints-host”       malware_type = “webshell”       tool_type = “unknown”       description = “Detects aspx webshell samples”       sha256_1 = “675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc”   strings:       $s0 = { 43 75 72 72 65 6E 74 2E 52 65 71 75 65 73 74 2E 46 6F 72 6D }       $s1 = { 20 48 74 74 70 43 6F 6F 6B 69 65 20 6E 65 77 63 6F 6F 6B }       $s2 = { 6E 65 77 63 6F 6F 6B 2E 45 78 70 69 72 65 73 20 }       $s3 = { 52 65 73 70 6F 6E 73 65 2E 53 65 74 43 6F 6F 6B 69 65 28 6E 65 77 63 6F 6F 6B 29 }       $s4 = { 43 6F 6D 70 75 74 65 48 61 73 68 }       $s5 = { 44 26 46 72 69 32 6B 26 78 35 64 4D 49 53 54 6E 61 46 71 40 }       $s6 = { 2A 68 75 5E 4D 23 6C 23 4C 72 6C 4E 6F 39 21 37 4B 4C 66 }       $s7 = { 22 63 6D 22 20 2B 20 22 64 2E 65 22 20 2B 20 22 78 65 22 }       $s8 = { 57 72 69 74 65 4C 69 6E 65 28 22 65 78 69 74 22 29 }       $s9 = { 50 61 73 73 77 6F 72 64 }       $s10 = { 43 6F 6D 6D 61 6E 64 }       $s11 = { 55 70 6C 6F 61 64 }       $s12 = { 74 79 70 65 3D 22 66 69 6C 65 22 }       $s13 = { 74 79 70 65 3D 22 74 65 78 74 22 }          condition:       all of them} 

SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Relationships

675a10e87c…
Contained_Within
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7

Description
This artifact is a malicious ASP[.]NET web page (.aspx) that contains ASP[.]NET code embedded within an HTML structure. This file is a webshell installed by “info3.aspx” (9340bf73782….). The file handles various operations based on submitted form data or HTTP cookies. The file contains HTML code used to create forms. The forms allow the Threat Actor (TA) to enter a password and submit it using a “Login” button, enter a command into a text field, which can then be executed by clicking an “Execute” button, and upload files that includes two input fields: one for selecting a file (type=”file”) and another for text input (type=”text”) (Figure 7). The password form element is configured for POST method and the input field is named “nYOmkVTYH2”. If the HTML form with a password is received from the TA via an HTTP POST request, the file checks if the submission form field parameter named “nYOmkVTYH2” is not null or empty. If the parameter is present and not empty, the file sets an HTTP Cookie named “wY1DC6wH4u” with a value from the form field “nYOmkVTYH2” and sets the HTTP Cookie expiration date to four days from the current time. This cookie is then added to the response. The file verifies if the HTTP cookie exists in the current HTTP request. If the cookie exists, its value is concatenated with a long hard-coded string “D&Fri2k&x5dMISTnaFq@ssyKk@rEM!98KzSKWpL4Nc8NvaA9AKdJVOtfdJ45FvbyYHxTql6kkc%qOZevc*hu^M#l#LrlNo9!7KLf”. This combined string is then hashed using SHA512. The computed hash is converted to a Base64 string and compared against a predefined Base64 encoded string “9gYs0W/reXzR+KO6J/zP6naMU9AQwZCwhmXuPyGeY2VwMkxNGBZaJQAxGS6GvQZJLSAPk8LT0PgJVU1kQQJd2zW9w==” (Figure 6). This process determines whether a user or request is authorized. The command form element is configured for POST method and the input field is named “GTaRkhJ9wz”. If the HTML form with a command is received from the TA via an HTTP POST request, the file checks if the submission form field parameter named “GTaRkhJ9wz” is not null or empty. If the parameter is present and not empty, the file creates a new process to execute a command-line utility “cmd.exe”. The file redirects standard input, output, and error streams to capture the results of the executed command. The code writes the value of the “GTaRkhJ9wz” form parameter to the process’s standard input, executing the value as a command, and then writes “exit” to terminate the process (Figure 6). The file upload form element is configured for POST method and “enctype”=”multipart/form-data” to handle file uploads. It includes an input type=”file” for selecting a file (input field named “0z3H8H8ato”) and an input type=”text” for providing a destination path or filename ( input field named “7KAjlfecWF”). If the HTML form for file upload is received from the TA, the file checks if the submission form field parameter named “7KAjlfecWF” (intended to be the file path or name) is not null or empty. The file retrieves the uploaded file through the “0z3H8H8atO” input using “HttpContext.Current[.]Request[.]Files[“Oz3H8H8ato”]”. If the file exists and has content (content length is greater than zero), the file saves the uploaded file using the path provided in the “7KAjlfecWF” field. Upon successful upload, the “InnerText” of an element named “Result” is set to “uploaded”, indicating the file has been saved. If an error occurs during the process, the file captures the exception and displays its details in “Result.InnerText” (Figure 6). The file displays server-side generated output or messages to the TA.
Screenshots

Figure 6 – Screenshot of the code snippet designed for handling various web-related operations, including setting and retrieving HTTP cookies, calculating a SHA512 hash of a request form value, starting an external cmd process and capturing its output, handling uploaded files from a request.

Figure 7 – Screenshot of the form that allows the TA to enter a password and submit it using a “Login” button, to enter a command, which can then be executed by clicking an “Execute” button, and a field for uploading files, featuring a file input (type=”file”) and a text input, both submitted using an “Upload” button.

d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00
Tags
webshell
Details

Name
spinstallb.aspx

Size
676 bytes

Type
HTML document, ASCII text, with very long lines, with no line terminators

MD5
7d2f36f4cb82c75b83c210e655649b5d

SHA1
37d1d1913d758f7d71020c08d4a7dae3efe83b68

SHA256
d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00

SHA512
c52ab55753ae7fcfca46e869b805f3aa2d19c45e7526a61f79b20b8cd38eccc09f1b7a06acbd8d77e936f68fea9ee3bba7b7c42d6f93cf0c27a22cf7555d70d3

ssdeep
12:XrVcins8q/KF2C2DRbqtP6LoGM8AWLaWF1nM9OiDGiOVKeL84GYb:7Vds8q/KF2C2qPWHAW+WF9M9OiDm/b

Entropy
5.466082

Antivirus
No matches found.
YARA Rules

rule CISA_251132_06 : webshell fingerprints_host installs_other_components exfiltrates_data{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250725_712”       actor = “n/a”       family = “n/a”       capabilities = “fingerprints-host installs-other-components exfiltrates-data”       malware_type = “webshell”       tool_type = “unknown”       description = “Detects ASPX Webshell samples”       sha256_1 = “d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00”   strings:       $s0 = { 3D 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B 22 70 22 5D }       $s1 = { 46 72 6F 6D 42 61 73 65 36 34 53 74 72 69 6E 67 28 65 6E 63 29 }       $s2 = { 46 69 6C 65 4E 61 6D 65 3D 22 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 }       $s3 = { 2D 45 6E 63 6F 64 65 64 43 6F 6D 6D 61 6E 64 }       $s4 = { 2C 55 73 65 53 68 65 6C 6C 45 78 65 63 75 74 65 3D 66 61 6C 73 65 }       $s5 = { 76 61 72 20 70 6C 3D 6E 65 77 20 62 79 74 65 }       $s7 = { 36 38 39 30 31 61 33 39 34 61 37 36 64 63 35 30 36 34 66 62 61 39 36 62 38 36 }       $s8 = { 32 36 36 35 65 65 35 39 36 62 31 61 31 34 36 38 62 64 63 36 }       $s9 = { 31 38 31 35 37 64 37 63 63 61 30 31 33 30 39 30 32 65 }   condition:       all of them} 

SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Description
This artifact is a malicious ASPX file with a “Page_Load” event handler that constructs and executes a command using PowerShell on the server (Figure 8). Upon execution, the file takes a Base64-encoded string from a form parameter named “p”. The Base64 encoded string is decoded and Exclusively-OR (XOR) decrypted using a hard-coded XOR key “68901a394a76dc5064fba96b862665ee596b1a1468bdc618157d7cca0130902e”. The output of the XOR decrypted bytes are converted to a Unicode Transformation Format-8 (UTF-8) string and then Base64 encoded. The Base64 encoded string is passed as an argument to the PowerShell process “powershell.exe” using the “-EncodedCommand flag”. The file redirects the standard output of the PowerShell process and reads it into a variable “o”, which is then written back to the HTTP response.
Screenshots

Figure 8 – Screenshot of the contents of the ASPX file.

d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170
Tags
webshell
Details

Name
spinstallp.aspx

Size
706 bytes

Type
HTML document, ASCII text, with very long lines, with no line terminators

MD5
7768feda9d79ef6f87410c02e981f066

SHA1
1b8432fcda4c12b64cdf4918adf7880aecf054ec

SHA256
d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170

SHA512
c9ee5d32a59fad386570923df7950b562e1d4c000c7f4a20aebc214477f737815a401858a11d4e9139a80152afd5ddc8655ad804e71544e50f5a23cc9888eeba

ssdeep
12:XrVTO6LjxB5QnnsJz3kH+XWLaWF1n5OiD5RKF2UIdiOVKeLxnHdYT:7VTOYZWsJz3+WW+WF95OiDbKF2xP6T

Entropy
5.432916

Antivirus
No matches found.
YARA Rules

rule CISA_251132_07 : webshell fingerprints_host installs_other_components exfiltrates_data{   meta:       author = “CISA Code & Media Analysis”       incident = “251132”       date = “2025-07-21”       last_modified = “20250725_712”       actor = “n/a”       family = “n/a”       capabilities = “fingerprints-host installs-other-components exfiltrates-data”       malware_type = “webshell”       tool_type = “unknown”       description = “Detects ASPX Webshell samples”       sha256_1 = “d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170”   strings:       $s0 = { 61 38 35 39 66 30 32 30 38 37 37 37 34 36 32 38 39 39 64 66 36 37 62 33 64 38 31 61 37 62 38 62 }       $s1 = { 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 }       $s2 = { 41 72 67 75 6D 65 6E 74 73 3D 22 2D 65 6E 63 20 22 }       $s3 = { 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B 22 70 22 5D }       $s4 = { 55 73 65 53 68 65 6C 6C 45 78 65 63 75 74 65 3D 66 61 6C 73 65 }       $s5 = { 52 65 64 69 72 65 63 74 53 74 61 6E 64 61 72 64 4F 75 74 70 75 74 3D 74 72 75 65 }       $s6 = { 53 74 61 6E 64 61 72 64 4F 75 74 70 75 74 }       $s7 = { 52 65 73 70 6F 6E 73 65 2E 57 72 69 74 65 }       $s8 = { 47 65 74 42 79 74 65 73 28 6F 29 }   condition:       all of them} 

SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Description
This artifact is a malicious ASPX file with a “Page_Load” event handler that constructs and executes a command using PowerShell on the server (Figure 9). Upon execution, the file constructs a PowerShell command that decodes a Base64 string from the request form parameter “p”. The decoded string is decrypted using the XOR function with the hard-coded key “a859f0208777462899df67b3d81a7b8b”. The decrypted bytes (command) is executed using a PowerShell command. The standard output of the executed PowerShell command is converted to a UTF-8 string, then encrypted using the XOR function with the same hard-coded key. The encrypted bytes data is Base64 encoded before written to the HTTP response using “Response.Write”.
Screenshots

Figure 9 – Screenshot of the contents of the ASPX file.

Relationship Summary

60a37499f9…
Contains
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72

bee94b93c1…
Contained_Within
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7

9340bf7378…
Contains
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc

675a10e87c…
Contained_Within
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870
CISA Service Desk (UNCLASS)
CISA SIPR (SIPRNET)
CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via the methods below:

Web: https://www.cisa.gov/resources-tools/services/malware-next-generation-analysis
For larger files (over 100MB), please reach out to CISA for instructions.

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov. 

Notification

Summary

Findings

Relationship Summary

Recommendations

Contact Information

Document FAQ

 Read More

​On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed. 

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qiliin.

Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

CROSS-SITE GRIFTING

Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police; in 2004, 2006, 2009, and 2014.

Astute readers may have noticed by now that the ages of Mr. Avdeev (45) and the XSS admin arrested this month (38) are quite a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

A FLY ON THE WALL

For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who is now running the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.

“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0kl0s also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

WHO IS TOHA?

So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well an an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Mevedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s  homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.

However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread that spans dozens of pages. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

GordonBellford continued:

And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE . With the help of modern tools, they see everything:

Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.

 

​Read More

 ​CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
• CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
• CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​CISA released two Industrial Control Systems (ICS) advisories on August 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-217-01 Mitsubishi Electric Iconics Digital Solutions Multiple Products
ICSA-25-217-02 Tigo Energy Cloud Connect Advanced

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released two Industrial Control Systems (ICS) advisories on August 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-217-01 Mitsubishi Electric Iconics Digital Solutions Multiple Products
• ICSA-25-217-02 Tigo Energy Cloud Connect Advanced

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Tigo Energy
Equipment: Cloud Connect Advanced
Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Cloud Connect Advanced are affected:

Cloud Connect Advanced: Versions 4.0.1 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Hard-coded Credentials CWE-798
Tigo Energy’s Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.
CVE-2025-7768 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7768. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) CWE-77
Tigo Energy’s CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
CVE-2025-7769 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7769. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Predictable Seed in Pseudo-Random Number Generator (PRNG) CWE-337
Tigo Energy’s CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.
CVE-2025-7770 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7770. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Anthony Rose and Jacob Krasnov of BC Security and Peter Kariuki of Ovanova reported these vulnerabilities to CISA.
4. MITIGATIONS
Tigo Energy is aware of these vulnerabilities and is actively working on a fix to address them.
Visit Tigo Energy’s Help Center for more specific security recommendations.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

August 5, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Tigo Energy
• Equipment: Cloud Connect Advanced
• Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Cloud Connect Advanced are affected:

• Cloud Connect Advanced: Versions 4.0.1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Hard-coded Credentials CWE-798

Tigo Energy’s Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.

CVE-2025-7768 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7768. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) CWE-77

Tigo Energy’s CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.

CVE-2025-7769 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7769. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Predictable Seed in Pseudo-Random Number Generator (PRNG) CWE-337

Tigo Energy’s CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.

CVE-2025-7770 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7770. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Anthony Rose and Jacob Krasnov of BC Security and Peter Kariuki of Ovanova reported these vulnerabilities to CISA.

4. MITIGATIONS

Tigo Energy is aware of these vulnerabilities and is actively working on a fix to address them.

Visit Tigo Energy’s Help Center for more specific security recommendations.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
• CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• August 5, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 4.1
ATTENTION: Low attack complexity
Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric
Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64
Vulnerability: Windows Shortcut Following (.LNK)

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in information tampering.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected:

GENESIS64: All versions
GENESIS: Version 11.00
Mitsubishi Electric MC Works64: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 Windows Shortcut Following (.LNK) CWE-64
An information tampering vulnerability due to Windows Shortcut Following exists in multiple processes in GENESIS64, MC Works64, and GENESIS. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. By creating a symbolic link, an attacker can cause the processes to make unauthorized writes to arbitrary files on the file system in any location that is accessible to the user under which the elevated processes are running, resulting in a denial-of-service (DoS) condition on the PC if the modified file is necessary for the operation of the PC.
CVE-2025-7376 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-7376. A base score of 4.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Iconics Digital Solutions recommends users upgrade to GENESIS Version 11.01, which contains a fix for this vulnerability. For the highest level of security, it is recommended that users upgrade their system to the latest version and keep it up-to-date with the latest releases. Consult Mitsubishi Electric Iconics Digital Solutions Support for upgrade assistance.
Users who remain on affected versions should be aware of this information tampering vulnerability and take any necessary precautions to keep the system safe from potential attackers such as:

Configure the PCs with the affected product installed so that only an administrator can log in.
PCs with the affected product installed should be configured to block remote logins from untrusted networks and hosts, and from non-administrator users.
Block unauthorized access by using a firewall or virtual private network (VPN), etc., and allow remote login only to administrators when connecting the PCs with the affected product installed to the Internet.
Restrict physical access to the PC with the affected product installed and the network to which the PC is connected to prevent unauthorized physical access.
Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).
For more information, see Mitsubishi Electric’s security advisory.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

August 5, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.1
• ATTENTION: Low attack complexity
• Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric
• Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64
• Vulnerability: Windows Shortcut Following (.LNK)

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in information tampering.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected:

• GENESIS64: All versions
• GENESIS: Version 11.00
• Mitsubishi Electric MC Works64: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Windows Shortcut Following (.LNK) CWE-64

An information tampering vulnerability due to Windows Shortcut Following exists in multiple processes in GENESIS64, MC Works64, and GENESIS. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. By creating a symbolic link, an attacker can cause the processes to make unauthorized writes to arbitrary files on the file system in any location that is accessible to the user under which the elevated processes are running, resulting in a denial-of-service (DoS) condition on the PC if the modified file is necessary for the operation of the PC.

CVE-2025-7376 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-7376. A base score of 4.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Iconics Digital Solutions recommends users upgrade to GENESIS Version 11.01, which contains a fix for this vulnerability. For the highest level of security, it is recommended that users upgrade their system to the latest version and keep it up-to-date with the latest releases. Consult Mitsubishi Electric Iconics Digital Solutions Support for upgrade assistance.

Users who remain on affected versions should be aware of this information tampering vulnerability and take any necessary precautions to keep the system safe from potential attackers such as:

• Configure the PCs with the affected product installed so that only an administrator can log in.
• PCs with the affected product installed should be configured to block remote logins from untrusted networks and hosts, and from non-administrator users.
• Block unauthorized access by using a firewall or virtual private network (VPN), etc., and allow remote login only to administrators when connecting the PCs with the affected product installed to the Internet.
• Restrict physical access to the PC with the affected product installed and the network to which the PC is connected to prevent unauthorized physical access.
• Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).

For more information, see Mitsubishi Electric’s security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• August 5, 2025: Initial Publication

 Read More

 ​CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. This follows a proactive threat hunt engagement conducted at a U.S. critical infrastructure facility.
During this engagement, CISA and USCG did not find evidence of malicious cyber activity or actor presence on the organization’s network but did identify several cybersecurity risks. CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging.
For more detailed mitigations addressing the identified cybersecurity risks, review joint Cybersecurity Advisory: CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization.  

CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. This follows a proactive threat hunt engagement conducted at a U.S. critical infrastructure facility.

During this engagement, CISA and USCG did not find evidence of malicious cyber activity or actor presence on the organization’s network but did identify several cybersecurity risks. CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging.

For more detailed mitigations addressing the identified cybersecurity risks, review joint Cybersecurity Advisory: CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization. 

 Read More

 ​CISA released two Industrial Control Systems (ICS) advisories on July 31, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-212-01 Güralp FMUS Series Seismic Monitoring Devices
ICSA-25-212-02 Rockwell Automation Lifecycle Services with VMware

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released two Industrial Control Systems (ICS) advisories on July 31, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-212-01 Güralp FMUS Series Seismic Monitoring Devices
• ICSA-25-212-02 Rockwell Automation Lifecycle Services with VMware

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More