{"id":10447,"date":"2025-07-23T12:33:25","date_gmt":"2025-07-23T05:33:25","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10447"},"modified":"2026-02-05T12:33:33","modified_gmt":"2026-02-05T05:33:33","slug":"tan-cong-sharepoint-quy-mo-lon-lo-dien-chuoi-loi-cho-phep-rce-va-bypass-xac-thuc","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/23\/tan-cong-sharepoint-quy-mo-lon-lo-dien-chuoi-loi-cho-phep-rce-va-bypass-xac-thuc\/","title":{"rendered":"T\u1ea5n c\u00f4ng SharePoint quy m\u00f4 l\u1edbn: L\u1ed9 di\u1ec7n chu\u1ed7i l\u1ed7i cho ph\u00e9p RCE v\u00e0 bypass x\u00e1c th\u1ef1c"},"content":{"rendered":"

Microsoft v\u1eeba ph\u00e1t c\u1ea3nh b\u00e1o b\u1ea3o m\u1eadt kh\u1ea9n c\u1ea5p sau khi ph\u00e1t hi\u1ec7n chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng c\u00f3 ch\u1ee7 \u0111\u00edch nh\u1eafm v\u00e0o h\u1ec7 th\u1ed1ng SharePoint Server on-premises, b\u1eaft \u0111\u1ea7u t\u1eeb ng\u00e0y 7\/7\/2025. Ba nh\u00f3m tin t\u1eb7c Trung Qu\u1ed1c g\u1ed3m Linen Typhoon, Violet Typhoon v\u00e0 Storm-2603 b\u1ecb x\u00e1c \u0111\u1ecbnh \u0111\u1ee9ng sau ho\u1ea1t \u0111\u1ed9ng khai th\u00e1c. C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng t\u1eadn d\u1ee5ng chu\u1ed7i l\u1ed7 h\u1ed5ng nghi\u00eam tr\u1ecdng cho ph\u00e9p v\u01b0\u1ee3t qua x\u00e1c th\u1ef1c, th\u1ef1c thi m\u00e3 t\u1eeb xa v\u00e0 chi\u1ebfm quy\u1ec1n ki\u1ec3m so\u00e1t h\u1ec7 th\u1ed1ng n\u1ed9i b\u1ed9.<\/b><\/p>\n

\n
\"SharePoint.png\"<\/div>\n<\/div>\n

\u0110\u1eb7c bi\u1ec7t, ng\u00e0y 18\/7\/2025, m\u1ed9t trong nh\u1eefng n\u1ea1n nh\u00e2n b\u1ecb x\u00e2m nh\u1eadp \u0111\u01b0\u1ee3c x\u00e1c nh\u1eadn l\u00e0 C\u01a1 quan An ninh H\u1ea1t nh\u00e2n Qu\u1ed1c gia (NNSA), thu\u1ed9c B\u1ed9 N\u0103ng l\u01b0\u1ee3ng Hoa K\u1ef3. D\u00f9 ch\u1ec9 m\u1ed9t s\u1ed1 h\u1ec7 th\u1ed1ng b\u1ecb \u1ea3nh h\u01b0\u1edfng v\u00e0 ch\u01b0a ph\u00e1t hi\u1ec7n r\u00f2 r\u1ec9 d\u1eef li\u1ec7u m\u1eadt, v\u1ee5 vi\u1ec7c cho th\u1ea5y quy m\u00f4 v\u00e0 m\u1ee9c \u0111\u1ed9 tinh vi c\u1ee7a l\u00e0n s\u00f3ng t\u1ea5n c\u00f4ng. Microsoft 365 v\u00e0 c\u00e1c h\u1ec7 th\u1ed1ng ph\u00f2ng th\u1ee7 m\u1ea1ng ti\u00ean ti\u1ebfn \u0111\u00e3 gi\u00fap h\u1ea1n ch\u1ebf thi\u1ec7t h\u1ea1i, song th\u00f4ng tin n\u00e0y \u0111\u00e3 khi\u1ebfn c\u1ed9ng \u0111\u1ed3ng an ninh m\u1ea1ng M\u1ef9 \u0111\u1eb7c bi\u1ec7t c\u1ea3nh gi\u00e1c.<\/p>\n

B\u1ed1n l\u1ed7 h\u1ed5ng \u0111\u01b0\u1ee3c khai th\u00e1c trong \u0111\u1ee3t t\u1ea5n c\u00f4ng g\u1ed3m:<\/p>\n

    \n
  • CVE-2025-49706 (spoofing): cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng gi\u1ea3 m\u1ea1o danh t\u00ednh ng\u01b0\u1eddi d\u00f9ng h\u1ee3p ph\u00e1p trong qu\u00e1 tr\u00ecnh x\u00e1c th\u1ef1c<\/li>\n
  • CVE-2025-49704 (remote code execution): cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u1eeb xa tr\u00ean m\u00e1y ch\u1ee7 SharePoint m\u1ee5c ti\u00eau<\/li>\n
  • CVE-2025-53770 (ToolShell Auth Bypass v\u00e0 RCE): cho ph\u00e9p truy c\u1eadp tr\u00e1i ph\u00e9p v\u00e0o m\u00f4i tr\u01b0\u1eddng d\u00f2ng l\u1ec7nh ToolShell v\u00e0 th\u1ef1c thi m\u00e3 \u0111\u1ed9c m\u00e0 kh\u00f4ng c\u1ea7n x\u00e1c th\u1ef1c<\/li>\n
  • CVE-2025-53771 (ToolShell Path Traversal): cho ph\u00e9p truy c\u1eadp v\u00e0 ch\u1ec9nh s\u1eeda c\u00e1c t\u1eadp tin nh\u1ea1y c\u1ea3m tr\u00ean h\u1ec7 th\u1ed1ng b\u1eb1ng c\u00e1ch v\u01b0\u1ee3t qua gi\u1edbi h\u1ea1n th\u01b0 m\u1ee5c th\u00f4ng th\u01b0\u1eddng<\/li>\n<\/ul>\n

    Nh\u1eefng l\u1ed7 h\u1ed5ng n\u00e0y \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn c\u00e1c phi\u00ean b\u1ea3n SharePoint Server 2016, 2019 v\u00e0 Subscription Edition c\u00e0i \u0111\u1eb7t t\u1ea1i ch\u1ed7. SharePoint Online kh\u00f4ng b\u1ecb \u1ea3nh h\u01b0\u1edfng.<\/p>\n

    Microsoft ghi nh\u1eadn k\u1ebb t\u1ea5n c\u00f4ng g\u1eedi c\u00e1c y\u00eau c\u1ea7u POST t\u1edbi endpoint ToolPane \u0111\u1ec3 trinh s\u00e1t, sau \u0111\u00f3 t\u1ea3i l\u00ean web shell \u0111\u1ed9c h\u1ea1i nh\u01b0 spinstall.aspx, spinstall0.aspx, spinstall1.aspx v\u00e0 spinstall2.aspx. C\u00e1c shell n\u00e0y ch\u1ee9a l\u1ec7nh thu th\u1eadp d\u1eef li\u1ec7u MachineKey th\u00f4ng qua GET, cho ph\u00e9p \u0111\u00e1nh c\u1eafp th\u00f4ng tin x\u00e1c th\u1ef1c ASP.NET nh\u1eb1m m\u1edf r\u1ed9ng ph\u1ea1m vi ki\u1ec3m so\u00e1t h\u1ec7 th\u1ed1ng.<\/p>\n

    Trong s\u1ed1 c\u00e1c l\u1ed7 h\u1ed5ng, CVE-2025-53771 thu\u1ed9c lo\u1ea1i x\u00e1c th\u1ef1c sai (CWE-287) cho ph\u00e9p c\u00e1c t\u00e0i kho\u1ea3n \u0111\u00e3 x\u00e1c th\u1ef1c th\u1ef1c hi\u1ec7n spoofing trong m\u00f4i tr\u01b0\u1eddng m\u1ea1ng n\u1ed9i b\u1ed9. \u0110\u00e1ng ch\u00fa \u00fd, l\u1ed7 h\u1ed5ng n\u00e0y c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c li\u00ean k\u1ebft v\u1edbi CVE-2025-49704 \u0111\u1ec3 t\u1ea1o th\u00e0nh chu\u1ed7i t\u1ea5n c\u00f4ng ph\u1ee9c t\u1ea1p, t\u1eeb \u0111\u00f3 chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n h\u1ec7 th\u1ed1ng \u1edf m\u1ee9c s\u00e2u h\u01a1n v\u00e0 duy tr\u00ec truy c\u1eadp l\u00e2u d\u00e0i. B\u1ec1 m\u1eb7t t\u1ea5n c\u00f4ng khi c\u00e1c l\u1ed7 h\u1ed5ng \u0111\u01b0\u1ee3c k\u1ebft h\u1ee3p ng\u00e0y c\u00e0ng ph\u1ee9c t\u1ea1p v\u00e0 kh\u00f3 ph\u00e1t hi\u1ec7n, t\u1ea1o r\u1ee7i ro nghi\u00eam tr\u1ecdng cho c\u00e1c t\u1ed5 ch\u1ee9c doanh nghi\u1ec7p.<\/p>\n

    Tr\u01b0\u1edbc m\u1ee9c \u0111\u1ed9 nghi\u00eam tr\u1ecdng v\u00e0 kh\u1ea3 n\u0103ng lan r\u1ed9ng c\u1ee7a chu\u1ed7i t\u1ea5n c\u00f4ng, Microsoft \u0111\u00e3 nhanh ch\u00f3ng ph\u00e1t h\u00e0nh c\u00e1c b\u1ea3n v\u00e1 b\u1ea3o m\u1eadt t\u01b0\u01a1ng \u1ee9ng nh\u1eb1m ng\u0103n ch\u1eb7n nguy c\u01a1 b\u1ecb khai th\u00e1c trong th\u1ef1c t\u1ebf:<\/p>\n