{"id":148484,"date":"2025-07-31T10:21:43","date_gmt":"2025-07-31T17:21:43","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=148484"},"modified":"2025-08-04T08:17:20","modified_gmt":"2025-08-04T15:17:20","slug":"microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/","title":{"rendered":"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09"},"content":{"rendered":"<h2><a id=\"post-148484-_heading=h.odsx3n167s55\"><\/a>\u57f7\u884c\u6458\u8981<\/h2>\n<h3><b>2025\u5e747\u670831\u65e5\u66f4\u65b0<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">\u5c0d <\/span><b>ToolShell<\/b><span style=\"font-weight: 400;\"> \u6f0f\u6d1e\u5229\u7528\u7684\u8abf\u67e5\u63ed\u9732\u4e86 <\/span><b>4L4MD4R<\/b><span style=\"font-weight: 400;\"> \u52d2\u7d22\u8edf\u9ad4\u7684\u90e8\u7f72\uff0c\u8a72\u8edf\u9ad4\u662f\u958b\u6e90 <\/span><b>Mauri870<\/b><span style=\"font-weight: 400;\"> \u52d2\u7d22\u8edf\u9ad4\u7684\u4e00\u500b\u8b8a\u7a2e\u3002<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u57282025\u5e747\u670827\u65e5\u4e00\u6b21\u5931\u6557\u7684\u6f0f\u6d1e\u5229\u7528\u5617\u8a66\u4e2d\uff0c\u56e0\u6d89\u53ca\u4e00\u689d\u7d93\u904e\u7de8\u78bc\u7684 PowerShell \u6307\u4ee4\uff0c\u6211\u5011\u9032\u800c\u767c\u73fe\u4e00\u500b\u8f09\u5165\u5668\u3002\u8a72\u8f09\u5165\u5668\u88ab\u8a2d\u8a08\u7528\u4f86\u5f9e <\/span><span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-weight: 400;\">hxxps:\/\/ice.theinnovationfactory[.]it\/static\/4l4md4r.exe<\/span><span style=\"font-weight: 400;\"> (IP\u4f4d\u5740 <\/span><span style=\"font-weight: 400;\">145.239.97[.]206<\/span><\/span><span style=\"font-weight: 400;\">) \u4e0b\u8f09\u4e26\u57f7\u884c\u6b64\u52d2\u7d22\u8edf\u9ad4\u3002<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u8a72 PowerShell \u6307\u4ee4\u8a66\u5716<\/span><b>\u505c\u7528\u5373\u6642\u76e3\u63a7<\/b><span style=\"font-weight: 400;\">\u4e26<\/span><b>\u7e5e\u904e\u6191\u8b49\u9a57\u8b49<\/b><span style=\"font-weight: 400;\">\u3002\u8a73\u7d30\u8cc7\u8a0a\u8acb\u898b\u300c\u653b\u64ca\u7bc4\u570d\u300d\u7ae0\u7bc0. <\/span><\/p>\n<h3><a id=\"post-148484-_heading=h.hwzvyfno602t\"><\/a><strong>2025 \u5e74 7 \u6708 29 \u65e5\u66f4\u65b0<\/strong><\/h3>\n<p>Unit 42 \u7684\u9059\u6e2c\u8cc7\u6599\u6355\u7372\u5230\uff0c\u5f9e 2025 \u5e74 7 \u6708 17 \u65e5\u4e16\u754c\u5354\u8abf\u6642\u9593 (UTC) 08:40 \u81f3 2025 \u5e74 7 \u6708 22 \u65e5\uff0c\u51fa\u73fe\u4e86\u91dd\u5c0d CVE-2025-53770 \u7684\u6f0f\u6d1e\u5229\u7528\u4f01\u5716\u3002\u9019\u4e9b\u653b\u64ca\u6e90\u81ea\u65bc\u88ab\u8ffd\u8e64\u70ba CL-CRI-1040 \u7684\u5a01\u8105\u6d3b\u52d5\u3002<\/p>\n<p>\u6211\u5011\u89c0\u5bdf\u5230\uff0cCL-CRI-1040 \u6240\u4f7f\u7528\u7684 IP \u4f4d\u5740\u81ea 2025 \u5e74 7 \u6708 17 \u65e5\u4e16\u754c\u5354\u8abf\u6642\u9593 (UTC) 06:58 \u958b\u59cb\uff0c\u4fbf\u5c0d SharePoint \u4f3a\u670d\u5668\u9032\u884c\u653b\u64ca\u524d\u7684\u5f31\u9ede\u6e2c\u8a66\u3002\u5f9e\u5176\u6f0f\u6d1e\u5229\u7528\u7684\u6a21\u5f0f\u986f\u793a\uff0c\u653b\u64ca\u8005\u4f7f\u7528\u4e86\u4e00\u4efd\u975c\u614b\u7684 SharePoint \u4f3a\u670d\u5668\u76ee\u6a19\u6e05\u55ae\u3002<\/p>\n<p>\u5728 CL-CRI-1040 \u6d3b\u52d5\u4e2d\uff0c\u5176\u4e2d\u4e00\u500b\u7528\u65bc\u5229\u7528 CVE-2025-53770 \u7684 IP \u4f4d\u5740\uff0c\u8207\u5fae\u8edf\uff08<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>\uff09\u6240\u63d0\u53ca\u7684 Storm-2603 \u5a01\u8105\u7fa4\u7d44\u6709\u6240\u91cd\u758a\u3002\u6211\u5011\u76ee\u524d\u6b63\u5728\u5c0d\u6b64\u4e00\u7fa4\u7d44\u9032\u884c\u7814\u7a76\uff0c\u4ee5\u6df1\u5165\u4e86\u89e3\u5176\u5e55\u5f8c\u7684\u653b\u64ca\u8005\u3002<\/p>\n<p>Unit 42 \u6b63\u5728\u8ffd\u8e64\u4e00\u9805\u91dd\u5c0d\u81ea\u884c\u8a17\u7ba1 Microsoft SharePoint \u4f3a\u670d\u5668\u7684\u91cd\u5927\u6301\u7e8c\u6027\u5a01\u8105\u6d3b\u52d5\u3002\u96d6\u7136 SaaS \u74b0\u5883\u4ecd\u672a\u53d7\u5230\u5f71\u97ff\uff0c\u4f46\u81ea\u6211\u8a17\u7ba1\u7684 SharePoint \u90e8\u7f72\uff0c\u7279\u5225\u662f\u653f\u5e9c\u3001\u5b78\u6821\u3001\u91ab\u7642\u4fdd\u5065\uff08\u5305\u62ec\u91ab\u9662\uff09\u548c\u5927\u578b\u4f01\u696d\uff0c\u6b63\u9762\u81e8\u7acb\u5373\u7684\u98a8\u96aa\u3002<\/p>\n<p>\u7531\u65bc\u591a\u500b\u6f0f\u6d1e\uff08\u7d71\u7a31\u70ba\u300cToolShell\u300d\uff0c\u7de8\u865f\u70ba (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49704\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49706\" target=\"_blank\" rel=\"noopener\">CVE-2025-49706<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770, <\/a><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53771\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a>\uff09\uff0c\u672c\u5730\u90e8\u7f72\u7684 Microsoft SharePoint \u4f3a\u670d\u5668\u76ee\u524d\u6b63\u906d\u53d7\u5ee3\u6cdb\u4e14\u6d3b\u8e8d\u7684\u60e1\u610f\u5229\u7528\u3002\u9019\u4e9b\u6f0f\u6d1e\u4f7f\u653b\u64ca\u8005\u7121\u9700\u4efb\u4f55\u6191\u8b49\u5373\u53ef\u5be6\u73fe\u5b8c\u6574\u7684\u9060\u7aef\u7a0b\u5f0f\u78bc\u57f7\u884c (RCE)\u3002\u53d7\u640d\u7684 SharePoint \u4f3a\u670d\u5668\u5c0d\u7d44\u7e54\u69cb\u6210\u91cd\u5927\u98a8\u96aa\uff0c\u56e0\u70ba\u5b83\u53ef\u80fd\u6210\u70ba\u901a\u5f80\u5176\u4ed6\u6574\u5408\u5f0f\u5fae\u8edf\u670d\u52d9\u7684\u9598\u9053\u3002<\/p>\n<p>\u9664\u4e86 CVE \u5831\u544a\u4e4b\u5916\uff0cMicrosoft \u9084\u767c\u4f48\u4e86\u6709\u95dc\u9019\u4e9b\u5f31\u9ede\u7684<a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">\u9032\u4e00\u6b65\u5efa\u8b70<\/a>\u3002\u5f31\u9ede\u53ca\u5176 CVSS \u5f97\u5206\u548c\u8aaa\u660e\u8a73\u5217\u65bc\u8868 1\u3002<\/p>\n<table style=\"width: 100.215%;\">\n<tbody>\n<tr>\n<td style=\"width: 23.8139%; text-align: center;\"><strong>CVE #<\/strong><\/td>\n<td style=\"width: 58.5095%; text-align: center;\"><strong>\u8aaa\u660e<\/strong><\/td>\n<td style=\"width: 31.3637%; text-align: center;\"><strong>CVSS \u5206\u6578<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 23.8139%; text-align: center;\"><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-49704\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a><\/td>\n<td style=\"width: 58.5095%;\">Microsoft Office SharePoint \u5c0d\u4ee3\u78bc\u7522\u751f\u7684\u4e0d\u7576\u63a7\u5236 (\u7a0b\u5f0f\u78bc\u690d\u5165) \u5141\u8a31\u6388\u6b0a\u653b\u64ca\u8005\u900f\u904e\u7db2\u8def\u57f7\u884c\u4ee3\u78bc\u3002<\/td>\n<td style=\"width: 31.3637%; text-align: center;\">8.8<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 23.8139%; text-align: center;\"><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-49706\" target=\"_blank\" rel=\"noopener\">CVE-2025-49706<\/a><\/td>\n<td style=\"width: 58.5095%;\">Microsoft Office SharePoint \u4e2d\u4e0d\u7576\u7684\u9a57\u8b49\u5141\u8a31\u6388\u6b0a\u653b\u64ca\u8005\u900f\u904e\u7db2\u8def\u8a50\u9a19\u3002<\/td>\n<td style=\"width: 31.3637%; text-align: center;\">6.5<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 23.8139%; text-align: center;\"><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-53770\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a><\/td>\n<td style=\"width: 58.5095%;\">\u5728\u5167\u90e8\u90e8\u7f72 Microsoft SharePoint Server \u4e2d\u5c0d\u4e0d\u4fe1\u4efb\u7684\u8cc7\u6599\u9032\u884c\u53cd\u5e8f\u5217\u5316\uff0c\u53ef\u8b93\u672a\u7d93\u6388\u6b0a\u7684\u653b\u64ca\u8005\u900f\u904e\u7db2\u8def\u57f7\u884c\u7a0b\u5f0f\u78bc\u3002<\/td>\n<td style=\"width: 31.3637%; text-align: center;\">9.8<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 23.8139%; text-align: center;\"><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53771\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a><\/td>\n<td style=\"width: 58.5095%;\">\u5728 Microsoft Office SharePoint \u4e2d\uff0c\u4e0d\u7576\u5730\u9650\u5236\u53d7\u9650\u5236\u76ee\u9304\u7684\u8def\u5f91\u540d\u7a31 (\u8def\u5f91\u5468\u904a)\uff0c\u53ef\u8b93\u6388\u6b0a\u653b\u64ca\u8005\u900f\u904e\u7db2\u8def\u8a50\u9a19\u3002<\/td>\n<td style=\"width: 31.3637%; text-align: center;\">6.5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u8868 1.\u5f71\u97ff Microsoft SharePoint \u7684\u6700\u65b0\u5f31\u9ede\u6e05\u55ae\u3002<\/p>\n<p>\u9019\u4e9b\u5f31\u9ede\u90fd\u9069\u7528\u65bc Microsoft SharePoint Enterprise Server 2016 \u548c 2019\u3002CVE-2025-49706 \u548c CVE-2025-53770 \u4e5f\u9069\u7528\u65bc Microsoft SharePoint Server Subscription Edition\u3002Microsoft \u5df2\u8072\u660e Microsoft 365 \u4e2d\u7684 SharePoint Online \u4e0d\u53d7\u5f71\u97ff\u3002<\/p>\n<p>\u76ee\u524d\uff0c\u6211\u5011\u6b63\u8207 Microsoft \u5b89\u5168\u6027\u56de\u61c9\u4e2d\u5fc3 (MSRC) \u5bc6\u5207\u5408\u4f5c\uff0c\u4ee5\u78ba\u4fdd\u5ba2\u6236\u7372\u5f97\u6700\u65b0\u8cc7\u8a0a\uff0c\u4e26\u7a4d\u6975\u901a\u77e5\u53d7\u5f71\u97ff\u7684\u5ba2\u6236\u53ca\u5176\u4ed6\u7d44\u7e54\u3002\u6b64\u60c5\u6cc1\u767c\u5c55\u8fc5\u901f\uff0c\u56e0\u6b64\u5efa\u8b70\u60a8\u7d93\u5e38\u67e5\u770b Microsoft \u7684\u5efa\u8b70\u3002<\/p>\n<p>\u6211\u5011\u5df2\u89c0\u5bdf\u5230\u9019\u4e9b SharePoint \u5f31\u9ede\u906d\u5230\u7a4d\u6975\u5229\u7528\u3002\u653b\u64ca\u8005\u7e5e\u904e\u8eab\u4efd\u63a7\u5236\uff0c\u5305\u62ec\u591a\u56e0\u7d20\u9a57\u8b49 (MFA) \u548c\u55ae\u4e00\u767b\u5165 (SSO)\uff0c\u4ee5\u7372\u5f97\u5b58\u53d6\u6b0a\u9650\u3002\u4e00\u65e6\u9032\u5165\uff0c\u4ed6\u5011\u5c31\u6703\u6ef2\u900f\u654f\u611f\u8cc7\u6599\u3001\u90e8\u7f72\u6301\u4e45\u6027\u5f8c\u9580\u548c\u7aca\u53d6\u52a0\u5bc6\u91d1\u9470\u3002<\/p>\n<p>\u653b\u64ca\u8005\u5229\u7528\u9019\u4e9b\u5f31\u9ede\u9032\u5165\u7cfb\u7d71\uff0c\u5728\u67d0\u4e9b\u60c5\u6cc1\u4e0b\u5df2\u7d93\u5efa\u7acb\u8d77\u81ea\u5df1\u7684\u64da\u9ede\u3002\u5982\u679c\u60a8\u7684\u5167\u90e8\u90e8\u7f72 SharePoint \u66b4\u9732\u65bc\u7db2\u969b\u7db2\u8def\u4e2d\uff0c\u60a8\u61c9\u8a72\u5047\u8a2d\u60a8\u5df2\u7d93\u53d7\u5230\u653b\u64ca\u3002\u55ae\u9760\u4fee\u88dc\u7a0b\u5f0f\u4e0d\u8db3\u4ee5\u5b8c\u5168\u89e3\u9664\u5a01\u8105\u3002<\/p>\n<p>\u6211\u5011\u4fc3\u4f7f\u6b63\u5728\u57f7\u884c\u6613\u53d7\u653b\u64ca\u7684\u5167\u90e8\u90e8\u7f72 SharePoint \u7684\u7d44\u7e54\u7acb\u5373\u63a1\u53d6\u4e0b\u5217\u884c\u52d5\uff1a<\/p>\n<ul>\n<li>\u7acb\u5373\u5957\u7528\u6240\u6709\u76f8\u95dc\u4fee\u88dc\u7a0b\u5f0f\uff0c\u4e26\u5728\u4fee\u88dc\u7a0b\u5f0f\u53ef\u7528\u6642\u7acb\u5373\u5957\u7528<\/li>\n<li>\u8f2a\u63db\u6240\u6709\u5bc6\u78bc\u8cc7\u6599<\/li>\n<li>\u806f\u7e6b\u5c08\u696d\u7684\u4e8b\u4ef6\u56de\u61c9\u5718\u968a<\/li>\n<\/ul>\n<p>Palo Alto Networks \u4e5f\u5efa\u8b70\u9075\u5faa Microsoft \u7684\u4fee\u88dc\u7a0b\u5f0f\u6216\u7de9\u89e3\u6307\u5f15\u3002<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49704\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a>\u3001<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49706\" target=\"_blank\" rel=\"noopener\">CVE-2025-49706<\/a>\u3001<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a> \u548c <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53771\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a>\u3002<\/p>\n<p><a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770 \u548c CVE-2025-53771 \u7684\u9644\u52a0\u6307\u5357<\/a>\u3002<\/p>\n<p>Palo Alto Networks \u5ba2\u6236\u53ef\u900f\u904e\u4ee5\u4e0b\u65b9\u5f0f\u66f4\u597d\u5730\u4fdd\u8b77\u514d\u53d7\u9019\u4e9b\u5f31\u9ede\u7684\u5f71\u97ff\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XPANSE\" target=\"_blank\" rel=\"noopener\">Cortex Xpanse<\/a> \u80fd\u5920\u8b58\u5225\u516c\u7528\u7db2\u969b\u7db2\u8def\u4e0a\u66b4\u9732\u7684 SharePoint \u88dd\u7f6e\uff0c\u4e26\u5c07\u9019\u4e9b\u767c\u73fe\u4e0a\u5831\u7d66\u9632\u79a6\u4eba\u54e1\u3002<\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> \u5177\u6709 1870-19884 (\u6216 1880-19902) \u5167\u5bb9\u7248\u672c\u7684 8.7 \u7248\u4ee3\u7406\u7a0b\u5f0f\u5c07\u5c01\u9396\u8207 CVE-2025-49704 \u548c CVE-2025-49706 \u9023\u9396\u653b\u64ca\u76f8\u95dc\u7684\u5df2\u77e5\u653b\u64ca\u6d3b\u52d5\uff0c\u4e26\u56de\u5831\u8207 CVE-2025-53770 \u548c CVE-2025-53771 \u9023\u9396\u653b\u64ca\u76f8\u95dc\u7684\u5df2\u77e5\u653b\u64ca\u6d3b\u52d5\u3002<\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XSOAR\" target=\"_blank\" rel=\"noopener\">Cortex <\/a> \u5df2\u767c\u5e03\u4e00\u500b\u8173\u672c\uff0c\u4f5c\u70ba\u5176 Cortex \u56de\u61c9\u8207\u4fee\u5fa9\u5957\u4ef6 (<a href=\"https:\/\/xsoar.pan.dev\/docs\/reference\/playbooks\/cve-2025-49704-and-cve-2025-49706-and-cve-2025-53770-and-cve-2025-53771---microsoft-share-point-tool-shell-vulnerability-chain\" target=\"_blank\" rel=\"noopener\">Cortex Response and Remediation Pack<\/a>) \u7684\u4e00\u90e8\u5206\u3002<\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-CLOUD\/Cortex-Cloud-Posture-Management-Release-Notes\/July-2025\" target=\"_blank\" rel=\"noopener\">Cortex Cloud<\/a> 1.2 \u7248\u53ef\u4ee5\u5075\u6e2c\u76f8\u95dc\u6f0f\u6d1e\u3001\u5c01\u9396\u8207 CVE-2025-49704 \u53ca CVE-2025-49706 \u653b\u64ca\u93c8\u76f8\u95dc\u7684\u5df2\u77e5\u60e1\u610f\u5229\u7528\u6d3b\u52d5\uff0c\u4e26\u56de\u5831\u8207 CVE-2025-53770 \u53ca CVE-2025-53771 \u653b\u64ca\u93c8\u76f8\u95dc\u7684\u5df2\u77e5\u60e1\u610f\u5229\u7528\u6d3b\u52d5\u3002<\/li>\n<li>\u300c\u9032\u968e URL \u904e\u6ffe\u300d(<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a>) \u8207\u300c\u9032\u968e DNS \u5b89\u5168\u6027\u300d(<a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a>) \u6703\u5c07\u8207\u6b64\u6d3b\u52d5\u76f8\u95dc\u7684\u5df2\u77e5 IP \u4f4d\u5740\u8b58\u5225\u70ba\u60e1\u610f\u3002<\/li>\n<li>\u642d\u8f09\u300c\u9032\u968e\u5a01\u8105\u9632\u79a6\u300d(<a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a>) \u5b89\u5168\u8a02\u95b1\u7684\u300c\u6b21\u4e16\u4ee3\u9632\u706b\u7246\u300d(<a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\">Next-Generation Firewall<\/a>)\uff0c\u53ef\u5354\u52a9\u5c01\u9396\u5c0d CVE-2025-49704\u3001CVE-2025-49706 \u53ca CVE-2025-53771 \u7684\u60e1\u610f\u5229\u7528\u3002<\/li>\n<li><a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\">Unit 42 \u4e8b\u4ef6\u56de\u61c9\u5718\u968a<\/a>\u4e5f\u53ef\u5354\u52a9\u8655\u7406\u5165\u4fb5\uff0c\u6216\u63d0\u4f9b\u4e3b\u52d5\u8a55\u4f30\u3002<\/li>\n<\/ul>\n<table style=\"width: 95.9098%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>\u8a0e\u8ad6\u7684\u5f31\u9ede<\/b><\/td>\n<td style=\"width: 224.484%;\"><span style=\"font-weight: 400;\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/tag\/cve-2025-49704-zh-hant\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/tag\/cve-2025-49706-zh-hant\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-49706<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/tag\/cve-2025-53770-zh-hant\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/tag\/cve-2025-53771-zh-hant\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a><\/span><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><a id=\"post-148484-_heading=h.6qt45k8fjwma\"><\/a>\u5f31\u9ede\u7684\u8a73\u7d30\u8cc7\u8a0a<\/h2>\n<p>CVE-2025-49704 \u548c CVE-2025-49706 \u662f\u5f71\u97ff Microsoft SharePoint \u7684\u4e00\u7d44\u91cd\u5927\u5f31\u9ede\uff0c\u5b83\u5141\u8a31\u672a\u7d93\u8eab\u4efd\u9a57\u8b49\u7684\u5a01\u8105\u884c\u70ba\u8005\u5b58\u53d6\u901a\u5e38\u53d7\u5230\u9650\u5236\u7684\u529f\u80fd\u3002\u7576\u9019\u4e9b\u6f0f\u6d1e\u88ab\u4e32\u9023\u5229\u7528\u6642\uff0c\u653b\u64ca\u8005\u4fbf\u80fd\u5728\u6613\u53d7\u653b\u64ca\u7684 Microsoft SharePoint \u5be6\u4f8b\u4e0a\u57f7\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n<p>\u76ee\u524d\u7684\u6d3b\u8e8d\u653b\u64ca\u6b63\u5229\u7528 CVE-2025-49706 \u7684\u4e00\u500b\u8b8a\u9ad4\uff0c\u9396\u5b9a\u672c\u5730\u90e8\u7f72 (on-premises) \u7684 SharePoint Server \u5ba2\u6236\u3002\u9019\u500b\u65b0\u7684\u8b8a\u9ad4\u5df2\u88ab\u6307\u6d3e\u70ba CVE-2025-53770\u3002\u6b64\u5916\uff0c\u5fae\u8edf\u9084\u5ba3\u5e03\u4e86\u7b2c\u56db\u500b SharePoint \u6f0f\u6d1e\uff0c\u7de8\u865f\u70ba CVE-2025-53771\u3002<\/p>\n<p>\u8b93\u9019\u4e9b\u6f0f\u6d1e\u7279\u5225\u4ee4\u4eba\u64d4\u6182\u7684\u662f\uff0cSharePoint \u8207\u5fae\u8edf\u5e73\u53f0\u6df1\u5ea6\u6574\u5408\uff0c\uff0c\u5982 Office\u3001Teams\u3001OneDrive \u548c Outlook\uff0c\u9019\u4e9b\u670d\u52d9\u4e2d\u5b58\u6709\u5c0d\u653b\u64ca\u8005\u6975\u5177\u50f9\u503c\u7684\u654f\u611f\u8cc7\u8a0a\u3002\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u4e00\u65e6\u767c\u751f\u5165\u4fb5\uff0c\u5371\u5bb3\u4e0d\u6703\u50c5\u9650\u65bc\u55ae\u4e00\u7cfb\u7d71\uff0c\u800c\u662f\u70ba\u6574\u500b\u7db2\u8def\u6253\u958b\u4e86\u9580\u6236\u3002<\/p>\n<h2><a id=\"post-148484-_heading=h.vtiufacmwz17\"><\/a>\u76ee\u524d\u5229\u7528 CVE-2025-49706\u3001CVE-2025-49704\u3001CVE-2025-53770 \u53ca CVE-2025-53771 \u7684\u653b\u64ca\u7bc4\u570d\u3002<\/h2>\n<h3><b>2025\u5e747\u670831\u65e5\u66f4\u65b0 \u2013 \u5229\u7528 ToolShell \u90e8\u7f72\u52d2\u7d22\u8edf\u9ad4<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">\u5c0d <\/span><b>ToolShell<\/b><span style=\"font-weight: 400;\"> \u6f0f\u6d1e\u5229\u7528\u7684\u8abf\u67e5\u63ed\u9732\u4e86 <\/span>4L4MD4R<span style=\"font-weight: 400;\"> \u52d2\u7d22\u8edf\u9ad4\u7684\u90e8\u7f72\uff0c\u8a72\u8edf\u9ad4\u70ba\u958b\u6e90 <\/span><a href=\"https:\/\/github.com\/mauri870\/ransomware\/tree\/master\" target=\"_blank\" rel=\"noopener\">Mauri870<\/a><span style=\"font-weight: 400;\"> \u52d2\u7d22\u8edf\u9ad4\u7684\u8b8a\u7a2e\u30022025\u5e747\u670827\u65e5\u4e00\u6b21\u5931\u6557\u7684\u6f0f\u6d1e\u5229\u7528\u5617\u8a66\u4e2d\uff0c\u7531\u65bc\u6d89\u53ca\u4e00\u689d\u7d93\u7de8\u78bc\u7684 PowerShell \u6307\u4ee4\uff0c\u6211\u5011\u767c\u73fe\u4e00\u500b\u65e8\u5728\u5f9e <\/span><span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-weight: 400;\">hxxps:\/\/ice.theinnovationfactory[.]it\/static\/4l4md4r.exe<\/span><span style=\"font-weight: 400;\"> (IP\u4f4d\u5740 <\/span><span style=\"font-weight: 400;\">145.239.97[.]206<\/span><\/span><span style=\"font-weight: 400;\">) \u4e0b\u8f09\u4e26\u57f7\u884c\u52d2\u7d22\u8edf\u9ad4\u7684\u8f09\u5165\u5668\u3002\u8a72 PowerShell \u6307\u4ee4\u8a66\u5716\u505c\u7528\u5373\u6642\u76e3\u63a7\u4e26\u7e5e\u904e\u6191\u8b49\u9a57\u8b49\u3002<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u5c0d <\/span>4L4MD4R \u916c\u8f09 (payload) \u7684\u5206\u6790\u986f\u793a\uff0c\u5b83\u7d93\u904e UPX \u52a0\u6bbc\uff0c\u4e26\u4ee5 GoLang<span style=\"font-weight: 400;\"> \u8a9e\u8a00\u7de8\u5beb\u3002\u57f7\u884c\u5f8c\uff0c\u8a72\u6a23\u672c\u6703\u5728\u8a18\u61b6\u9ad4\u4e2d\u89e3\u5bc6\u4e00\u500b\u7d93 <\/span>AES<b> \u52a0\u5bc6<\/b><span style=\"font-weight: 400;\">\u7684\u916c\u8f09\uff0c\u5206\u914d\u8a18\u61b6\u9ad4\u4ee5\u8f09\u5165\u89e3\u5bc6\u5f8c\u7684 PE \u6a94\u6848\uff0c\u4e26\u5efa\u7acb\u4e00\u500b\u65b0\u7684\u57f7\u884c\u7dd2\u4f86\u57f7\u884c\u5b83\u3002\u8a72\u52d2\u7d22\u8edf\u9ad4\u6703\u52a0\u5bc6\u6a94\u6848\u4e26\u8981\u6c42\u652f\u4ed8 <\/span>0.005 BTC<span style=\"font-weight: 400;\"> \u7684\u8d16\u91d1\uff0c\u540c\u6642\u63d0\u4f9b\u806f\u7d61\u96fb\u5b50\u90f5\u4ef6 (<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">m4_cruise@proton[.]me<\/span><span style=\"font-weight: 400;\">) \u548c\u4e00\u500b\u6bd4\u7279\u5e63\u9322\u5305\u5730\u5740 (<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">bc1qqxqe9vsvjmjqc566fgqsgnhlh87fckwegmtg6p<\/span><span style=\"font-weight: 400;\">) \u4ee5\u9032\u884c\u652f\u4ed8\u3002<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u6b64\u52d2\u7d22\u8edf\u9ad4\u6703\u5728\u684c\u9762\u4e0a\u751f\u6210\u5169\u500b\u6a94\u6848\uff1a<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">DECRYPTION_INSTRUCTIONS.html<\/span><span style=\"font-weight: 400;\"> (\u52d2\u7d22\u8a0a\u606f) \u548c <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ENCRYPTED_LIST.html<\/span><span style=\"font-weight: 400;\"> (\u5df2\u52a0\u5bc6\u6a94\u6848\u5217\u8868)\uff0c\u6b64\u884c\u70ba\u8207\u5728 <\/span>Mauri870<span style=\"font-weight: 400;\"> \u52d2\u7d22\u8edf\u9ad4\u539f\u59cb\u78bc\u4e2d\u6240\u89c0\u5bdf\u5230\u7684\u4e00\u81f4\u3002\u6b64\u5916\uff0c\u8a72\u6a23\u672c\u9084\u914d\u7f6e\u4e86\u4e00\u500b C2 \u4f3a\u670d\u5668 <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">bpp.theinnovationfactory[.]it:445<\/span><span style=\"font-weight: 400;\">\uff0c\u4e26\u900f\u904e POST \u8acb\u6c42\u767c\u9001\u52a0\u5bc6\u7684 JSON \u7269\u4ef6\u3002<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u5716 1a \u8207 1b \u5206\u5225\u70ba\u653b\u64ca\u8005\u7559\u4e0b\u7684\u52d2\u7d22\u8a0a\u606f\u53ca\u89e3\u5bc6\u8aaa\u660e\u3002<\/span><\/p>\n<figure id=\"attachment_148690\" aria-describedby=\"caption-attachment-148690\" style=\"width: 1555px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148690 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/2025-07-31-TTI-post-image-01.png\" alt=\"\u96fb\u8166\u87a2\u5e55\u4e0a\u986f\u793a\u7684\u8d16\u91d1\u689d\uff0c\u6587\u5b57\u8981\u6c42\u4ee5\u52a0\u5bc6\u8ca8\u5e63\u4ed8\u6b3e\u4ee5\u89e3\u5bc6\u6a94\u6848\uff0c\u4e26\u8b66\u544a\u4e0d\u8981\u806f\u7d61\u7576\u5c40\u6216\u7ac4\u6539\u8cc7\u6599\u3002\u5b57\u689d\u4e2d\u5305\u542b\u4ed8\u6b3e\u6307\u793a\uff0c\u4e26\u5a01\u8105\u82e5\u4e0d\u6eff\u8db3\u8981\u6c42\u5c31\u6703\u522a\u9664\u6a94\u6848\u3002\" width=\"1555\" height=\"958\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/2025-07-31-TTI-post-image-01.png 1555w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/2025-07-31-TTI-post-image-01-714x440.png 714w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/2025-07-31-TTI-post-image-01-1136x700.png 1136w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/2025-07-31-TTI-post-image-01-768x473.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/2025-07-31-TTI-post-image-01-1536x946.png 1536w\" sizes=\"(max-width: 1555px) 100vw, 1555px\" \/><figcaption id=\"caption-attachment-148690\" class=\"wp-caption-text\">\u5716 1a. 4L4MD4R \u7684\u8d16\u91d1\u689d\u3002<\/figcaption><\/figure>\n<figure id=\"attachment_148701\" aria-describedby=\"caption-attachment-148701\" style=\"width: 944px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148701 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/image-with-victim-ID-redacted.png\" alt=\"\u96fb\u8166\u87a2\u5e55\u622a\u5716\uff0c\u5728\u6587\u5b57\u7de8\u8f2f\u5668\u4e2d\u986f\u793a\u540d\u70ba\u300cDECRYPTION_INSTRUCTIONS.txt\u300d\u7684\u52d2\u7d22\u8edf\u9ad4\u8aaa\u660e\u3002\u8a72\u5099\u5fd8\u9304\u8981\u6c42\u4ee5 Bitcoin \u4ed8\u6b3e\u4f86\u89e3\u5bc6\u6a94\u6848\uff0c\u4e26\u63d0\u4f9b\u806f\u7d61\u8cc7\u8a0a\u3002\u70ba\u4e86\u4fdd\u8b77\u96b1\u79c1\uff0c\u90e8\u5206\u8cc7\u8a0a\u5df2\u522a\u9664\u3002\" width=\"944\" height=\"729\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/image-with-victim-ID-redacted.png 944w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/image-with-victim-ID-redacted-570x440.png 570w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/image-with-victim-ID-redacted-906x700.png 906w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/image-with-victim-ID-redacted-768x593.png 768w\" sizes=\"(max-width: 944px) 100vw, 944px\" \/><figcaption id=\"caption-attachment-148701\" class=\"wp-caption-text\">\u5716 1b. \u89e3\u5bc6\u6307\u4ee4\u3002<\/figcaption><\/figure>\n<h3><a id=\"post-148484-_heading=h.k205mvbj5zsm\"><\/a><strong>2025 \u5e74 7 \u6708 29 \u65e5\u66f4\u65b0<\/strong><\/h3>\n<p>Unit 42 \u5f9e\u5167\u90e8\u9059\u6e2c\u4f86\u6e90\u6536\u96c6\u4e26\u5206\u6790\u4e86\u8207 CVE-2025-53770 \u6f0f\u6d1e\u5229\u7528\u5617\u8a66\u76f8\u95dc\u7684\u6d3b\u52d5\u3002\u6211\u5011\u6700\u65e9\u65bc 2025 \u5e74 7 \u6708 17 \u65e5\u4e16\u754c\u5354\u8abf\u6642\u9593 (UTC) 08:40 \u9996\u6b21\u89c0\u5bdf\u5230 CVE-2025-53770 \u7684\u6f0f\u6d1e\u5229\u7528\u6d3b\u52d5\uff0c\u8a72\u6d3b\u52d5\u6301\u7e8c\u81f3 2025 \u5e74 7 \u6708 22 \u65e5\uff0c\u4f86\u6e90\u65bc\u6211\u5011\u5728\u540d\u70ba CL-CRI-1040 \u7684\u4e2d\u6240\u8ffd\u8e64\u7684 IP \u4f4d\u5740\u3002\u5f9e 2025 \u5e74 7 \u6708 17 \u65e5 UTC 06:58 \u958b\u59cb\uff0c\u6211\u5011\u89c0\u5bdf\u5230\u8207 CL-CRI-1040 \u76f8\u95dc\u7684 IP \u4f4d\u5740\u5728\u767c\u52d5\u6f0f\u6d1e\u5229\u7528\u653b\u64ca\u524d\uff0c\u5148\u5c0d SharePoint \u4f3a\u670d\u5668\u9032\u884c\u6e2c\u8a66\uff0c\u4ee5\u78ba\u8a8d\u5176\u662f\u5426\u5b58\u5728\u6f0f\u6d1e\u3002\u6b64\u5916\uff0c\u6211\u5011\u5728\u6f0f\u6d1e\u5229\u7528\u5617\u8a66\u4e2d\u6ce8\u610f\u5230\u4e00\u7a2e\u6a21\u5f0f\uff0c\u8868\u660e\u653b\u64ca\u8005\u6b63\u5728\u4f7f\u7528\u4e00\u4efd\u975c\u614b\u7684 SharePoint \u4f3a\u670d\u5668\u653b\u64ca\u76ee\u6a19\u6e05\u55ae\u3002<\/p>\n<p>\u8207\u6b64\u6d3b\u52d5\u76f8\u95dc\u7684\u653b\u64ca\u8005\u4f3c\u4e4e\u5728\u9019\u6bb5\u77ed\u6642\u9593\u5167\u8abf\u6574\u4e86\u5176\u6230\u8853\u8207\u6280\u8853 (tactics and techniques)\uff0c\u900f\u904e\u5feb\u901f\u66f4\u63db\u57fa\u790e\u8a2d\u65bd\u548c\u916c\u8f09 (payloads)\uff0c\u8a66\u5716\u898f\u907f\u5075\u6e2c\u3002\u9019\u4e9b\u653b\u64ca\u8005\u5728\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u5f8c\uff0c\u5c07\u5176\u916c\u8f09\u5f9e .NET \u6a21\u7d44\u8f49\u8b8a\u70ba\u529f\u80fd\u76f8\u4f3c\u7684 Web Shell\u3002\u5728\u516c\u958b\u90e8\u843d\u683c\u8a0e\u8ad6\u4e86\u9019\u4e9b Web Shell \u4e4b\u5f8c\uff0c\u6211\u5011\u89c0\u5bdf\u5230\u653b\u64ca\u8005\u53c8\u6062\u5fa9\u4f7f\u7528\u5148\u524d\u898b\u904e\u7684 .NET \u6a21\u7d44\u4f5c\u70ba\u916c\u8f09\u3002<\/p>\n<p>\u5f9e\u6b78\u56e0 (attribution) \u7684\u89d2\u5ea6\u4f86\u770b\uff0c\u4f5c\u70ba CL-CRI-1040 \u4e00\u90e8\u5206\u5229\u7528 CVE-2025-53770 \u7684\u5176\u4e2d\u4e00\u500b IP \u4f4d\u5740\uff0c\u8207\u5fae\u8edf (<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>) \u6240\u8a0e\u8ad6\u7684 Storm-2603 \u6709\u6240\u91cd\u758a\u3002\u6211\u5011\u76ee\u524d\u6b63\u5728\u7814\u7a76\u6b64\u53e2\u96c6\uff0c\u4ee5\u9032\u4e00\u6b65\u4e86\u89e3\u76f8\u95dc\u7684\u653b\u64ca\u8005\u3002<\/p>\n<h3><strong>\u521d\u6b65\u5075\u5bdf<\/strong><\/h3>\n<p>\u5728\u5617\u8a66\u5229\u7528 CVE-2025-53770 \u4e4b\u524d\uff0c\u5a01\u8105\u884c\u70ba\u8005\u4f3c\u4e4e\u9032\u884c\u4e86\u521d\u6b65\u7684\u5075\u5bdf\u968e\u6bb5\uff0c\u4ee5\u78ba\u8a8d\u9060\u7aef\u4f3a\u670d\u5668\u662f\u5426\u904b\u884c\u4e86\u5177\u5099\u6f0f\u6d1e\u7684 SharePoint \u7248\u672c\u3002\u5f9e 2025 \u5e74 7 \u6708 17 \u65e5 UTC 06:58 \u958b\u59cb\uff0c\u6211\u5011\u89c0\u5bdf\u5230\u4f86\u81ea\u4ee5\u4e0b IP \u4f4d\u5740\u7684 HTTP GET \u8acb\u6c42\uff0c\u5176\u8acb\u6c42\u8def\u5f91\u70ba <span style=\"font-family: 'courier new', courier, monospace;\">\/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit&amp;a=\/ToolPane.asp<\/span>x\uff0cUser-Agent \u70ba <span style=\"font-family: 'courier new', courier, monospace;\">python-requests\/2.32.3<\/span>\uff0c\u4e14\u6c92\u6709 referrer \u6b04\u4f4d\uff1a<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">45.86.231[.]241<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">51.161.152[.]26<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">91.236.230[.]76<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">92.222.167[.]88<\/span><\/li>\n<\/ul>\n<p>\u6839\u64da Cortex Xpanse \u7684\u9059\u6e2c\u6578\u64da\uff0c\u6240\u6709\u9019\u4e9b IP \u4f4d\u5740\u90fd\u662f\u8207 <a href=\"https:\/\/safing.io\/spn\/\" target=\"_blank\" rel=\"noopener\">Safing Privacy Network (SPN)<\/a> \u76f8\u95dc\u7684<strong>\u51fa\u53e3\u7bc0\u9ede<\/strong>\u3002\u6211\u5011\u8a8d\u70ba\uff0c\u653b\u64ca\u8005\u8a66\u5716\u900f\u904e SPN \u5f9e\u4e00\u500b\u6e2c\u8a66\u8173\u672c\u767c\u9001\u9019\u4e9b HTTP GET \u8acb\u6c42\uff0c\u4ee5\u4fbf\u5728\u767c\u52d5\u653b\u64ca\u524d\u6aa2\u67e5\u5176\u76ee\u6a19\u6e05\u55ae\uff0c\u5f9e\u800c\u96b1\u85cf\u81ea\u8eab\u4f4d\u7f6e\u3002\u6211\u5011\u4e4b\u6240\u4ee5\u8a8d\u70ba\u653b\u64ca\u8005\u4f7f\u7528\u4e86\u76ee\u6a19\u6e05\u55ae\uff0c\u662f\u56e0\u70ba\u4f86\u81ea\u5075\u5bdf\u968e\u6bb5\u7684 HTTP GET \u8acb\u6c42\uff0c\u8207\u5f8c\u7e8c\u4f86\u81ea\u4ee5\u4e0b IP \u4f4d\u5740\u7684\u6f0f\u6d1e\u5229\u7528 HTTP POST \u8acb\u6c42\uff0c\u5176\u91dd\u5c0d\u76ee\u6a19\u7684\u9806\u5e8f\u5b8c\u5168\u76f8\u540c\uff1a<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">96.9.125[.]147<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">107.191.58[.]76<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">104.238.159[.]149<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-148484-_heading=h.ey1d756ne6be\"><\/a><strong>\u6295\u653e\u7684\u916c\u8f09<\/strong><\/h3>\n<p>\u5982\u524d\u6240\u8ff0\uff0c\u4ee5\u4e0b IP \u4f4d\u5740\u7686\u8207 CL-CRI-1040 \u76f8\u95dc\uff0c\u5118\u7ba1\u5b83\u5011\u5728\u6210\u529f\u5229\u7528 CVE-2025-53770 \u5f8c\u6295\u653e\u4e86\u4e0d\u540c\u7684\u916c\u8f09\uff1a<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">96.9.125[.]147<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">107.191.58[.]76<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">104.238.159[.]149<\/span><\/li>\n<\/ul>\n<p>\u9059\u6e2c\u6578\u64da\u8b49\u5be6\uff0c<span style=\"font-family: 'courier new', courier, monospace;\">96.9.125[.]147<\/span> \u65bc 7 \u6708 17 \u65e5 UTC 08:58 \u767c\u8d77\u4e86 SharePoint \u6f0f\u6d1e\u5229\u7528\u653b\u64ca\uff0c\u4e26\u6295\u653e\u4e00\u500b\u540d\u70ba <a href=\"https:\/\/www.virustotal.com\/gui\/file\/4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030\" target=\"_blank\" rel=\"noopener\"><span style=\"font-family: 'courier new', courier, monospace;\">qlj22mpc<\/span><\/a> \u7684\u5ba2\u88fd\u5316 .NET \u7d44\u4ef6\u6a21\u7d44\u4f5c\u70ba\u916c\u8f09\u3002\u6b21\u65e5\uff087 \u6708 18 \u65e5\uff09\uff0c\u8a72 IP \u4f4d\u5740\u6295\u653e\u4e86\u4e00\u500b\u540d\u70ba <span style=\"font-family: 'courier new', courier, monospace;\">bjcloiyq<\/span> \u7684\u65b0\u916c\u8f09\u3002\u9019\u5169\u500b .NET \u6a21\u7d44\u90fd\u6703\u5f9e SharePoint \u4f3a\u670d\u5668\u7aca\u53d6\u52a0\u5bc6\u7684 <span style=\"font-family: 'courier new', courier, monospace;\">MachineKeys<\/span>\uff0c\u4e26\u5c07\u5176\u4ee5\u7ba1\u9053\u7b26\u865f\uff08\u300c<span style=\"font-family: 'courier new', courier, monospace;\">|<\/span>\u300d\uff09\u5206\u9694\u7684\u5b57\u4e32\u5f62\u5f0f\u5305\u542b\u5728 HTTP \u56de\u61c9\u4e2d\uff0c\u653b\u64ca\u8005\u53ef\u5229\u7528\u9019\u4e9b\u91d1\u9470\u65bc\u672a\u4f86\u5b58\u53d6\u8a72\u4f3a\u670d\u5668\u3002<\/p>\n<p>\u5728 7 \u6708 18 \u65e5\u548c 19 \u65e5\uff0cCL-CRI-1040 \u53e2\u96c6\u7684 IP \u4f4d\u5740 <span style=\"font-family: 'courier new', courier, monospace;\">107.191.58[.]76<\/span> \u548c <span style=\"font-family: 'courier new', courier, monospace;\">104.238.159[.]149<\/span> \u5728\u6210\u529f\u5229\u7528 CVE-2025-53770 \u5f8c\u6295\u653e\u4e86\u4e00\u7a2e\u5168\u65b0\u7684\u916c\u8f09\u3002\u9019\u4e9b IP \u4f4d\u5740\u4e26\u975e\u904b\u884c .NET \u6a21\u7d44\uff0c\u800c\u662f\u6295\u653e\u4e86\u4e00\u500b\u916c\u8f09\uff0c\u8a72\u916c\u8f09\u6703\u904b\u884c\u4e00\u500b\u7de8\u78bc\u7684 PowerShell \u547d\u4ee4\uff08\u8a73\u898b\u8b8a\u9ad4 2 \u548c\u8b8a\u9ad4 3 \u90e8\u5206\u7684\u8a0e\u8ad6\uff09\uff0c\u5c07\u4e00\u500b web shell \u5132\u5b58\u70ba <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/www.virustotal.com\/gui\/file\/92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\" target=\"_blank\" rel=\"noopener\">spinstall0.aspx<\/a>\u3002<\/span><\/p>\n<p>\u6b64 web shell \u7684\u7528\u9014\u540c\u6a23\u662f\u7aca\u53d6 SharePoint \u4f3a\u670d\u5668\u7684\u52a0\u5bc6 MachineKeys\u3002\u7576\u5b58\u53d6 <span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span> \u6642\uff0c\u5b83\u6703\u4ee5\u7ba1\u9053\u7b26\u865f\uff08\u300c<span style=\"font-family: 'courier new', courier, monospace;\">|<\/span>\u300d\uff09\u5206\u9694\u7684\u5b57\u4e32\u5f62\u5f0f\u56de\u50b3\u91d1\u9470\uff0c\u5176\u56de\u61c9\u7684 <span style=\"font-family: 'courier new', courier, monospace;\">MachineKeys<\/span> \u6b04\u4f4d\u8207\u9806\u5e8f\u548c\u524d\u8ff0\u7684 .NET \u6a21\u7d44\u5b8c\u5168\u76f8\u540c\u3002<\/p>\n<p>\u5229\u7528 CVE-2025-53770 \u7684 CL-CRI-1040 \u76f8\u95dc\u653b\u64ca\u8005\uff0c\u5c55\u73fe\u51fa\u5728\u884c\u52d5\u4e2d\u8abf\u6574\u5176\u6230\u8853\u8207\u6280\u8853\u7684\u80fd\u529b\u3002\u4ed6\u5011\u5148\u662f\u5c07\u916c\u8f09\u5f9e .NET \u6a21\u7d44\u8f49\u70ba\u529f\u80fd\u76f8\u4f3c\u7684 web shell\uff0c\u7136\u5f8c\u5728 Web Shell \u88ab\u516c\u958b\u90e8\u843d\u683c\uff08\u4f8b\u5982 <a href=\"https:\/\/research.eye.security\/sharepoint-under-siege\/\" target=\"_blank\" rel=\"noopener\">Eye Security<\/a> \u95dc\u65bc CVE-2025-53770 \u6f0f\u6d1e\u5229\u7528\u7684\u7814\u7a76\u90e8\u843d\u683c\uff09\u63ed\u9732\u5f8c\uff0c\u53c8\u6062\u5fa9\u4f7f\u7528 .NET \u6a21\u7d44\u4f5c\u70ba\u916c\u8f09\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.gvl6pjj4zav8\"><\/a><strong>\u653b\u64ca\u76ee\u6a19\u6e05\u55ae<\/strong><\/h3>\n<p>\u6211\u5011\u6ce8\u610f\u5230\u4e00\u500b\u653b\u64ca\u6a21\u5f0f\uff0c\u8868\u660e\u653b\u64ca\u8005\u63a1\u7528\u4e86\u4e00\u4efd\u76ee\u6a19\u6e05\u55ae\u3002\u6211\u5011\u6309\u6642\u9593\u9806\u5e8f\u6392\u5217\u5176\u6d3b\u52d5\uff0c\u4e26\u5c0d\u56db\u500b\u4e0d\u540c\u76ee\u6a19\u7684\u6d3b\u52d5\u9032\u884c\u4e86\u62bd\u6a23\u5206\u6790\u3002\u70ba\u4fdd\u8b77\u53d7\u5f71\u97ff\u7684\u7d44\u7e54\uff0c\u6211\u5011\u5c07\u9019\u4e9b\u76ee\u6a19\u7a31\u70ba IPv4 1\u3001IPv4 2\u3001IPv4 3 \u548c Domain 1\u3002<\/p>\n<p>\u9996\u5148\uff0c\u6211\u5011\u89c0\u5bdf\u5230 <span style=\"font-family: 'courier new', courier, monospace;\">91.236.230[.]76<\/span> \u6309\u7167\u4ee5\u4e0b\u9806\u5e8f\u767c\u9001\u4e86\u5c0d <span style=\"font-family: 'courier new', courier, monospace;\">\/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit&amp;a=\/ToolPane.aspx<\/span> \u7684 HTTP GET \u8acb\u6c42\uff1a<\/p>\n<ul>\n<li>IPv4 1 \u2013 2025 \u5e74 7 \u6708 17 \u65e5, 07:29 UTC<\/li>\n<li>IPv4 2 \u2013 2025 \u5e74 7 \u6708 17 \u65e5, 07:32 UTC<\/li>\n<li>IPv4 3 \u2013 2025 \u5e74 7 \u6708 17 \u65e5, 07:33 UTC<\/li>\n<li>Domain 1 \u2013 2025 \u5e74 7 \u6708 17 \u65e5, 07:52 UTC<\/li>\n<\/ul>\n<p>\u63a5\u8457\uff0c\u6211\u5011\u89c0\u5bdf\u5230 <span style=\"font-family: 'courier new', courier, monospace;\">96.9.125[.]147<\/span> \u9019\u500b IP \u4f4d\u5740\u5728\u5617\u8a66\u5229\u7528 SharePoint \u6f0f\u6d1e\u6642\uff0c\u5c0d\u76f8\u540c\u7684\u76ee\u6a19\u5225\u540d\uff0c\u6309\u7167<strong>\u5b8c\u5168\u76f8\u540c\u7684\u9806\u5e8f<\/strong>\u767c\u9001\u4e86\u5c0d <span style=\"font-family: 'courier new', courier, monospace;\">\/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit&amp;a=\/ToolPane.aspx<\/span> \u7684 HTTP POST \u8acb\u6c42\uff0c\u5176 referer \u70ba <span style=\"font-family: 'courier new', courier, monospace;\">\/_layouts\/SignOut.aspx<\/span>\uff1a<\/p>\n<ul>\n<li>IPv4 1 - 2025 \u5e74 7 \u6708 17 \u65e5, 09:31 UTC<\/li>\n<li>IPv4 2 - 2025 \u5e74 7 \u6708 17 \u65e5, 09:36 UTC<\/li>\n<li>IPv4 3 - 2025 \u5e74 7 \u6708 17 \u65e5, 09:37 UTC<\/li>\n<li>Domain 1 - 2025 \u5e74 7 \u6708 17 \u65e5, 10:17 UTC<\/li>\n<\/ul>\n<p>\u6b21\u65e5\uff0c\u4e5f\u5c31\u662f 2025 \u5e74 7 \u6708 18 \u65e5\uff0c\u6211\u5011\u770b\u5230 <span style=\"font-family: 'courier new', courier, monospace;\">107.191.58[.]76<\/span> \u767c\u9001\u4e86\u5c0d <span style=\"font-family: 'courier new', courier, monospace;\">\/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit&amp;a=\/ToolPane.aspx<\/span> \u7684 HTTP POST \u8acb\u6c42\uff0c\u96a8\u5f8c\u662f\u5c0d <span style=\"font-family: 'courier new', courier, monospace;\">\/_layouts\/15\/spinstall0.aspx<\/span> \u7684 HTTP GET \u8acb\u6c42\uff0c\u5176\u9806\u5e8f\u4f9d\u7136\u76f8\u540c\uff1a<\/p>\n<ul>\n<li>IPv4 1 - 2025 \u5e74 7 \u6708 18 \u65e5, 14:01 UTC<\/li>\n<li>IPv4 2 - 2025 \u5e74 7 \u6708 18 \u65e5, 14:05 UTC<\/li>\n<li>IPv4 3 - 2025 \u5e74 7 \u6708 18 \u65e5, 14:07 UTC<\/li>\n<li>Domain 1 - 2025 \u5e74 7 \u6708 18 \u65e5, 15:01 UTC<\/li>\n<\/ul>\n<p>\u6700\u5f8c\uff0c\u5728\u9694\u5929\uff082025 \u5e74 7 \u6708 19 \u65e5\uff09\uff0c\u6211\u5011\u770b\u5230\u4f86\u81ea <span style=\"font-family: 'courier new', courier, monospace;\">104.238.159[.]149<\/span> \u7684 HTTP POST \u548c GET \u8acb\u6c42\u6d3b\u52d5\uff0c\u8207 <span style=\"font-family: 'courier new', courier, monospace;\">107.191.58[.]76<\/span> \u7684\u6a21\u5f0f\u5982\u51fa\u4e00\u8f4d\uff1a<\/p>\n<ul>\n<li>IPv4 1 - 2025 \u5e74 7 \u6708 19 \u65e5, 03:43 UTC<\/li>\n<li>IPv4 2 - 2025 \u5e74 7 \u6708 19 \u65e5, 03:48 UTC<\/li>\n<li>IPv4 3 - 2025 \u5e74 7 \u6708 19 \u65e5, 03:49 UTC<\/li>\n<li>Domain 1 - 2025 \u5e74 7 \u6708 19 \u65e5, 04:41 UTC<\/li>\n<\/ul>\n<p>\u4e0a\u8ff0\u6a21\u5f0f\u986f\u793a\uff0c\u5f9e\u6700\u521d\u7684\u6e2c\u8a66\u8acb\u6c42\u5230\u5f8c\u7e8c\u7684\u4e09\u7d44\u6f0f\u6d1e\u5229\u7528\u8acb\u6c42\uff0c\u5176\u653b\u64ca\u76ee\u6a19\u7684\u9806\u5e8f\u7686\u76f8\u540c\uff0c\u4e14\u5404\u500b\u4e8b\u4ef6\u4e4b\u9593\u7684\u6642\u9593\u9593\u9694\u4e5f\u76f8\u4f3c\u3002<\/p>\n<h3><strong>\u6b78\u56e0\u5206\u6790<\/strong><\/h3>\n<p>\u5728\u5229\u7528 CVE-2025-53770 \u7684\u6d3b\u52d5\u4e2d\u89c0\u5bdf\u5230\u7684 CL-CRI-1040 IP \u4f4d\u5740 <span style=\"font-family: 'courier new', courier, monospace;\">104.238.159[.]149<\/span>\uff0c\u540c\u6642\u4e5f\u88ab<strong>\u5fae\u8edf\u6b78\u56e0\u65bc\u5176\u540d\u70ba <\/strong>Storm-2603 <strong>\u7684\u7fa4\u9ad4<\/strong>\u3002\u5fae\u8edf\u9084\u63d0\u5230\uff0cStorm-2603 \u6295\u653e\u4e86\u4e00\u500b\u540d\u70ba <span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span> \u7684 Web Shell\uff0c\u5176 SHA256 \u96dc\u6e4a\u503c\u70ba <span style=\"font-family: 'courier new', courier, monospace;\">92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514<\/span>\uff0c\u9019\u8207\u6211\u5011\u89c0\u5bdf\u5230\u7684 104.238.159[.]149 \u76f8\u95dc\u6d3b\u52d5<strong>\u5b8c\u5168\u543b\u5408<\/strong>\u3002<\/p>\n<p>\u6211\u5011\u62b1\u6301<strong>\u4e2d\u5ea6\u4fe1\u5fc3<\/strong>\u8a55\u4f30 CL-CRI-1040 \u8207 Storm-2603 \u6709\u6240\u91cd\u758a\uff0c\u4e26\u5c07\u7e7c\u7e8c\u5206\u6790\u8207 CL-CRI-1040 \u76f8\u95dc\u7684\u6d3b\u52d5\uff0c\u4ee5\u66f4\u6df1\u5165\u5730\u4e86\u89e3\u6b64\u53e2\u96c6\u3002<\/p>\n<p>Unit 42 \u4ee5\u53ca\u5305\u62ec Microsoft \u5728\u5167\u7684\u5176\u4ed6\u7d44\u7e54\u5df2\u89c0\u5bdf\u5230\u9019\u4e9b\u5f31\u9ede\u88ab\u5ee3\u6cdb\u5730\u5229\u7528\u3002<\/p>\n<p>\u6211\u5011\u7684\u9059\u6e2c\u6578\u64da\u986f\u793a\uff0cSharePoint ToolShell \u653b\u64ca\u6d3b\u52d5\u6709\u8457\u6e05\u6670\u7684\u6f14\u8b8a\uff0c\u4e26\u5206\u70ba\u5169\u500b\u4e0d\u540c\u7684\u968e\u6bb5\uff1a<\/p>\n<ul>\n<li>\u6982\u5ff5\u9a57\u8b49\u524d (pre-PoC) \u968e\u6bb5<\/li>\n<li>\u5ee3\u6cdb\u7684\u6982\u5ff5\u9a57\u8b49\u5f8c (post-PoC) \u968e\u6bb5<\/li>\n<\/ul>\n<p>\u6211\u5011\u6839\u64da\u7aef\u9ede\u9059\u6e2c\u6578\u64da\u7e6a\u88fd\u4e86\u6d3b\u52d5\u91cf\u5716\uff08\u5982\u5716 1 \u6240\u793a\uff09\uff0c\u5448\u73fe\u51fa\u96a8\u6642\u9593\u89c0\u5bdf\u5230\u7684\u6a21\u5f0f\u3002<\/p>\n<figure id=\"attachment_148485\" aria-describedby=\"caption-attachment-148485\" style=\"width: 1475px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148485 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-774537-148484-1.png\" alt=\"\u6a19\u984c\u70ba\u300c\u6d3b\u52d5\u91cf\u96a8\u6642\u9593\u8b8a\u5316\u300d\u7684\u67f1\u72c0\u5716\uff0c\u986f\u793a\u4e0d\u540c\u65e5\u671f\u7684\u6d3b\u52d5\u91cf\u6ce2\u52d5\u3002Y \u8ef8\u986f\u793a\u6d3b\u52d5\u91cf\uff0cX \u8ef8\u986f\u793a\u65e5\u671f\u7bc4\u570d\uff0c\u5f9e 2025 \u5e74 7 \u6708 17 \u65e5\u5230 2025 \u5e74 7 \u6708 24 \u65e5\u3002\" width=\"1475\" height=\"783\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-774537-148484-1.png 1475w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-774537-148484-1-786x417.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-774537-148484-1-1319x700.png 1319w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-774537-148484-1-768x408.png 768w\" sizes=\"(max-width: 1475px) 100vw, 1475px\" \/><figcaption id=\"caption-attachment-148485\" class=\"wp-caption-text\">\u5716 2. \u57fa\u65bc\u7aef\u9ede\u9059\u6e2c\u7684\u6d3b\u52d5\u91cf\u96a8\u6642\u9593\u8b8a\u5316\u3002<\/figcaption><\/figure>\n<h3>\u6d3b\u52d5\u6642\u9593\u8ef8<\/h3>\n<ul>\n<li>2025 \u5e74 5 \u6708 17 \u65e5\uff1a<a href=\"https:\/\/cybersecuritynews.com\/pwn2own-0-day-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">\u7db2\u8def\u5b89\u5168\u65b0\u805e<\/a>\u5831\u5c0e\uff0c\u5728 Pwn2Own Berlin \u4e0a\uff0cViettel Cyber Security \u7684 Dinh Ho Anh Khoa (@_l0gg) \u5c07 SharePoint \u4e2d\u7684\u5169\u500b\u5f31\u9ede\u4e32\u9023\u8d77\u4f86\uff0c\u4ee5\u53d6\u5f97\u672a\u7d93\u6388\u6b0a\u7684\u5b58\u53d6\u6b0a\u3002\u9019\u4e9b\u5c07\u6210\u70ba CVE-2025-49704 \u548c CVE-2025-49706\u3002@l0gg \u5f8c\u4f86\u5c07\u9019\u500b\u653b\u64ca\u93c8\u547d\u540d\u70ba \u300cToolShell\u300d\u3002<\/li>\n<li>2025 \u5e74 7 \u6708 8 \u65e5\uff1aMicrosoft \u767c\u4f48\u4e86 CVE-2025-49704 \u548c CVE-2025-49706\u3002\u5728\u767c\u5e03\u6642\uff0c\u5fae\u8edf\u8868\u793a\u5c1a\u672a\u89c0\u5bdf\u5230\u76f8\u95dc\u7684\u5229\u7528\u6d3b\u52d5\u3002<\/li>\n<li>2025 \u5e74 7 \u6708 14 \u65e5\uff1a\u5728 CVE \u7d00\u9304\u767c\u5e03\u5f8c\u4e0d\u5230\u4e00\u9031\uff0c<a href=\"https:\/\/www.google.com\/search?q=https:\/\/www.code-white.com\/blog\/reproducing-the-sharepoint-rce\/\" target=\"_blank\" rel=\"noopener\">Code White GmbH \u7684\u653b\u64ca\u6027\u5b89\u5168\u5718\u968a\u5c55\u793a<\/a>\u4e86\u4ed6\u5011\u53ef\u4ee5\u91cd\u73fe\u4e00\u500b\u8207\u9019\u4e9b SharePoint \u6f0f\u6d1e\u76f8\u95dc\u7684\u3001\u7121\u9700\u8eab\u4efd\u9a57\u8b49\u7684\u6f0f\u6d1e\u5229\u7528\u93c8\u3002<\/li>\n<li>2025 \u5e74 7 \u6708 19 \u65e5\uff1a\u5fae\u8edf\u767c\u5e03\u4e86\u95dc\u65bc CVE-2025-53770 \u548c CVE-2025-53771 \u7684\u8cc7\u8a0a\u3002\u5728\u767c\u5e03\u6642\uff0c\u5229\u7528\u6d3b\u52d5\u5df2\u7d93\u88ab\u89c0\u6e2c\u5230\uff0c\u4e14\u5fae\u8edf\u6307\u51fa CVE-2025-53770 \u662f CVE-2025-49706 \u7684\u4e00\u500b\u8b8a\u9ad4\u3002<\/li>\n<li>\u622a\u81f3 2025 \u5e74 7 \u6708 21 \u65e5\uff0c\u5df2\u6709\u591a\u500b\u6982\u5ff5\u9a57\u8b49\u5f35\u8cbc\u5728 GitHub \u4e0a\u3002<\/li>\n<\/ul>\n<p>\u65e9\u5728 7 \u6708 17 \u65e5\uff0cUnit 42 \u7ba1\u7406\u5a01\u8105\u641c\u88dc\u5c0f\u7d44\u5c31\u8b58\u5225\u51fa\u4e09\u7a2e\u4e0d\u540c\u7684\u5229\u7528\u6d3b\u52d5\u8b8a\u7a2e\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.u1ah0tla02tw\"><\/a>\u8b8a\u7a2e 1<\/h3>\n<p>\u5728\u9019\u500b\u8b8a\u9ad4\u4e2d\uff0c\u6211\u5011\u89c0\u5bdf\u5230\u53eb\u7528 PowerShell \u547d\u4ee4\u7684\u547d\u4ee4 shell \u57f7\u884c\u3002\u5b83\u5617\u8a66\u904d\u6b77\u7aef\u9ede\u4e0a\u7684 web.config \u6a94\u6848\uff0c\u4e26\u5c07\u9019\u4e9b\u6a94\u6848\u7684\u5167\u5bb9\u5132\u5b58\u5230\u4e00\u500b\u540d\u70ba debug_dev.js \u7684\u6a94\u6848\u4e2d\u3002<\/p>\n<p>\u5716 3 \u986f\u793a\u89c0\u5bdf\u5230\u7684\u547d\u4ee4\u3002<\/p>\n<figure id=\"attachment_148496\" aria-describedby=\"caption-attachment-148496\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148496 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-777066-148484-2.png\" alt=\"\u5728\u6587\u5b57\u7de8\u8f2f\u5668\u4e2d\u986f\u793a\u7a0b\u5f0f\u78bc\u7684\u622a\u5716\uff0c\u6d89\u53ca\u8def\u5f91\u548c\u64f4\u5145\u6a94\u3002\" width=\"1000\" height=\"407\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-777066-148484-2.png 1464w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-777066-148484-2-786x320.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-777066-148484-2-768x313.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-148496\" class=\"wp-caption-text\">\u5716 3.\u5728\u4e3b\u52d5\u5229\u7528 SharePoint \u5f31\u9ede\u6642\u770b\u5230\u7684\u547d\u4ee4\u3002<\/figcaption><\/figure>\n<p>\u5716 3 \u6240\u793a\u7684\u547d\u4ee4\u6703\u57f7\u884c\u4e0b\u5217\u52d5\u4f5c\uff1a<\/p>\n<ul>\n<li>\u8a2d\u5b9a\u8981\u904d\u6b77<span style=\"font-family: 'courier new', courier, monospace;\"> web.config<\/span> \u6a94\u6848\u7684<strong>\u4f86\u6e90\u76ee\u9304<\/strong>\u3002<\/li>\n<li>\u5efa\u7acb\u4e00\u500b\u540d\u70ba <span style=\"font-family: 'courier new', courier, monospace;\">debug_dev.js<\/span> \u7684<strong>\u7a7a\u6a94\u6848<\/strong>\u3002<\/li>\n<li><strong>\u904d\u6b77<\/strong>\u4f86\u6e90\u76ee\u9304\u4ee5\u5c0b\u627e <span style=\"font-family: 'courier new', courier, monospace;\">web.config<\/span> \u6a94\u6848\u3002<\/li>\n<li>\u5982\u679c <span style=\"font-family: 'courier new', courier, monospace;\">web.config<\/span> \u6a94\u6848\u5b58\u5728\uff0c\u4fbf\u5c07\u5176\u8cc7\u6599<strong>\u9644\u52a0<\/strong>\u5230<span style=\"font-family: 'courier new', courier, monospace;\"> debug_dev.js<\/span> \u4e2d\u3002<\/li>\n<\/ul>\n<h3><a id=\"post-148484-_heading=h.otpk4knsaxjf\"><\/a>\u8b8a\u7a2e2<\/h3>\n<p>\u5728\u53e6\u4e00\u500b\u8b8a\u9ad4\u4e2d\uff0c\u6211\u5011\u89c0\u5bdf\u5230 IIS Process Worker (<span style=\"font-family: 'courier new', courier, monospace;\">w3wp.exe<\/span>) \u6703\u547c\u53eb\u547d\u4ee4 shell \u4f86\u57f7\u884c \u7d93\u904eBase64 \u7de8\u78bc\u7684 PowerShell \u547d\u4ee4\uff0c\u5982\u4e0b\u5716 4 \u6240\u793a\u3002<\/p>\n<figure id=\"attachment_148507\" aria-describedby=\"caption-attachment-148507\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148507 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-779322-148484-3.png\" alt=\"\u96fb\u8166\u7a0b\u5f0f\u78bc\u7684\u87a2\u5e55\u622a\u5716\uff0c\u5176\u7279\u8272\u70ba\u5305\u542b\u6a94\u6848\u8def\u5f91\u548c\u7cfb\u7d71\u6307\u4ee4\u7684\u7de8\u78bc\u548c\u89e3\u78bc Base64 \u5b57\u4e32\u884c\u3002\" width=\"1000\" height=\"568\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-779322-148484-3.png 1480w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-779322-148484-3-775x440.png 775w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-779322-148484-3-1233x700.png 1233w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-779322-148484-3-768x436.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-148507\" class=\"wp-caption-text\">\u5716 4.\u5728\u6b64\u8b8a\u9ad4\u4e2d\u770b\u5230\u7684 Base64 \u7de8\u78bc PowerShell \u547d\u4ee4\u3002<\/figcaption><\/figure>\n<p>\u5716 4 \u4e2d\u7684\u547d\u4ee4\u5728 <span style=\"font-family: 'courier new', courier, monospace;\">C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx<\/span> \u4e2d\u5efa\u7acb\u4e00\u500b\u6a94\u6848\uff0c\u7136\u5f8c\u5c07\u8b8a\u6578 <span style=\"font-family: 'courier new', courier, monospace;\">$base64string<\/span> \u4e2d\u5305\u542b\u7684 Base64 \u5b57\u4e32\u5167\u5bb9\u89e3\u78bc\u5230\u8a72\u6a94\u6848\u4e2d\u3002\u9019\u500b <span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span> \u6a94\u6848\u662f\u4e00\u500b Web Shell (\u7db2\u7ad9\u5f8c\u9580) \u7a0b\u5f0f\uff0c\u5b83\u53ef\u4ee5\u57f7\u884c\u591a\u7a2e\u529f\u80fd\u4f86\u64f7\u53d6\u4f3a\u670d\u5668\u7684 <span style=\"font-family: 'courier new', courier, monospace;\">ValidationKeys<\/span> (\u9a57\u8b49\u91d1\u9470)\u3001<span style=\"font-family: 'courier new', courier, monospace;\">DecryptionKeys<\/span> (\u89e3\u5bc6\u91d1\u9470) \u548c <span style=\"font-family: 'courier new', courier, monospace;\">CompatabilityMode<\/span> (\u76f8\u5bb9\u6027\u6a21\u5f0f)\uff0c\u9019\u4e9b\u90fd\u662f\u507d\u9020 ViewState \u52a0\u5bc6\u91d1\u9470\u6240\u9700\u7684\u8cc7\u8a0a\u3002<\/p>\n<p>\u5716 5 \u986f\u793a\u7531\u5716 4 \u7684\u547d\u4ee4\u6240\u5efa\u7acb\u7684<span style=\"font-family: 'courier new', courier, monospace;\"> spinstall0.aspx<\/span> \u6a94\u6848\u5167\u5bb9\u3002<\/p>\n<figure id=\"attachment_148518\" aria-describedby=\"caption-attachment-148518\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148518 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-781873-148484-4.png\" alt=\"\u986f\u793a\u7a0b\u5f0f\u78bc\u7684\u622a\u5716\uff0c\u5176\u7279\u8272\u5728\u65bc\u53c3\u8003\u547d\u540d\u7a7a\u9593\u7684\u8173\u672c\u3002\" width=\"1000\" height=\"527\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-781873-148484-4.png 1492w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-781873-148484-4-786x414.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-781873-148484-4-1329x700.png 1329w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-781873-148484-4-768x405.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-148518\" class=\"wp-caption-text\">\u5716 5.<span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span>\u7684\u5167\u5bb9\u3002<\/figcaption><\/figure>\n<h3><a id=\"post-148484-_heading=h.rndf65sd55h0\"><\/a>\u8b8a\u7a2e 3<\/h3>\n<p>\u6b64\u8b8a\u9ad4\u5e7e\u4e4e\u8207\u8b8a\u9ad4 2 \u76f8\u540c\uff0c\u4f46\u6709\u5c11\u8a31\u4e0d\u540c\uff1a<\/p>\n<ul>\n<li>\u5c07 <span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span> \u6a94\u6848\u5beb\u5165\u4ee5\u4e0b\u8def\u5f91\uff1a<span style=\"font-family: 'courier new', courier, monospace;\">C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS\\spinstall0.asp<\/span>x\n<ul>\n<li>\u5dee\u7570\u5728\u65bc\u76ee\u9304\u662f 15 \u800c\u4e0d\u662f 16\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u5c07\u8b8a\u6578\u91cd\u65b0\u547d\u540d\u70ba\u55ae\u4e00\u5b57\u5143<\/li>\n<li>\u5728\u6700\u5f8c\u547c\u53eb sleep \u51fd\u5f0f<\/li>\n<\/ul>\n<p>\u4e0b\u9762\u7684\u5716 6 \u986f\u793a\u4e86\u8a72\u8b8a\u9ad4\u7684\u7bc4\u4f8b\u3002<\/p>\n<figure id=\"attachment_148529\" aria-describedby=\"caption-attachment-148529\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-148529 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-784237-148484-5.png\" alt=\"\u986f\u793a\u7a0b\u5f0f\u78bc\u5340\u584a\u7684\u96fb\u8166\u87a2\u5e55\u622a\u5716\u3002\" width=\"1000\" height=\"592\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-784237-148484-5.png 1496w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-784237-148484-5-743x440.png 743w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-784237-148484-5-1182x700.png 1182w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/word-image-784237-148484-5-768x455.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-148529\" class=\"wp-caption-text\">\u5716 6.\u5165\u4fb5\u6d3b\u52d5\u7684\u8b8a\u9ad4 3\u3002<\/figcaption><\/figure>\n<h2><a id=\"post-148484-_heading=h.ilbx5wfh0dsi\"><\/a>\u81e8\u6642\u6307\u5357<\/h2>\n<p>Palo Alto Networks \u548c Unit 42 \u6b63\u8207 MSRC \u5bc6\u5207\u5408\u4f5c\uff0c\u4e26\u5efa\u8b70\u4e0b\u5217\u95dc\u9375\u6b65\u9a5f\uff1a<\/p>\n<ul>\n<li><strong>\u904f\u5236\u5a01\u8105<\/strong>\uff1a\u7acb\u5373\u5c07\u6613\u53d7\u653b\u64ca\u7684\u672c\u5730\u90e8\u7f72 (on-premises) SharePoint \u4f3a\u670d\u5668\u8207\u7db2\u969b\u7db2\u8def<strong>\u65b7\u958b\u9023\u7dda<\/strong>\uff0c\u76f4\u5230\u5b83\u5011\u80fd\u5920\u88ab\u5b8c\u5168\u4fdd\u8b77\u548c\u4fee\u5fa9\u70ba\u6b62\u3002<\/li>\n<li><strong>\u4fee\u88dc\u4e26\u5f37\u5316<\/strong>\uff1a\u7576 Microsoft \u63d0\u4f9b\u76f8\u95dc\u7684\u5b89\u5168\u4fee\u88dc\u7a0b\u5f0f\u6642\u7acb\u5373\u5957\u7528\u3002\u6700\u91cd\u8981\u7684\u662f\uff0c\u6240\u6709\u5bc6\u78bc\u8cc7\u6599\u90fd\u5fc5\u9808\u8f2a\u63db\uff0c\u76f8\u95dc\u6191\u8b49\u4e5f\u5fc5\u9808\u91cd\u8a2d\u3002<\/li>\n<li><strong>\u53c3\u8207\u5c08\u696d\u7684\u4e8b\u4ef6\u56de\u61c9<\/strong>\uff1a\u932f\u8aa4\u7684\u5b89\u5168\u611f\u53ef\u80fd\u6703\u9020\u6210\u9577\u6642\u9593\u7684\u66b4\u9732\u3002\u6211\u5011\u5f37\u70c8\u6566\u4fc3\u53d7\u5f71\u97ff\u7684\u7d44\u7e54\u8058\u8acb\u5c08\u696d\u7684\u4e8b\u4ef6\u61c9\u8b8a\u5718\u968a\uff0c\u4ee5\u9032\u884c\u5fb9\u5e95\u7684\u5165\u4fb5\u8a55\u4f30 (compromise assessment)\u3001\u641c\u5c0b\u5df2\u5efa\u7acb\u7684\u5f8c\u9580\uff0c\u4e26\u78ba\u4fdd\u5a01\u8105\u5df2\u5f9e\u74b0\u5883\u4e2d\u5b8c\u5168\u6839\u9664\u3002<\/li>\n<\/ul>\n<p>Palo Alto Networks \u4e5f\u5efa\u8b70\u9075\u5faa Microsoft \u7684\u4fee\u88dc\u7a0b\u5f0f\u6216\u6e1b\u7de9\u6307\u5f15\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49704\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a><\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49706\" target=\"_blank\" rel=\"noopener\">CVE-2025-49706<\/a><\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a><\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53771\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a><\/li>\n<\/ul>\n<p>\u8acb\u53c3\u95b1 Microsoft \u5c0d\u65bc <a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770 \u548c CVE-2025-53771 \u7684\u984d\u5916\u6307\u5f15\u3002<\/a> Microsoft \u8868\u793a CVE-2025-53770 \u7684\u66f4\u65b0\u5305\u542b\u6bd4 CVE-2025-49704 \u66f4\u65b0\u66f4\u5f37\u5927\u7684\u4fdd\u8b77\u3002CVE-2025-53771 \u7684\u66f4\u65b0\u5305\u542b\u6bd4 CVE-2025-49706 \u66f4\u65b0\u66f4\u5f37\u56fa\u7684\u4fdd\u8b77\u3002<\/p>\n<p>2025 \u5e74 7 \u6708 25 \u65e5\u66f4\u65b0\uff1a<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">\u5fae\u8edf\u91dd\u5c0d\u6a5f\u5668\u91d1\u9470\u8f2a\u66ff\u5efa\u8b70\u5982\u4e0b<\/a>\u3002<\/p>\n<ul>\n<li>\u5957\u7528\u5fae\u8edf\u7684\u5b89\u5168\u6027\u66f4\u65b0<\/li>\n<li>\u518d\u6b21\u8f2a\u66ff ASP.NET \u6a5f\u5668\u91d1\u9470<\/li>\n<li>\u91cd\u65b0\u555f\u52d5 IIS \u7db2\u9801\u4f3a\u670d\u5668<\/li>\n<\/ul>\n<h2><a id=\"post-148484-_heading=h.xnzsuvd6pwaw\"><\/a>Unit 42 \u53d7\u7ba1\u7406\u5a01\u8105\u641c\u88dc\u67e5\u8a62<\/h2>\n<p>Unit 42 \u8a17\u7ba1\u5f0f\u5a01\u8105\u72e9\u7375\u5718\u968a (Managed Threat Hunting team) \u5229\u7528 Cortex XDR \u53ca\u4e0b\u65b9\u7684 XQL \u67e5\u8a62\uff0c\u6301\u7e8c\u5728\u6211\u5011\u7684\u5ba2\u6236\u4e2d\u8ffd\u8e64\u4efb\u4f55\u5229\u7528\u9019\u4e9b\u6f0f\u6d1e\u7684\u4f01\u5716\u3002Cortex XDR \u5ba2\u6236\u4e5f\u53ef\u4ee5\u4f7f\u7528\u9019\u4e9b XQL \u67e5\u8a62\u4f86\u641c\u5c0b\u5229\u7528\u8de1\u8c61\u3002<\/p>\n<pre class=\"lang:default decode:true\">\/\/ Note: This query will only work on agents 8.7 or higher\r\n\/\/ Description: This query leverages DotNet telemetry to identify references to ToolPane.exe, and extracts fields to provide additional context.\r\ndataset = xdr_data\r\n| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, dynamic_event_string_map, event_thread_context, event_type\r\n| filter event_type = ENUM.DOT_NET and actor_process_image_name = \"w3wp.exe\" and event_thread_context contains \"ToolPane.aspx\"\r\n\r\n\/\/ Extract the IIS application pool name from command line\r\n| alter IIS_appName = arrayindex(regextract(actor_process_command_line, \"\\-ap\\s+\\\"([^\\\"]+)\\\"\"), 0)\r\n\r\n\/\/ Extract fields from the dynamic_string_string_map:\r\n\/\/ EventSrcIP - Logged IP address by the IIS server\r\n\/\/ RequestURI - The requested URL by the threat actor\r\n\/\/ Payload - time he decoded .NET payload from exploitation\r\n\/\/ Headers - HTTP request headers\r\n| alter EventSrcIP = trim(json_extract(dynamic_event_string_map, \"$.27\"), \"\\\"\"),\r\n        RequestURI = trim(json_extract(dynamic_event_string_map, \"$.26\"), \"\\\"\"),\r\n        Payload = trim(json_extract(dynamic_event_string_map, \"$.30\"), \"\\\"\"),\r\n        Headers = trim(json_extract(dynamic_event_string_map, \"$.32\"), \"\\\"\")\r\n\r\n\/\/ Extract the X-Forwarded-For headers from the Headers field in an attempt to identify the source of exploitation\r\n| alter x_forwarded_for_header = regextract(lowercase(Headers), \"\\|(?:client-ip|x-forwarded-for)\\:((?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(?:\\.(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3})\\|\")\r\n\r\n| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, IIS_appName, dynamic_event_string_map, event_thread_context, EventSrcIP, x_forwarded_for_header, RequestURI, Payload, Headers\r\n<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Description: This query identifies specific files being written to the observed file paths during exploitation. This query may identify false-positive, legitimate files.\r\ndataset = xdr_data \r\n| fields _time, agent_hostname, causality_actor_process_image_name, causality_actor_process_command_line, actor_process_image_name, actor_process_command_line, action_file_name, action_file_path, action_file_extension, action_file_sha256, event_type, event_sub_type \r\n| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_WRITE, ENUM.FILE_CREATE_NEW) and lowercase(action_file_path) ~= \"web server extensions\\\\1[5-6]\\\\template\\\\layouts\" and lowercase(action_file_extension) in (\"asp\", \"aspx\", \"js\", \"txt\", \"css\")\r\n| filter lowercase(actor_process_image_name) in (\"powershell.exe\", \"cmd.exe\", \"w3wp.exe\")\r\n| comp values(action_file_name) as action_file_name, values(action_file_path) as action_file_path, values(actor_process_command_line) as actor_process_command_line by agent_hostname, actor_process_image_name addrawdata = true\r\n<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Description: This query identifies the IIS Process Worker, w3wp invoking a command shell which executes a base64 encodedPowerShell command. This is not specific to the CVE, and may catch potential other post-exploitation activity.\r\ndataset = xdr_data \r\n| fields _time, agent_hostname, causality_actor_process_image_name, actor_process_image_name, actor_process_command_line, action_process_image_name, action_process_image_command_line , event_type, event_sub_type \r\n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and lowercase(causality_actor_process_image_name) = \"w3wp.exe\" and lowercase(actor_process_image_name) = \"cmd.exe\" and lowercase(action_process_image_name) = \"powershell.exe\" and action_process_image_command_line  ~= \"(?:[A-Za-z0-9+\\\/]{4})*(?:[A-Za-z0-9+\\\/]{4}|[A-Za-z0-9+\\\/]{3}=|[A-Za-z0-9+\\\/]{2}={2})\"\r\n<\/pre>\n<h2><a id=\"post-148484-_heading=h.90fgstjnork5\"><\/a>\u7d50\u8ad6<\/h2>\n<p>\u57fa\u65bc\u5c0d\u91ce\u5916\u5229\u7528 (in-the-wild exploitation) \u7684\u89c0\u5bdf\u4ee5\u53ca\u6b64\u6f0f\u6d1e\u5229\u7528\u7684\u7c21\u6613\u6027\u8207\u6709\u6548\u6027\uff0c\uff0cPalo Alto Networks \u5f37\u70c8\u5efa\u8b70\u60a8\u9075\u5faa Microsoft \u7684\u6307\u5f15\u4f86\u4fdd\u8b77\u60a8\u7684\u7d44\u7e54\u3002Palo Alto Networks \u548c Unit 42 \u5c07\u7e7c\u7e8c\u76e3\u63a7\u60c5\u6cc1\uff0c\u63d0\u4f9b\u6700\u65b0\u8cc7\u8a0a\u3002<\/p>\n<p>Palo Alto Networks \u5df2\u5c07\u6211\u5011\u7684\u767c\u73fe\u8207 Cyber Threat Alliance (CTA) \u7684\u6210\u54e1\u5206\u4eab\u3002CTA \u6703\u54e1\u5229\u7528\u9019\u4e9b\u60c5\u5831\u5feb\u901f\u90e8\u7f72\u4fdd\u8b77\u63aa\u65bd\u7d66\u5ba2\u6236\uff0c\u4e26\u6709\u7cfb\u7d71\u5730\u74e6\u89e3\u60e1\u610f\u7684\u7db2\u8def\u884c\u70ba\u8005\u3002\u9032\u4e00\u6b65\u77ad\u89e3 <a href=\"https:\/\/www.cyberthreatalliance.org\/\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a>\u3002<\/p>\n<p>Palo Alto Networks \u5ba2\u6236\u53ef\u900f\u904e\u6211\u5011\u7684\u7522\u54c1\u7372\u5f97\u66f4\u597d\u7684\u4fdd\u8b77\uff0c\u5982\u4e0b\u6240\u5217\u3002\u7576\u6709\u66f4\u591a\u76f8\u95dc\u8cc7\u8a0a\u6642\uff0c\u6211\u5011\u6703\u66f4\u65b0\u6b64\u5a01\u8105\u7c21\u5831\u3002<\/p>\n<h2><a id=\"post-148484-_heading=h.w53e6nivlkj4\"><\/a>Palo Alto Networks \u7522\u54c1\u9632\u8b77\uff0c\u6709\u6548\u9632\u7bc4 Microsoft SharePoint \u5f31\u9ede<\/h2>\n<p>Palo Alto Networks \u5ba2\u6236\u53ef\u5229\u7528\u5404\u7a2e\u7522\u54c1\u9632\u8b77\u8207\u66f4\u65b0\uff0c\u4f86\u8b58\u5225\u4e26\u9632\u7bc4\u6b64\u5a01\u8105\u3002<\/p>\n<p>\u5982\u679c\u60a8\u8a8d\u70ba\u81ea\u5df1\u53ef\u80fd\u53d7\u5230\u5a01\u8105\u6216\u6709\u7dca\u6025\u4e8b\u9805\uff0c\u8acb\u806f\u7d61 <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 \u4e8b\u4ef6\u56de\u61c9\u5718\u968a<\/a>\u6216\u64a5\u6253\uff1a<\/p>\n<ul>\n<li>\u5317\u7f8e\u6d32\uff1a\u514d\u4ed8\u8cbb\u96fb\u8a71\uff1a+1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>\u82f1\u570b\uff1a+44.20.3743.3660<\/li>\n<li>\u6b50\u6d32\u548c\u4e2d\u6771\uff1a+31.20.299.3130<\/li>\n<li>\u4e9e\u6d32\uff1a+65.6983.8730<\/li>\n<li>\u65e5\u672c\uff1a+81.50.1790.0200<\/li>\n<li>\u6fb3\u6d32\uff1a+61.2.4062.7950<\/li>\n<li>\u5370\u5ea6\uff1a00080005045107<\/li>\n<\/ul>\n<h3><a id=\"post-148484-_heading=h.gb5371mvyznq\"><\/a>\u642d\u914d\u9032\u968e\u5a01\u8105\u9632\u8b77\u7684\u4e0b\u4e00\u4ee3\u9632\u706b\u7246<\/h3>\n<p>\u914d\u5099 <a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a> \u5b89\u5168\u8a02\u95b1\u670d\u52d9\u7684\u65b0\u4e16\u4ee3\u9632\u706b\u7246\uff0c\u53ef\u900f\u904e\u4ee5\u4e0b\u5a01\u8105\u9632\u79a6 (Threat Prevention) \u7279\u5fb5\u78bc\uff0c\u5354\u52a9\u5c01\u9396\u5c0d CVE-2025-49704\u3001CVE-2025-49706 \u548c CVE-2025-53771 \u7684\u60e1\u610f\u5229\u7528\uff1a<a href=\"https:\/\/threatvault.paloaltonetworks.com\/?query=96481\" target=\"_blank\" rel=\"noopener\">96481<\/a>\u3001<a href=\"https:\/\/threatvault.paloaltonetworks.com\/?query=96436\" target=\"_blank\" rel=\"noopener\">96436<\/a>\u3001<a href=\"https:\/\/threatvault.paloaltonetworks.com\/?query=96496\" target=\"_blank\" rel=\"noopener\">96496<\/a>\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.akl2rz9drfdj\"><\/a>\u4e0b\u4e00\u4ee3\u9632\u706b\u7246\u7684\u96f2\u7aef\u4ea4\u4ed8\u7684\u5b89\u5168\u6027\u670d\u52d9<\/h3>\n<p><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> \u548c <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a> \u53ef\u5c07\u8207\u6b64\u6d3b\u52d5\u76f8\u95dc\u7684\u5df2\u77e5 IP \u4f4d\u5740\u8b58\u5225\u70ba\u60e1\u610f\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.1vt1jc8jqg2p\"><\/a>Cortex<\/h3>\n<p>Cortex \u5df2\u767c\u5e03\u4e00\u500b\u6559\u6230\u624b\u518a (playbook)\uff0c\u4f5c\u70ba <a href=\"https:\/\/xsoar.pan.dev\/docs\/reference\/playbooks\/cve-2025-49704-and-cve-2025-49706-and-cve-2025-53770-and-cve-2025-53771---microsoft-share-point-tool-shell-vulnerability-chain\" target=\"_blank\" rel=\"noopener\">Cortex Response and Remediation Pack <\/a>\u7684\u4e00\u90e8\u5206\u3002<\/p>\n<p>\u8a72\u6559\u6230\u624b\u518a\u7531 SharePoint \u7684\u300cToolShell\u300d\u8b66\u5831\u6216\u624b\u52d5\u555f\u52d5\u89f8\u767c\uff0c\u9996\u5148\u6703\u900f\u904e\u4e00\u500b\u8f15\u91cf\u7d1a\u7684 XQL \u67e5\u8a62\u4f86\u5c0d\u6bcf\u500b SharePoint \u4e3b\u6a5f\u9032\u884c\u6307\u7d0b\u8b58\u5225\u3002\u7136\u5f8c\u5b83\u6703\u540c\u6b65\u7375\u6355\uff1a<\/p>\n<ul>\n<li>\u78c1\u789f\u4e0a\u65b0\u5beb\u5165\u7684\u7db2\u7ad9\u5f8c\u9580\u7a0b\u5f0f (web shells)<\/li>\n<li>\u91dd\u5c0d CVE \u60e1\u610f\u5229\u7528\u8207\u7db2\u7ad9\u5f8c\u9580\u7a0b\u5f0f\u5b58\u53d6\u7684\u6d41\u91cf\u65e5\u8a8c<\/li>\n<li>\u7528\u4ee5\u63d0\u53d6\u653b\u64ca\u8005 IP \u548c\u653b\u64ca\u916c\u8f09 (payloads) \u7684 .NET \u9059\u6e2c\u8cc7\u6599<\/li>\n<li>\u6574\u5408\u4e86 Unit 42 \u6307\u6a19\u8207\u672c\u6a5f\u63d0\u53d6\u8cc7\u6599\u7684\u5165\u4fb5\u6307\u6a19 (IoC)<\/li>\n<li>\u60e1\u610f\u5229\u7528\u524d\u8207\u5229\u7528\u5f8c\u7684\u884c\u70ba<\/li>\n<\/ul>\n<p>\u4efb\u4f55\u5df2\u78ba\u8a8d\u7684\u6307\u6a19\u90fd\u5c07\u88ab\u81ea\u52d5\u5c01\u9396\u3002<\/p>\n<p>\u57f7\u884c\u7d50\u675f\u6642\uff0c\u6703\u5448\u73fe\u6a5f\u5668\u91d1\u9470\u8f2a\u66ff (machine key rotation) \u5efa\u8b70\u30012025 \u5e74 7 \u6708\u7684\u4fee\u88dc\u7a0b\u5f0f\u9023\u7d50\uff0c\u4ee5\u53ca\u5a01\u8105\u7375\u6355\u7d50\u679c\u7684\u96c6\u4e2d\u6aa2\u8996\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.y98a14w8z2iz\"><\/a>Cortex Cloud<\/h3>\n<p><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-CLOUD\/Cortex-Cloud-Posture-Management-Release-Notes\/July-2025\" target=\"_blank\" rel=\"noopener\">Cortex Cloud<\/a> 1.2 \u7248\u53ef\u4ee5\u767c\u73fe\u8207 CVE-2025-49704 \u548c CVE-2025-49706 \u7684\u60e1\u610f\u5229\u7528\u93c8\u76f8\u95dc\u7684\u6f0f\u6d1e\uff0c\u4e26\u5c01\u9396\u5df2\u77e5\u7684\u60e1\u610f\u5229\u7528\u6d3b\u52d5\uff0c\u540c\u6642\u56de\u5831\u8207 CVE-2025-53770 \u548c CVE-2025-53771 \u7684\u5229\u7528\u93c8\u76f8\u95dc\u7684\u5df2\u77e5\u60e1\u610f\u5229\u7528\u6d3b\u52d5\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.7dmbsh2ruanp\"><\/a>Cortex XDR and XSIAM<\/h3>\n<p><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> \u5177\u6709 1870-19884 (\u6216 1880-19902) \u5167\u5bb9\u7248\u672c\u7684 8.7 \u7248\u4ee3\u7406\u7a0b\u5f0f\u5c07\u5c01\u9396\u8207 CVE-2025-49704 \u548c CVE-2025-49706 \u9023\u9396\u653b\u64ca\u76f8\u95dc\u7684\u5df2\u77e5\u653b\u64ca\u6d3b\u52d5\uff0c\u4e26\u56de\u5831\u8207 CVE-2025-53770 \u548c CVE-2025-53771 \u9023\u9396\u653b\u64ca\u76f8\u95dc\u7684\u5df2\u77e5\u653b\u64ca\u6d3b\u52d5\u3002<\/p>\n<h3><a id=\"post-148484-_heading=h.if3t4cykyc15\"><\/a>Cortex Xpanse<\/h3>\n<p><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XPANSE\" target=\"_blank\" rel=\"noopener\">Cortex Xpanse<\/a> \u80fd\u5920\u8b58\u5225\u516c\u7528\u7db2\u969b\u7db2\u8def\u4e0a\u66b4\u9732\u7684 SharePoint \u88dd\u7f6e\uff0c\u4e26\u5c07\u9019\u4e9b\u767c\u73fe\u4e0a\u5831\u7d66\u9632\u79a6\u4eba\u54e1\u3002\u5ba2\u6236\u53ef\u900f\u904e\u78ba\u4fdd SharePoint Server \u653b\u64ca\u9762\u898f\u5247\u5df2\u555f\u7528\uff0c\u4f86\u555f\u7528\u8b66\u793a\u66b4\u9732\u65bc\u7db2\u969b\u7db2\u8def\u7684 SharePoint\u3002\u5df2\u8b58\u5225\u7684\u767c\u73fe\u53ef\u4ee5\u5728<a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-XPANSE\/2\/Cortex-Xpanse-Expander-User-Guide\/Threat-Response-Center\" target=\"_blank\" rel=\"noopener\">\u5a01\u8105\u56de\u61c9\u4e2d\u5fc3<\/a>\u6216 Expander \u7684\u4e8b\u4ef6\u6aa2\u8996\u4e2d\u6aa2\u8996\u3002\u8cfc\u8cb7 ASM \u6a21\u7d44\u7684 Cortex XSIAM \u5ba2\u6236\u4e5f\u53ef\u7372\u5f97\u9019\u4e9b\u767c\u73fe\u3002<\/p>\n<h2><a id=\"post-148484-_heading=h.t96eb83pfg6g\"><\/a>\u59a5\u5354\u6307\u6a19<\/h2>\n<p>\u8868 2 \u986f\u793a Unit 42 \u53ca\u5176\u8aaa\u660e\u89c0\u5bdf\u5230\u7684 SharePoint \u5165\u4fb5\u6d3b\u52d5\u76f8\u95dc\u806f\u7684\u6307\u6a19\u6e05\u55ae\u3002<\/p>\n<table style=\"width: 100%; height: 914px;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"height: 24px; text-align: center; width: 69.7731%;\"><b>\u6307\u6a19<\/b><\/td>\n<td style=\"height: 24px; text-align: center; width: 29.5786%;\"><b>\u8aaa\u660e<\/b><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">107.191.58[.]76<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span>, \u4ea4\u4ed8 <span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">104.238.159[.]149<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span>, \u4ea4\u4ed8<span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">96.9.125[.]147<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span>, <span style=\"font-weight: 400;\">\u6a21\u7d44<\/span> <span style=\"font-family: 'courier new', courier, monospace;\">qlj22mpc<\/span> \u548c <span style=\"font-family: 'courier new', courier, monospace;\">bjcloiyq<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">139.144.199[.]41<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">89.46.223[.]88<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">45.77.155[.]170<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">154.223.19[.]106<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">185.197.248[.]131<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">149.40.50[.]15<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\"> 64.176.50[.]109<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\"> 149.28.124[.]70<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">206.166.251[.]228<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">95.179.158[.]42<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">86.48.9[.]38<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">128.199.240[.]182<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">212.125.27[.]102<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">91.132.95[.]60<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u5f31\u9ede\u4f86\u6e90<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"text-align: left; height: 48px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx<\/span><\/td>\n<td style=\"height: 48px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u57f7\u884c\u7de8\u78bc\u547d\u4ee4\u5f8c\u5efa\u7acb\u7684\u6a94\u6848<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"text-align: left; height: 48px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS\\spinstall0.aspx<\/span><\/td>\n<td style=\"height: 48px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">\u57f7\u884c\u7de8\u78bc\u547d\u4ee4\u5f8c\u5efa\u7acb\u7684\u6a94\u6848<\/span><\/td>\n<\/tr>\n<tr style=\"height: 50px;\">\n<td style=\"text-align: left; height: 50px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\debug_dev.js<\/span><\/td>\n<td style=\"height: 50px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">PowerShell \u547d\u4ee4\u57f7\u884c\u5f8c\u5efa\u7acb\u7684\u6a94\u6848<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"text-align: left; height: 48px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">4A02A72AEDC3356D8CB38F01F0E0B9F26DDC5CCB7C0F04A561337CF24AA84030<\/span><\/td>\n<td style=\"height: 48px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">.NET \u6a21\u7d44 <span style=\"font-family: 'courier new', courier, monospace;\">qlj22mpc <\/span>- \u89c0\u5bdf\u5230\u7684\u521d\u59cb\u96dc\u6e4a\u00a0<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">B39C14BECB62AEB55DF7FD55C814AFBB0D659687D947D917512FE67973100B70<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-weight: 400;\">.NET \u6a21\u7d44 <\/span>bjcloiyq<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"text-align: left; height: 48px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">FA3A74A6C015C801F5341C02BE2CBDFB301C6ED60633D49FC0BC723617741AF7<\/span><\/td>\n<td style=\"height: 48px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">.NET \u6a21\u7d44 - \u4ee5 ViewState \u70ba\u76ee\u6a19<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">390665BDD93A656F48C463BB6C11A4D45B7D5444BDD1D1F7A5879B0F6F9AAC7E<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">.NET \u6a21\u7d44<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">66AF332CE5F93CE21D2FE408DFFD49D4AE31E364D6802FFF97D95ED593FF3082<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">.NET \u6a21\u7d44<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">7BAF220EB89F2A216FCB2D0E9AA021B2A10324F0641CAF8B7A9088E4E45BEC95<\/span><\/td>\n<td style=\"height: 25px; text-align: left; width: 29.5786%;\"><span style=\"font-weight: 400;\">.NET \u6a21\u7d44<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; height: 25px; width: 69.7731%;\"><span style=\"font-family: 'courier new', courier, monospace;\">92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514<br \/>\n<\/span><\/td>\n<td style=\"text-align: left; height: 25px; width: 29.5786%;\"><span style=\"font-family: 'courier new', courier, monospace;\">spinstall0.aspx<\/span> webshell<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"text-align: left; width: 69.7731%; height: 24px;\"><span style=\"font-family: 'courier new', courier, monospace;\">33067028e35982c7b9fdcfe25eb4029463542451fdff454007832cf953feaf1e<\/span><\/td>\n<td style=\"text-align: left; width: 29.5786%; height: 24px;\"><span style=\"font-family: 'courier new', courier, monospace;\">4<\/span><span style=\"font-family: 'courier new', courier, monospace;\">L<\/span><span style=\"font-family: 'courier new', courier, monospace;\">4MD4R \u52d2\u7d22\u8edf\u9ad4\u6a23\u672c<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; width: 69.7731%; height: 25px;\"><span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-weight: 400;\">xxps[:]\/\/ice[.]theinnovationfactory[.]it\/static\/4l4md4r.exe<\/span><\/span><\/td>\n<td style=\"text-align: left; width: 29.5786%; height: 25px;\"><span style=\"font-family: 'courier new', courier, monospace;\">\u7528\u65bc\u4e0b\u8f09\u53ca\u57f7\u884c 4L4MD4R \u52d2\u7d22\u8edf\u9ad4\u7684 URL<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"text-align: left; width: 69.7731%; height: 25px;\"><span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-weight: 400;\">bpp.theinnovationfactory[.]it<\/span><\/span><\/td>\n<td style=\"text-align: left; width: 29.5786%; height: 25px;\"><span style=\"font-family: 'courier new', courier, monospace;\">4L4MD4R \u52d2\u7d22\u8edf\u9ad4\u7684 C2 \u4f3a\u670d\u5668<\/span><\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"text-align: left; width: 69.7731%; height: 24px;\"><span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-weight: 400;\">145.239.97[.]206<\/span><\/span><\/td>\n<td style=\"text-align: left; width: 29.5786%; height: 24px;\"><span style=\"font-family: 'courier new', courier, monospace;\">4L4MD4R \u52d2\u7d22\u8edf\u9ad4\u7684 C2 \u7db2\u57df<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u8868 2.Unit 42 \u89c0\u5bdf\u5230\u8207 SharePoint \u958b\u767c\u6d3b\u52d5\u76f8\u95dc\u7684\u6307\u6a19\u3002<\/p>\n<h2><a id=\"post-148484-_heading=h.fegvneo0u7z5\"><\/a>\u5176\u4ed6\u8cc7\u6e90<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">\u963b\u65b7\u5c0d\u672c\u5730\u90e8\u7f72 SharePoint \u6f0f\u6d1e\u7684\u6d3b\u8e8d\u5229\u7528<\/a> \u2013 Microsoft Security<\/li>\n<li><a href=\"https:\/\/www.brighttalk.com\/webcast\/10903\/649025?utm_source=PaloAltoNetworks&amp;utm_medium=brighttalk&amp;utm_campaign=649025\" target=\"_blank\" rel=\"noopener\">Unit 42 Threat Briefing<\/a> | \u9632\u79a6\u6d3b\u8e8d\u7684 Microsoft SharePoint \u6f0f\u6d1e\u653b\u64ca \u2013 Unit 42 Threat Briefing Webinar on BrightTALK<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u57f7\u884c\u6458\u8981 2025\u5e747\u670831\u65e5\u66f4\u65b0 \u5c0d ToolShell \u6f0f\u6d1e\u5229\u7528\u7684\u8abf\u67e5\u63ed\u9732\u4e86 4L4MD4R \u52d2\u7d22\u8edf\u9ad4\u7684\u90e8<\/p>\n","protected":false},"author":23,"featured_media":148230,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8768,8849],"tags":[9398,9399,9400,9401,9402,9404,9405,9403],"product_categories":[8958,8963,8974,8984,8953,9042,9045,9058,9078,9071,9157,9085,9153],"coauthors":[1025],"class_list":["post-148484","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-top-cyberthreats-zh-hant","category-vulnerabilities-zh-hant","tag-cl-cri-1040-zh-hant","tag-cve-2025-49704-zh-hant","tag-cve-2025-49706-zh-hant","tag-cve-2025-53770-zh-hant","tag-cve-2025-53771-zh-hant","tag-microsoft-zh-hant","tag-sharepoint-zh-hant","tag-zero-day-zh-hant","product_categories-advanced-dns-security-zh-hant","product_categories-advanced-threat-prevention-zh-hant","product_categories-advanced-url-filtering-zh-hant","product_categories-advanced-wildfire-zh-hant","product_categories-cloud-delivered-security-services-zh-hant","product_categories-cortex-zh-hant","product_categories-cortex-cloud-zh-hant","product_categories-cortex-xdr-zh-hant","product_categories-cortex-xpanse-zh-hant","product_categories-cortex-xsoar-zh-hant","product_categories-managed-threat-hunting-zh-hant","product_categories-next-generation-firewall-zh-hant","product_categories-unit-42-incident-response-zh-hant"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09 \u4e3b\u52d5\u5229\u7528 Microsoft SharePoint \u6f0f\u6d1e<\/title>\n<meta name=\"description\" content=\"Unit 42 \u5df2\u89c0\u5bdf\u5230\u6700\u8fd1 Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba\u3002\u4ee5\u4e0b\u662f\u5982\u4f55\u4fdd\u8b77\u60a8\u7684\u65b9\u6cd5\u3002\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09\" \/>\n<meta property=\"og:description\" content=\"Unit 42 \u5df2\u89c0\u5bdf\u5230\u6700\u8fd1 Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba\u3002\u4ee5\u4e0b\u662f\u5982\u4f55\u4fdd\u8b77\u60a8\u7684\u65b9\u6cd5\u3002\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-31T17:21:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-04T15:17:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/02_Vulnerabilities_1920x900.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Unit 42\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09 \u4e3b\u52d5\u5229\u7528 Microsoft SharePoint \u6f0f\u6d1e","description":"Unit 42 \u5df2\u89c0\u5bdf\u5230\u6700\u8fd1 Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba\u3002\u4ee5\u4e0b\u662f\u5982\u4f55\u4fdd\u8b77\u60a8\u7684\u65b9\u6cd5\u3002","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/","og_locale":"zh_TW","og_type":"article","og_title":"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09","og_description":"Unit 42 \u5df2\u89c0\u5bdf\u5230\u6700\u8fd1 Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba\u3002\u4ee5\u4e0b\u662f\u5982\u4f55\u4fdd\u8b77\u60a8\u7684\u65b9\u6cd5\u3002","og_url":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/","og_site_name":"Unit 42","article_published_time":"2025-07-31T17:21:43+00:00","article_modified_time":"2025-08-04T15:17:20+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/02_Vulnerabilities_1920x900.jpg","type":"image\/jpeg"}],"author":"Unit 42","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/"},"author":{"name":"Unit 42","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"headline":"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09","datePublished":"2025-07-31T17:21:43+00:00","dateModified":"2025-08-04T15:17:20+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/"},"wordCount":1060,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/02_Vulnerabilities_1920x900.jpg","keywords":["CL-CRI-1040","CVE-2025-49704","CVE-2025-49706","CVE-2025-53770","CVE-2025-53771","Microsoft","SharePoint","zero-day"],"articleSection":["\u5099\u53d7\u95dc\u6ce8\u7684\u5a01\u8105","\u5f31\u9ede"],"inLanguage":"zh-TW"},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/","url":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/","name":"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09 \u4e3b\u52d5\u5229\u7528 Microsoft SharePoint \u6f0f\u6d1e","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/02_Vulnerabilities_1920x900.jpg","datePublished":"2025-07-31T17:21:43+00:00","dateModified":"2025-08-04T15:17:20+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"description":"Unit 42 \u5df2\u89c0\u5bdf\u5230\u6700\u8fd1 Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba\u3002\u4ee5\u4e0b\u662f\u5982\u4f55\u4fdd\u8b77\u60a8\u7684\u65b9\u6cd5\u3002","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/02_Vulnerabilities_1920x900.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/07\/02_Vulnerabilities_1920x900.jpg","width":1920,"height":900},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/"},{"@type":"ListItem","position":2,"name":"Microsoft SharePoint \u5f31\u9ede\u7684\u4e3b\u52d5\u5f0f\u653b\u64ca\u884c\u70ba \uff087\u670831\u65e5\u66f4\u65b0\uff09"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63","name":"Unit 42","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Unit 42"},"url":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/author\/unit42\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/posts\/148484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/comments?post=148484"}],"version-history":[{"count":5,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/posts\/148484\/revisions"}],"predecessor-version":[{"id":148716,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/posts\/148484\/revisions\/148716"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/media\/148230"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/media?parent=148484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/categories?post=148484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/tags?post=148484"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/product_categories?post=148484"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/zh-hant\/wp-json\/wp\/v2\/coauthors?post=148484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}