Right Click Tools
Automate SharePoint CVE Detection and Remediation with Right Click Tools Builder
Topics: Right Click Tools, Security and Compliance
A new wave of attacks against on‑premises SharePoint servers is snowballing, with two critical CVEs—CVE‑2025‑53770 (CVSS 9.8) and CVE‑2025‑47981—already under active exploit worldwide. Security researchers report that espionage‑focused intrusions have escalated into full‑blown ransomware campaigns, and U.S. federal agencies have been hit alongside private‑sector firms.
To help IT teams act immediately, our engineers have released two free Right Click Tools Builder automation templates (CVE‑2025‑53770 and CVE‑2025‑47981) that scan, sort, and when possible remediate vulnerable systems—no guesswork, no hunting scripts.
SharePoint Servers Face Open Season
Microsoft and CISA both warn that CVE‑2025‑53770 lets unauthenticated attackers run code on any publicly exposed SharePoint Server. Exploits started on July 7 and have already compromised at least 75 servers, including U.S. government assets. Because the first July patch proved incomplete, attackers from multiple China‑linked groups have pivoted to ransomware to monetize access. Cloud‑hosted SharePoint Online is unaffected, but any on‑prem version left unpatched is fair game.
Windows Endpoints Widen the Blast Radius
The parallel flaw, CVE‑2025‑47981, is a wormable buffer‑overflow in the Windows SPNEGO negotiation mechanism. If SharePoint is the entry point, unpatched workstations and servers become the fast lane for lateral movement. Multiple analysts rate urgent patching—or compensating controls—“non‑negotiable.”
Automation that Closes the SharePoint CVE Gap
Right Click Tools Builder now ships two templates in our public Automation Repo:
| Template | Purpose | Outcome |
| CVE‑2025‑47981 Finder | Evaluates Windows devices for the SPNEGO flaw | Drops all flagged endpoints into a ConfigMgr collection for rapid patching |
| CVE‑2025‑53770 Remediator | Checks SharePoint Servers, applies July and hot‑fix patches when available, rotates MachineKey, and enforces Microsoft’s hardening guidance | Confirms success and logs results to a dashboard |
Built by Scott Erickson, scoped by Chris Muster, reviewed by Branden Hammann—live for you today.
Automation Template Benefits
- Minutes, not hours: Import the XML, select a target, and click Run—Builder handles inventory, validation, and remediation.
- One pane of glass: Results feed straight into your existing Right Click Tools dashboards, so ConfigMgr and Intune admins see the same truth.
- Risk knocked down, ROI up: A single run can replace dozens of manual queries and remote‑PowerShell checks, freeing staff for higher‑value tasks.
Quick Start
- Clone or download the templates from our GitHub repo.
- In Right Click Tools Builder, choose Import Template and browse to the JSON.
- Pick a test collection (we suggest a small pilot first).
- Review the pre‑run checklist—Builder surfaces required credentials and firewall rules automatically.
- Hit Run. Dashboards update in real time; optional email and Teams alerts are built‑in.
Tip: Use Intune’s “Assignments” to roll the CVE‑2025‑47981 patch to any hybrid‑joined device surfaced by the finder template—no extra packaging work required.
Beyond the Emergency
While this release tackles an immediate threat, the same framework can automate patch verification, baseline drift checks, or even license cleanup. Expect more templates to land in the repo weekly as the community contributes.
Stay in the Loop
- Follow our #sharepoint‑vulns thread on Discord for template tweaks and field notes.
- Watch the repo to get notified on future CVE packs.
- Need help? Open a GitHub issue or ping us on Reddit—engineers monitor both.
References
- Reuters: ransomware gangs piggyback SharePoint intrusions Reuters
- BleepingComputer: zero‑day attacks since July 18 BleepingComputer
- Microsoft MSRC: official guidance for CVE‑2025‑53770 Microsoft Security Response Center
- CISA alert on exploitation CISA
- WindowsCentral: “ToolShell” campaign timeline Windows Central
- CSO Online: incomplete July patch spurs exploits CSO Online
- WindowsForum: mitigation steps for unpatched endpoints Windows Forum
- Microsoft threat intel blog on Linen/Violet Typhoon Microsoft
