{"id":1047,"date":"2025-07-26T03:13:02","date_gmt":"2025-07-26T03:13:02","guid":{"rendered":"https:\/\/technov8s.com\/sharepoint-toolshell-zero-day-exploit-what-you-need-to-know-2025-emergency-fix-offer\/"},"modified":"2025-07-26T23:35:50","modified_gmt":"2025-07-26T23:35:50","slug":"vulnerabilite-critique-de-sharepoint-attaques-actives-detectees-comment-proteger-votre-entreprise","status":"publish","type":"post","link":"https:\/\/technov8s.com\/fr\/vulnerabilite-critique-de-sharepoint-attaques-actives-detectees-comment-proteger-votre-entreprise\/","title":{"rendered":"Critical SharePoint vulnerability: active attacks detected \u2013 how to protect your business"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">\ud83d\udee1\ufe0f What is ToolShell?<\/h3>\n\n\n\n<p>In July 2025, <strong>Microsoft<\/strong> and <strong>CISA<\/strong> (the U.S. cybersecurity agency) confirmed that a group of hackers is actively exploiting a critical flaw called <strong>ToolShell<\/strong>. 
This flaw affects only <strong>on-premises SharePoint servers<\/strong> (not SharePoint Online).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Vulnerability details:<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>CVE<\/th><th>Vulnerability type<\/th><th>Risk<\/th><\/tr><\/thead><tbody><tr><td>CVE-2025-49704<\/td><td>Remote code execution<\/td><td>Allows code to be executed without access<\/td><\/tr><tr><td>CVE-2025-49706<\/td><td>Network spoofing<\/td><td>Allows security controls to be bypassed<\/td><\/tr><tr><td>CVE-2025-53770<\/td><td>Bypass of the previous patch<\/td><td>Re-enables the original flaw<\/td><\/tr><tr><td>CVE-2025-53771<\/td><td>Bypass of the previous patch<\/td><td>Weakens network protections<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udccc Affected systems:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SharePoint Server 2016<\/li>\n\n\n\n<li>SharePoint Server 2019<\/li>\n\n\n\n<li>SharePoint Server Subscription Edition<\/li>\n\n\n\n<li>SharePoint 2013 or earlier (<strong>unsupported: disconnect immediately<\/strong>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u26a0\ufe0f Why it matters<\/h3>\n\n\n\n<p>This attack lets hackers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Take remote control of your SharePoint server<\/li>\n\n\n\n<li>Steal files or internal data<\/li>\n\n\n\n<li>Install malware or ransomware (such as 
<strong>Warlock<\/strong>)<\/li>\n\n\n\n<li>Move throughout your entire network<\/li>\n\n\n\n<li>Encrypt or delete your files<\/li>\n<\/ul>\n\n\n\n<p>The attacks use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Requests to <code>\/ToolPane.aspx?DisplayMode=Edit<\/code><\/li>\n\n\n\n<li>Forged requests via <code>\/SignOut.aspx<\/code><\/li>\n\n\n\n<li>Known IP addresses (107.191.58.76, 104.238.159.149, etc.)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 What you need to do right now<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Install the Microsoft security updates<\/strong> (released on July 8, 2025)<\/li>\n\n\n\n<li><strong>Change the ASP.NET security keys<\/strong><\/li>\n\n\n\n<li><strong>Restart IIS<\/strong> (use the <code>iisreset<\/code> command)<\/li>\n\n\n\n<li><strong>Enable antivirus protection with AMSI + Microsoft Defender<\/strong><\/li>\n\n\n\n<li><strong>Review the access logs<\/strong> to detect signs of attack<\/li>\n\n\n\n<li><strong>Look for suspicious files<\/strong> (.aspx, .dll or .exe) in SharePoint<\/li>\n\n\n\n<li><strong>Block the malicious IP addresses in your firewall<\/strong><\/li>\n\n\n\n<li><strong>Disconnect old unsupported servers (such as SharePoint 2013)<\/strong><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udd98 Emergency support offered by Technov8<\/h3>\n\n\n\n<p>To help businesses respond quickly, <strong>Technov8 is offering an emergency service until Sunday, July 27, 2025 at 11:59 p.m. (Eastern Time)<\/strong>.<\/p>\n\n\n\n<p>\u2705 Available services:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Patch installation<\/li>\n\n\n\n<li>Security configuration<\/li>\n\n\n\n<li>Restarting IIS services<\/li>\n\n\n\n<li>Quick check for signs of attack<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udd10 <strong>Advanced services (optional)<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In-depth (forensic) analysis<\/li>\n\n\n\n<li>Ransomware cleanup<\/li>\n\n\n\n<li>SharePoint hardening<\/li>\n\n\n\n<li>Migration to SharePoint Online<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udcec Contact us now<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud83d\udce7 Email: <strong><a>support@technov8s.com<\/a><\/strong><\/li>\n\n\n\n<li>\ud83d\udcde <em>Evening emergency calls are reserved for our customers with an active premium subscription.<\/em><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2753 Frequently asked questions (FAQ)<\/h3>\n\n\n\n<p><strong>Is SharePoint Online affected?<\/strong><br>No. This attack targets only on-premises servers.<\/p>\n\n\n\n<p><strong>I have already installed the updates. Am I protected?<\/strong><br>Not necessarily. Patch bypasses exist. You need to verify your versions and change the security keys.<\/p>\n\n\n\n<p><strong>I still use SharePoint 2013. Is that risky?<\/strong><br>Yes. This system no longer receives updates. It must be disconnected from the internet immediately.<\/p>\n\n\n\n<p><strong>What should I do if I find suspicious files or activity?<\/strong><br>Contact us as soon as possible. 
Every minute counts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udcce Useful links<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a>Microsoft guidance \u2013 CVE-2025-49704<\/a><\/li>\n\n\n\n<li><a class=\"\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/20\/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities\" target=\"_blank\" rel=\"noopener\">CISA alert \u2013 active vulnerabilities<\/a><\/li>\n\n\n\n<li><a class=\"\" href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/best-practices-event-logging-and-threat-detection\" target=\"_blank\" rel=\"noopener\">Best practices for event logging<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udee1\ufe0f What is ToolShell? In July 2025, Microsoft and CISA (the U.S. cybersecurity agency) confirmed that a group of hackers is actively exploiting a critical flaw called ToolShell. This flaw affects only on-premises SharePoint servers (not SharePoint Online). 
\ud83d\udd0d Vulnerability details: CVE Vulnerability type Risk CVE-2025-49704 Execution of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1073,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_oxygen_hide_in_design_set":false,"_oxygen_tags":"","footnotes":""},"categories":[13],"tags":[],"class_list":["post-1047","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-fr"],"_links":{"self":[{"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/posts\/1047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/comments?post=1047"}],"version-history":[{"count":4,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/posts\/1047\/revisions"}],"predecessor-version":[{"id":1074,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/posts\/1047\/revisions\/1074"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/media\/1073"}],"wp:attachment":[{"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/media?parent=1047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/categories?post=1047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technov8s.com\/fr\/wp-json\/wp\/v2\/tags?post=1047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}