Why Network Fingerprinting is Your Strongest First Defense
A critical new remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, identified as CVE-2025-53770, is being actively exploited, presenting a severe threat to organizations. This flaw allows an unauthenticated attacker to take complete control of a server over the network, making immediate and effective defense a top priority. The flaw was disclosed by Microsoft on the 19th July.
While applying vendor patches is a crucial security measure, the nature of zero-day exploits means that attackers often have a head start. This is where a modern, proactive security posture becomes essential.
This post will explore the technical nature of this threat and demonstrate how a proactive strategy centered on network fingerprinting provides a formidable shield against zero-day exploits, often neutralizing the threat before a formal patch is even deployed.
Understanding the Threat: CVE-2025-53770
The SharePoint vulnerability is particularly dangerous as it allows for the deserialization of untrusted data, leading to remote code execution without any need for attacker authentication. This makes any unpatched, internet-facing on-premises SharePoint server a potential target. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reinforced the severity of this threat by adding it to its Known Exploited Vulnerabilities Catalog.
Exploitation can lead to a complete compromise of the SharePoint server, allowing attackers to steal data, execute arbitrary code, and potentially move laterally across the internal network.
The Race Against Scanners
When a zero-day vulnerability like this is discovered, a global, automated race begins. Malicious actors immediately deploy scanners to canvas the internet for vulnerable systems.
Our own analysis shows that the majority of malicious requests targeting our clients came from the DigitalOcean and Scaleway ASNs, with Amazon Web Services (AWS) EC2 and Microsoft Azure also being a prominent source. These networks are well-known for being leveraged by malicious actors to quickly launch scanning and attack campaigns. Interestingly scans were happening on the 16th and 17th of July, BEFORE the vulnerability was disclosed by Microsoft.
This initial scanning phase, however, presents a golden opportunity for defense. Instead of waiting to analyze the specific attack payload, we can identify and block the very tools the attackers are using.
Exploits attempts in the wild. Note attempts days before disclosure.
Why IP Reputation Isn't Enough
For years, a primary method of defense has been IP reputation—blocking traffic from IP addresses known to be malicious. While simple and somewhat effective against basic attacks, this approach is increasingly unreliable in the face of modern threats.
The rise of sophisticated proxy services has fundamentally changed the game. Attackers now have easy access to vast networks of residential, mobile, and rotating datacenter proxies. These services allow them to distribute their attack traffic across thousands or even millions of seemingly legitimate IP addresses, making it impossible to maintain an effective blocklist. An IP that sends a malicious request one moment could be used by a legitimate customer the next.
Furthermore, attackers leveraging cloud infrastructure use ephemeral IPs that exist for only a short time, rendering IP-based blocking a constant and losing game of cat and mouse. This approach also carries a high risk of "collateral damage," where legitimate users are blocked simply because they share an IP address with a bad actor, a common scenario with Carrier-Grade NAT (CGNAT) or public Wi-Fi. Relying solely on where a request comes from is no longer a viable strategy.
Unmasking the Attacker's Tools with Network Fingerprinting
This is where the power of network fingerprinting comes in as a formidable zero-day defense. Fingerprinting in cybersecurity refers to methods used to identify the unique characteristics of devices, software, or users. It allows for the identification and categorization of operating systems and software based on their distinct signatures in network communications.
When attackers rush to exploit a new vulnerability, they don't use standard web browsers. They quickly code scanners using programming languages and libraries like Python, Go, or Java. These tools and libraries create network connections with distinct, non-browser-like fingerprints. By analyzing these, we can block the scanner before it ever delivers its malicious payload.
Peakhour utilizes several passive fingerprinting techniques to achieve this:
TCP Fingerprinting
This method identifies a device's operating system by analyzing how it implements the TCP protocol. By examining nuances in TCP packets—like window size, Time to Live (TTL), and how the device responds to non-standard packets—we can identify the underlying system that created the request.
TLS Fingerprinting
This powerful technique analyzes the "ClientHello" message sent by the client during the initial TLS handshake to establish a secure connection. The combination of TLS version, supported cipher suites, and extensions creates a unique fingerprint. This is a highly effective way of identifying the classes of connecting clients, such as those made by Go, Python, or Java libraries, which are commonly used for attack tooling. JA4 and JA3 are popular TLS fingerprint formats.
HTTP/2 Fingerprinting
This involves analyzing how clients use the HTTP/2 protocol, including their patterns in sending HTTP/2 frames and negotiating connections. This makes it easier to differentiate between legitimate browsers, bots, and the custom applications used in an attack campaign.
After identifying these fingerprints, Peakhour's bot management service uses machine learning to classify them as either a legitimate browser or a bot. This provides an incredibly strong layer of defense against zero-day exploits. The scanners are identified and blocked based on their fundamental network characteristics, irrespective of the specific vulnerability or payload they carry.
Defense in Depth
No single security measure is a silver bullet. While network fingerprinting provides a powerful first line of defense against automated scanners, a multi-layered, defense-in-depth strategy is paramount.
Any request that manages to bypass the initial fingerprinting checks must face the next layer: our standard Web Application Firewall (WAF) with post-body scanning. A WAF acts as a protective shield, inspecting every request before it reaches the application. By enabling the inspection of the full request body, the WAF can identify and block malicious payloads, such as the specific code used in an exploit attempt, that may be hidden within the data sent to the server. Our WAF was updated with a specific virtualpatch on the 22nd July at 5am AEST ensuring specific protection against this vulnerability
Staying Ahead in a Zero-Day World
The SharePoint CVE-2025-53770 vulnerability is a stark reminder that a reactive security posture is not enough. While patching is essential, the reality is that attackers move first.
By leveraging advanced, proactive techniques like network fingerprinting, organizations can identify and neutralize the automated tools attackers rely on during the critical opening hours of a zero-day exploit's life. This approach, when combined with the robust payload inspection of a WAF, provides a comprehensive and resilient security strategy to protect critical assets and stay one step ahead of adversaries.
