CISA’s Urgent Call to Action: Patching Microsoft SharePoint Vulnerabilities

July 23, 2025 | 6 min read | Category: Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently taken decisive action by adding two critical Microsoft SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog. This move, announced on July 22, 2025, is based on evidence of active exploitation by malicious actors, prompting an urgent call for remediation by Federal Civilian Executive Branch (FCEB) agencies by July 23, 2025.

CISA’s advisory highlights the active exploitation of a spoofing and remote code execution (RCE) vulnerability chain involving these two flaws, collectively tracked as ToolShell. This vulnerability chain enables unauthorized access to on-premises SharePoint servers, posing a significant threat to organizations relying on this widely used platform.

The inclusion of these vulnerabilities in the KEV catalog follows revelations from Microsoft that Chinese hacking groups, identified as Linen Typhoon and Violet Typhoon, have been leveraging these flaws to breach on-premises SharePoint servers since July 7, 2025. Despite Microsoft’s advisories listing only CVE-2025-53770 as being exploited in the wild, the broader implications of these vulnerabilities are now coming to light.

The four critical flaws identified are as follows:

CVE-2025-49704 – SharePoint Remote Code Execution
CVE-2025-49706 – SharePoint Post-auth Remote Code Execution
CVE-2025-53770 – SharePoint ToolShell Authentication Bypass and Remote Code Execution
CVE-2025-53771 – SharePoint ToolShell Path Traversal

The root cause of CVE-2025-53770, as explained by the Akamai Security Intelligence Group, is a combination of an authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704). These vulnerabilities have been exploited to deploy web shells, allowing threat actors to retrieve and steal sensitive MachineKey data. Symantec has also identified post-exploitation activities, including the execution of encoded PowerShell commands to download malicious files.

The urgency of the situation is underscored by the fact that these vulnerabilities have been linked to nation-state actors. WatchTowr Labs has internally devised a method to exploit CVE-2025-53770, bypassing Microsoft’s Antimalware Scan Interface (AMSI), a mitigation step intended to prevent unauthenticated attacks. WatchTowr CEO Benjamin Harris emphasized, “AMSI was never a silver bullet, and this outcome was inevitable. But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea.” He further noted, “Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI. Organizations must patch. Should go without saying – all the public PoCs will trigger AMSI, and mislead organizations into believing the mitigations are comprehensive/the host is no longer vulnerable. This would be incorrect.”

CISA, in collaboration with Microsoft and other partners, is actively working to address and mitigate the exploitation of these vulnerabilities. The agency is aware of the impact on federal agencies and State, Local, Tribal, and Territorial (SLTT) partners and is committed to assessing the scope and mitigating the associated risks.

As of the latest estimates, approximately 400 government agencies, corporations, and other entities have been compromised. This situation serves as a stark reminder of the ever-evolving threat landscape and the importance of proactive cybersecurity measures.

Organizations must prioritize patching these vulnerabilities to safeguard their systems and data. The exploitation of SharePoint zero-day vulnerabilities by sophisticated threat actors underscores the need for vigilance and timely action in the face of emerging cyber threats.

Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.