CISA has issued an urgent alert regarding active exploitation of critical Microsoft SharePoint vulnerabilities by suspected Chinese threat actors. 

The attack campaign, dubbed “ToolShell,” leverages a vulnerability chain involving CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution) to gain unauthorized access to on-premises SharePoint servers.

The sophisticated attack enables malicious actors to achieve both unauthenticated system access and authenticated access through network spoofing techniques. 

Key Takeaways1. Chinese hackers exploiting SharePoint CVE-2025-49706 and CVE-2025-49704 for full system access.2. Emergency patches released July 22, and two patch bypass vulnerabilities identified.3. Apply patches immediately, configure AMSI, and disconnect end-of-life SharePoint systems.

Once compromised, attackers can fully access SharePoint content, including file systems and internal configurations, while executing arbitrary code across the network infrastructure. 

Security researchers from Eye Security and Palo Alto Networks Unit42 have provided detailed analysis of the exploitation methods being employed.

Emergency Security Updates Released 

Microsoft responded swiftly to the active exploitation by releasing comprehensive security guidance and patches on July 22, 2025. 

The company has also identified two additional patch bypass vulnerabilities: CVE-2025-53771 and CVE-2025-53770, which could potentially circumvent the initial fixes for the primary vulnerabilities.

Organizations are strongly advised to implement Microsoft’s security updates immediately and configure the Antimalware Scan Interface (AMSI) within SharePoint environments. 

Critical mitigation steps include rotating ASP.NET machine keys both before and after applying patches, then restarting IIS web servers to ensure complete protection.

CVETitleCVSS 3.1 ScoreSeverityCVE-2025-49706Network Spoofing Vulnerability6.5MediumCVE-2025-49704Remote Code Execution (RCE) Vulnerability8.8High

 CISA’s Recommendations

CISA has provided specific indicators of compromise for organizations to monitor. Security teams should watch for suspicious POST requests to the endpoint /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which has been identified as a primary attack vector. 

Additionally, organizations must scan for connections from three specific IP addresses: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly focusing on activity between July 18-19, 2025.

The agency recommends implementing comprehensive logging capabilities and updating intrusion prevention systems (IPS) and web application firewall (WAF) rules to detect and block exploit patterns. 

Organizations operating end-of-life SharePoint versions, such as SharePoint Server 2013, should immediately disconnect these systems from internet-facing networks.

All three primary vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing the critical nature of this threat. 

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now