The Cybersecurity and Infrastructure Security Agency (CISA) released an updated alert to reflect newly released information from Microsoft and to correct the actively exploited Common Vulnerabilities and Exposures (CVEs), which have been confirmed as CVE-2025-49706, a network spoofing vulnerability, and CVE-2025-49704, a remote code execution (RCE) vulnerability.
CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premises SharePoint servers. While the scope and impact continue to be assessed, the chain, publicly reported as ToolShell, pairs the spoofing flaw (CVE-2025-49706), which lets an unauthenticated attacker reach the server as if authenticated, with the RCE flaw (CVE-2025-49704), which then executes code over the network. Together they give malicious actors full access to SharePoint content, including file systems and internal configurations.
Microsoft has also identified the following new CVEs, which are not reported as actively exploited but pose a potential risk:
- CVE-2025-53771 is a patch bypass for CVE-2025-49706
- CVE-2025-53770 is a patch bypass for CVE-2025-49704
What You Should Do
- Apply the necessary security updates released by Microsoft
- Configure Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploy Microsoft Defender AV on all SharePoint servers. Note that the security update alone does not invalidate credentials an attacker may already have taken from a compromised server; Microsoft's guidance also calls for rotating the SharePoint ASP.NET machine keys and restarting IIS after the update is applied
- For information on detection, prevention, and advanced threat hunting measures, see Microsoft's blog post "Disrupting active exploitation of on-premises SharePoint vulnerabilities" and the advisory for CVE-2025-49706
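As an added example (not code from the alert, CISA, or Microsoft), the following script hunts IIS W3C logs for the request pattern Microsoft's guidance associates with this chain: a POST to /_layouts/15/ToolPane.aspx whose Referer is the /_layouts/SignOut.aspx page, followed by requests to spinstall0.aspx. The log lines, host names, and client IP addresses are constructed sample data; the file name `SAMPLE_LOG` and the function names are this example's own.

```python
"""Hunt IIS W3C extended logs for the ToolShell request pattern.

Added example, not code from the original page or from Microsoft.
Indicators come from Microsoft's published guidance for the SharePoint chain:
  * POST /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx
  * any request for spinstall0.aspx, the page dropped after exploitation
Real logs usually live under %SystemDrive%\\inetpub\\logs\\LogFiles\\W3SVC<id>\\
and carry more columns than the sample; the parser keys off the #Fields line,
so extra columns are handled.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample log: two malicious requests from 203.0.113.7 and two
# benign ones from 198.51.100.9 (an ordinary ToolPane.aspx POST from the
# page editor, which has a normal Referer and must NOT be flagged).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-19 09:14:02 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 https://sp.example.test/_layouts/SignOut.aspx
2025-07-19 09:14:05 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-19 09:15:10 198.51.100.9 GET /_layouts/15/start.aspx - 200 https://sp.example.test/
2025-07-19 09:15:11 198.51.100.9 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 https://sp.example.test/sites/hr/_layouts/15/start.aspx
"""


@dataclass
class IISEntry:
    date: str
    time: str
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: int
    referer: str


def parse_iis_w3c(lines: Iterable[str]) -> list[IISEntry]:
    """Parse W3C log lines, mapping columns by the most recent #Fields directive."""
    fields: list[str] | None = None
    entries: list[IISEntry] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split(" ")          # IIS writes spaces inside values as '+'
        if len(values) != len(fields):
            continue                      # truncated line: skip, do not abort the hunt
        rec = dict(zip(fields, values))
        entries.append(IISEntry(
            date=rec.get("date", "-"),
            time=rec.get("time", "-"),
            client_ip=rec.get("c-ip", "-"),
            method=rec.get("cs-method", "-"),
            uri_stem=rec.get("cs-uri-stem", "-"),
            uri_query=rec.get("cs-uri-query", "-"),
            status=int(rec.get("sc-status", "0")),
            referer=rec.get("cs(Referer)", "-"),
        ))
    return entries


def is_toolshell_request(e: IISEntry) -> bool:
    """POST to ToolPane.aspx arriving with the SignOut.aspx Referer (the auth-bypass step)."""
    return (e.method.upper() == "POST"
            and e.uri_stem.lower().endswith("/_layouts/15/toolpane.aspx")
            and "/_layouts/signout.aspx" in e.referer.lower())


def is_spinstall_request(e: IISEntry) -> bool:
    """Any request for spinstall0.aspx, regardless of status code."""
    return e.uri_stem.lower().endswith("/spinstall0.aspx")


def hunt(lines: Iterable[str]) -> list[tuple[IISEntry, str]]:
    """Return (entry, reason) pairs for every log line matching an indicator."""
    findings = []
    for e in parse_iis_w3c(lines):
        if is_toolshell_request(e):
            findings.append((e, "ToolPane.aspx POST with SignOut.aspx Referer"))
        elif is_spinstall_request(e):
            findings.append((e, "request for spinstall0.aspx"))
    return findings


if __name__ == "__main__":
    for entry, reason in hunt(SAMPLE_LOG.splitlines()):
        print(f"{entry.date} {entry.time} {entry.client_ip} {entry.method} "
              f"{entry.uri_stem} -> {reason}")
```

Run it against a real log with `hunt(open(path, encoding="utf-8"))`. A hit on the ToolPane/SignOut pattern from an external address is the strongest signal; a 200 on spinstall0.aspx means the post-exploitation page was already on disk, so treat the server as compromised and rotate machine keys rather than only patching.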
If you have questions or need assistance, contact a member of the Admiral team.