CISA Alert: SharePoint Flaws Under Active Attack

On July 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive requiring all federal agencies to immediately patch critical vulnerabilities in Microsoft SharePoint. The warning follows confirmed evidence that Chinese state-sponsored threat actors are actively exploiting these flaws in real-world attacks.

Actively Exploited Vulnerabilities

The following vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2025-49704 – Remote Code Execution (RCE)
  • CVE-2025-49706 – Post-authentication RCE

These flaws are being exploited together in a “spoofing + RCE chain,” which allows attackers to access on-premises SharePoint servers without authorization. Microsoft confirmed that Chinese APT groups — including Linen Typhoon and Violet Typhoon — began abusing these flaws in early July 2025.

“ToolShell” – A Complex Exploitation Chain

The exploited flaws are part of a broader vulnerability set collectively known as ToolShell, which includes:

  • CVE-2025-49704 – SharePoint Remote Code Execution
  • CVE-2025-49706 – SharePoint Post-auth Remote Code Execution
  • CVE-2025-53770 – SharePoint ToolShell Authentication Bypass and Remote Code Execution
  • CVE-2025-53771 – SharePoint ToolShell Path Traversal

Researchers found that CVE-2025-53770 can bypass authentication and execute code by itself. In most cases, it doesn’t require CVE-2025-53771. This suggests that CVE-2025-53770 and CVE-2025-53771 may be patch bypasses for the earlier vulnerabilities.

According to Akamai’s Security Intelligence Group, the root cause lies in the combination of an authentication bypass (CVE-2025-49706) and an insecure deserialization flaw (CVE-2025-49704) — together enabling remote execution of arbitrary code.

AMSI Is Not Enough

Microsoft suggests enabling AMSI to detect malware, but WatchTowr Labs found that CVE-2025-53770 can bypass this layer of defense.

“AMSI was never a silver bullet, and organizations that rely on it instead of patching are taking a significant risk.”
— Benjamin Harris, CEO, WatchTowr Labs

He emphasized that nation-state attackers are more than capable of bypassing basic security tools, and relying solely on AMSI could give organizations a false sense of protection while they remain vulnerable.

Recommendations for Organizations

To mitigate the risks associated with these vulnerabilities, organizations should take the following immediate actions:

  1. Apply the latest Microsoft SharePoint patches — especially those addressing the ToolShell vulnerabilities.
  2. Do not rely on AMSI alone — it’s a detection mechanism, not a patch or a fix.
  3. Monitor CISA’s KEV Catalog regularly to stay informed about actively exploited vulnerabilities.
  4. Audit your on-premises SharePoint servers for unauthorized access or suspicious activity.
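One way to automate step 3, as an added example that is not part of the original article: a Python check that indexes a feed in the format of CISA's KEV JSON and reports, for the four ToolShell CVEs listed above, whether each is catalogued and whether its remediation due date has already passed. The field names `cveID` and `dueDate` are assumed from the public feed; the sample entries and dates below are constructed, not copied from the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the public feed; the entries and dates here are made up.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-22", "dueDate": "2025-07-23"},
    {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-22", "dueDate": "2025-07-23"}
  ]
}
"""

# The ToolShell CVE set named in the alert above
TOOLSHELL_CVES = ("CVE-2025-49704", "CVE-2025-49706", "CVE-2025-53770", "CVE-2025-53771")


def load_kev(raw_json):
    """Index a KEV-format feed by CVE ID."""
    feed = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def check_watchlist(kev_index, cves, today_iso):
    """Return {cve: status}: 'not-in-kev' (keep watching), 'in-kev' (patch by
    the due date) or 'overdue' (the KEV due date has already passed)."""
    today = date.fromisoformat(today_iso)
    report = {}
    for cve in cves:
        entry = kev_index.get(cve)
        if entry is None:
            report[cve] = "not-in-kev"
        elif today > date.fromisoformat(entry["dueDate"]):
            report[cve] = "overdue"
        else:
            report[cve] = "in-kev"
    return report


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)
    for cve, status in check_watchlist(index, TOOLSHELL_CVES, "2025-07-24").items():
        print(f"{cve}: {status}")
```

Feeding `load_kev` the downloaded live feed instead of the sample runs the same check against the real catalog; a CVE still reported as `not-in-kev` should stay on the watch-list, since it may be added later.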

These SharePoint flaws are now being used by advanced, state-backed attackers. This is a clear signal: timely patching and active monitoring are essential. Organizations must act swiftly to reduce their exposure to exploitation.

Source: The Hacker News