The attack campaign, dubbed “ToolShell,” leverages a vulnerability chain involving CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution) to gain unauthorized access to on-premises SharePoint servers.
The attack gives malicious actors both unauthenticated access to the server and, through the network spoofing flaw, access as an authenticated user.
Key Takeaways
1. Chinese hackers exploiting SharePoint CVE-2025-49706 and CVE-2025-49704 for full system access.
2. Emergency patches released July 22, and two patch bypass vulnerabilities identified.
3. Apply patches immediately, configure AMSI, and disconnect end-of-life SharePoint systems.
Once compromised, attackers can fully access SharePoint content, including file systems and internal configurations, while executing arbitrary code across the network infrastructure.
Security researchers from Eye Security and Palo Alto Networks Unit 42 have published detailed analyses of the exploitation methods in use.
Microsoft responded swiftly to the active exploitation by releasing comprehensive security guidance and patches on July 22, 2025.
The company has also identified two additional patch bypass vulnerabilities: CVE-2025-53771 and CVE-2025-53770, which could potentially circumvent the initial fixes for the primary vulnerabilities.
Organizations are strongly advised to implement Microsoft’s security updates immediately and configure the Antimalware Scan Interface (AMSI) within SharePoint environments.
Critical mitigation steps include rotating ASP.NET machine keys both before and after applying patches, then restarting IIS web servers to ensure complete protection.
| CVE | Title | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-49706 | Network Spoofing Vulnerability | 6.5 | Medium |
| CVE-2025-49704 | Remote Code Execution (RCE) Vulnerability | 8.8 | High |
CISA has provided specific indicators of compromise for organizations to monitor. Security teams should watch for suspicious POST requests to the endpoint /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which has been identified as a primary attack vector.
Additionally, organizations must scan for connections from three specific IP addresses: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly focusing on activity between July 18-19, 2025.
The agency recommends implementing comprehensive logging capabilities and updating intrusion prevention systems (IPS) and web application firewall (WAF) rules to detect and block exploit patterns.
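As an added illustration of what the CISA guidance above means in practice (this is example code written for this page, not CISA's or Microsoft's tooling), the following script runs the two published indicators over IIS W3C log lines: POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, and any request from the three listed IP addresses, with the July 18-19, 2025 window called out separately. The log lines are constructed for the example, and the field order is assumed to match the #Fields header shown in the sample; real IIS logs vary in their selected fields, so read the header of your own logs and adjust W3C_FIELDS accordingly.

```python
from datetime import date

# Indicators quoted in the article from CISA's guidance (IPs kept defanged as published).
TOOLPANE_PATH = "/_layouts/15/ToolPane.aspx"
TOOLPANE_QUERY_MARKER = "DisplayMode=Edit"
SUSPECT_IPS_DEFANGED = ["107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147"]
SUSPECT_IPS = {ip.replace("[.]", ".") for ip in SUSPECT_IPS_DEFANGED}
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))

# Assumed field order for the constructed log below (matches its #Fields header).
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log: one exploit-pattern hit from a listed IP inside the window,
# one benign request, one listed IP outside the window, one ToolPane POST in odd casing.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2025-07-18 22:14:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 200",
    "2025-07-18 22:14:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 192.0.2.10 Mozilla/5.0 200",
    "2025-07-20 09:00:00 10.0.0.5 GET /sites/hr/default.aspx - 443 - 96.9.125.147 curl/8.0 404",
    "2025-07-19 01:02:03 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit 443 - 198.51.100.7 python-requests/2.32 200",
]


def parse_w3c_line(line):
    """Return a dict for one IIS W3C log line, or None for comment/blank/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def classify(entry):
    """Return the list of indicator names this entry matches (empty list if none)."""
    hits = []
    # Indicator 1: POST to ToolPane.aspx with DisplayMode=Edit (compared case-insensitively,
    # since IIS preserves the casing the client sent).
    if (entry["cs-method"].upper() == "POST"
            and entry["cs-uri-stem"].lower() == TOOLPANE_PATH.lower()
            and TOOLPANE_QUERY_MARKER.lower() in entry["cs-uri-query"].lower()):
        hits.append("toolpane-post")
    # Indicator 2: any request from one of the listed source IPs, with the
    # July 18-19 window flagged as a separate, higher-confidence signal.
    if entry["c-ip"] in SUSPECT_IPS:
        hits.append("known-ip")
        year, month, day = (int(x) for x in entry["date"].split("-"))
        if WINDOW[0] <= date(year, month, day) <= WINDOW[1]:
            hits.append("known-ip-in-window")
    return hits


def scan(lines):
    """Return (date, time, client ip, uri-stem, hits) for every line matching an indicator."""
    findings = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["date"], entry["time"], entry["c-ip"],
                             entry["cs-uri-stem"], hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Against real logs, feed the file's lines to scan() instead of SAMPLE_LOG; the "toolpane-post" indicator is the one worth alerting on regardless of source address, because the published IPs are only the infrastructure observed so far.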
Organizations operating end-of-life SharePoint versions, such as SharePoint Server 2013, should immediately disconnect these systems from internet-facing networks.
All three primary vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing the critical nature of this threat.
The post CISA Warns of Chinese Hackers Exploiting SharePoint 0-Day Flaws in Active Exploitation appeared first on Cyber Security News.