CISA Adds Actively Exploited Microsoft SharePoint Vulnerabilities to KEV Catalog Amid Nation-State Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Microsoft SharePoint vulnerabilities—CVE-2025-49704 and CVE-2025-49706—to its Known Exploited Vulnerabilities (KEV) catalog as of July 22, 2025, following confirmed evidence of active exploitation. In response, Federal Civilian Executive Branch (FCEB) agencies have been directed to address the vulnerabilities by July 23, 2025.

“CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers,” the agency said in a public advisory.

These flaws, part of a broader exploit chain referred to as ToolShell, are now linked to Chinese state-backed groups, including Linen Typhoon and Violet Typhoon, which have been exploiting the vulnerabilities since early July 2025, according to Microsoft. The two bugs are a remote code execution (RCE) flaw, CVE-2025-49704, and a spoofing flaw that bypasses authentication, CVE-2025-49706; chained together, they give an unauthenticated attacker code execution on on-premises SharePoint servers.

Microsoft has officially acknowledged CVE-2025-53770 as actively exploited in the wild and published descriptions of the four related flaws:

CVE-2025-49704 – SharePoint Remote Code Execution (code injection)

CVE-2025-49706 – SharePoint Spoofing (authentication bypass)

CVE-2025-53770 – ToolShell Remote Code Execution (deserialization of untrusted data; a variant of CVE-2025-49704)

CVE-2025-53771 – ToolShell Spoofing (path traversal; a variant of CVE-2025-49706)

The July 2025 security updates for CVE-2025-53770 and CVE-2025-53771 supersede the earlier fixes: a server that carries only the CVE-2025-49704 and CVE-2025-49706 patches from Patch Tuesday is still exposed to the chain.

According to Akamai researchers, “The root cause [of CVE-2025-53770] is a combination of two bugs: An authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704).”

Threat actors have been seen deploying web shells, extracting MachineKey data, and running encoded PowerShell commands that download a malicious binary, "client.exe," under a benign-looking name such as "debug.js." Symantec reported that the binary is used to launch scripts that gather system and cryptographic information. The MachineKey theft matters beyond the initial intrusion: the ValidationKey and DecryptionKey are what ASP.NET uses to sign and encrypt __VIEWSTATE, so an attacker holding a copy can keep forging payloads the server accepts even after it is patched. Microsoft's guidance is therefore to rotate the machine keys and restart IIS after installing the update.
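The following is an added example, not code from the article or from CISA, Microsoft, Akamai or Symantec: a PowerShell triage script for an on-premises SharePoint farm that hunts IIS logs for the request shape of the spoofing-plus-RCE chain, lists .aspx pages dropped into the LAYOUTS directory, and optionally rotates the ASP.NET machine keys. The request indicators (a POST to ToolPane.aspx in edit mode with a Referer of SignOut.aspx) and the spinstall0.aspx file name come from Microsoft's published hunting guidance; the log root, LAYOUTS path, W3C field order and July 2025 cutoff are assumed defaults to adjust per farm.

```powershell
<#
Added example (not from the article, CISA or Microsoft): triage an on-premises
SharePoint farm suspected of ToolShell exposure.
  1. Hunt IIS W3C logs for the auth-bypass request pattern.
  2. List ASP.NET pages recently created in LAYOUTS (web shell check).
  3. With -RotateKeys, rotate ASP.NET machine keys and restart IIS.
Assumptions: default IIS log root and LAYOUTS path, default W3C field order
(date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...),
and a July 2025 cutoff. Run from the SharePoint Management Shell as a farm admin.
#>
[CmdletBinding()]
param(
    [string]   $LogRoot    = 'C:\inetpub\logs\LogFiles',
    [string]   $LayoutsDir = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    [datetime] $Since      = [datetime]'2025-07-01',
    [switch]   $RotateKeys
)

# --- 1. IIS log hunt ---------------------------------------------------------
# The spoofing half of the chain (CVE-2025-49706 / CVE-2025-53771) appears as a
# POST to ToolPane.aspx in edit mode whose Referer claims the request came from
# the sign-out page. Both indicators are from Microsoft's public guidance.
$toolPane = 'POST /_layouts/1[56]/ToolPane\.aspx \S*DisplayMode=Edit'
$signOut  = '/_layouts/(15/)?SignOut\.aspx'

$hits = Get-ChildItem -Path $LogRoot -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-String -Pattern $toolPane |
    Where-Object { $_.Line -match $signOut }

if ($hits) {
    Write-Warning ("{0} request(s) match the ToolShell auth-bypass pattern:" -f $hits.Count)
    $hits | ForEach-Object {
        # Default W3C field order; check the #Fields header if the site customizes it.
        $f = $_.Line -split ' '
        [pscustomobject]@{ Date = $f[0]; Time = $f[1]; ClientIP = $f[8]; LogFile = $_.Filename }
    } | Format-Table -AutoSize
} else {
    Write-Output "No ToolPane/SignOut request pattern found in logs since $Since."
}

# --- 2. Web shell check ------------------------------------------------------
# The observed web shells were .aspx pages written into LAYOUTS to read the
# MachineKey. spinstall0.aspx is the name Microsoft reported; anything created
# after the cutoff is suspect. Caveat: a security update also refreshes files
# here, so compare creation times against the patch installation history.
$suspect = Get-ChildItem -Path $LayoutsDir -Filter '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.Name -like 'spinstall*.aspx' }
if ($suspect) {
    Write-Warning 'Recently created .aspx files in LAYOUTS (preserve for forensics, then remove):'
    $suspect | Select-Object Name, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
}

# --- 3. Key rotation ---------------------------------------------------------
# Patching closes the entry point but does not invalidate a stolen
# ValidationKey/DecryptionKey, which still signs forged __VIEWSTATE. Rotate the
# keys for every web application, then restart IIS on every server in the farm.
# If Update-SPMachineKey is not present on this build, run the Machine Key
# Rotation timer job from Central Administration instead.
if ($RotateKeys) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Write-Output ("Farm build before rotation: {0}" -f (Get-SPFarm).BuildVersion)
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Write-Output ("Rotating machine key for {0}" -f $_.Url)
        Update-SPMachineKey -WebApplication $_
    }
    iisreset.exe /restart
}
```

Run it read-only first to see the findings, then with -RotateKeys only after the July 2025 security update for CVE-2025-53770/53771 is installed; rotating keys on an unpatched server just hands the attacker a fresh copy on the next request. The rotation restarts IIS on the server it runs on, and the farm's other front ends need the same restart, so schedule it accordingly.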

Security firm watchTowr revealed it can exploit CVE-2025-53770 to bypass Microsoft’s Antimalware Scan Interface (AMSI) mitigation. “AMSI was never a silver bullet… But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea,” warned CEO Benjamin Harris.

CISA’s Chris Butera confirmed the agency is collaborating with Microsoft and other partners. “CISA continues to work in lockstep with Microsoft, as well as federal and other partners, to address and mitigate the active exploitation of multiple vulnerabilities impacting Microsoft on-site SharePoint servers.”

Current estimates suggest around 400 organizations, including federal agencies and state, local, tribal and territorial (SLTT) partners, have been compromised in this wave of exploitation.
