Microsoft has confirmed that vulnerabilities in its on-premises SharePoint Server installations, a network spoofing vulnerability (CVE-2025-49706) and a remote code execution vulnerability (CVE-2025-49704), are being actively exploited despite the release of an emergency patch on July 20, 2025. The vulnerabilities allow threat actors to “execute code remotely, bypass identity protections such as multi-factor authentication and access system files before moving across the Windows domain.”
The exploitation is “on a massive and ongoing scale,” and since SharePoint is “often connected to core services such as Microsoft Outlook, Teams, and OneDrive, the attacks can lead directly to password harvesting and data theft.” Microsoft urges customers to apply the update as soon as possible. “Microsoft has now confirmed that following deployment of the emergency security update, ‘it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.’”
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert as well, stating that “CISA is aware of active exploitation of a spoofing and RCE vulnerability, enabling unauthorized access to on-premises SharePoint servers.” The vulnerabilities “publicly reported as ToolShell, provide unauthenticated access to systems and authenticated access through network spoofing, respectively, and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
CISA recommends:
- Applying the necessary security updates released by Microsoft.
- Configuring Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploying Microsoft Defender AV on all SharePoint servers.
- Disconnecting affected products that are public facing on the internet from service until official mitigations are available, if AMSI cannot be enabled. Once mitigations are provided, apply them according to CISA and vendor instructions.
- Following the applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are not available.
- Reviewing information on detection, prevention, and advanced threat hunting measures in Microsoft’s “Disrupting active exploitation of on-premises SharePoint vulnerabilities” and its advisory for CVE-2025-49706. CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
- Rotating ASP.NET machine keys, then after applying Microsoft’s security update, rotating ASP.NET machine keys again, and restarting the IIS web server.
- Disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.
- Monitoring for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
- Conducting scans for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
- Updating intrusion prevention system and web-application firewall (WAF) rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
- Implementing comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
- Auditing and minimizing layout and admin privileges.
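The two log-based indicators in CISA’s list above (POSTs to ToolPane.aspx with DisplayMode=Edit, and requests from the three listed IPs during July 18-19, 2025) can be checked against IIS logs with a short hunting script. The following is an added example, not code from Microsoft, CISA, or the original article; it assumes IIS W3C-format logs with a #Fields header, and the sample log lines in it are constructed, not real traffic.

```python
import re
from datetime import date
# Indicators from the CISA list above; IPs kept defanged as on the page and refanged here.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
KNOWN_IPS = {ip.replace("[.]", ".") for ip in ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))  # "particularly between July 18-19, 2025"
QUERY_RE = re.compile(r"(^|&)DisplayMode=Edit(&|$)", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request from an IIS W3C-format log, keyed by its #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def classify(rec):
    """Return the advisory indicators a record matches (empty list means clean)."""
    reasons = []
    # Indicator 1: POST to ToolPane.aspx with DisplayMode=Edit (path/query compared case-insensitively).
    if (rec.get("cs-method", "").upper() == "POST"
            and rec.get("cs-uri-stem", "").lower() == TOOLPANE_PATH
            and QUERY_RE.search(rec.get("cs-uri-query", ""))):
        reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
    # Indicator 2: any request from a listed IP, noting whether it falls in the Jul 18-19 window.
    ip = rec.get("c-ip", "")
    if ip in KNOWN_IPS:
        in_window = WINDOW[0] <= date.fromisoformat(rec["date"]) <= WINDOW[1]
        reasons.append(f"known IP {ip} {'inside' if in_window else 'outside'} Jul 18-19 window")
    return reasons

def hunt(lines):
    """Return (client IP, reasons) for every record matching at least one indicator."""
    return [(r["c-ip"], classify(r)) for r in parse_w3c(lines) if classify(r)]

# Constructed sample log: exploit-pattern POST from a listed IP, benign GET, lower-cased POST
# from an unlisted IP, and a benign GET from a listed IP inside the window.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-18 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 107.191.58.76 Mozilla/5.0 200
2025-07-18 14:05:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 192.0.2.10 Mozilla/5.0 200
2025-07-21 09:15:03 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit 443 198.51.100.7 python-requests/2.31 200
2025-07-19 02:00:00 10.0.0.5 GET /sites/hr/default.aspx - 443 96.9.125.147 curl/8.0 200
"""

if __name__ == "__main__":
    for ip, why in hunt(SAMPLE_LOG.splitlines()):
        print(ip, "->", "; ".join(why))
```

Point the script at real logs by passing `open(path)` in place of `SAMPLE_LOG.splitlines()`; a hit on the POST pattern warrants key rotation and the full Microsoft hunting guidance, since the request alone does not prove success.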
If these vulnerabilities affect your organization, addressing them immediately by following the guidance from Microsoft and CISA is critical.