Critical Microsoft SharePoint Vulnerabilities Identified: What You Need to Know
On July 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgency for organizations to address these security risks. The specific vulnerabilities, designated CVE-2025-49704 and CVE-2025-49706, have shown signs of active exploitation, prompting immediate attention.
Overview of the Vulnerabilities
CISA has reported that agencies within the Federal Civilian Executive Branch (FCEB) must remediate these vulnerabilities by July 23, 2025. The agency noted that the vulnerabilities allow unauthorized access to on-premises SharePoint servers through an attack chain that combines a spoofing flaw with a remote code execution (RCE) flaw.
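Turning the KEV deadline above into an actionable check: the following added example (not from the article or from CISA) parses an excerpt in the schema of CISA's KEV JSON feed, selects the SharePoint entries, and reports which have passed their due date. Only the two CVE IDs, the vendor/product and the July 22/23 dates come from the article; the feed URL is CISA's real one, but the excerpt itself is constructed and the third entry is a placeholder.

```python
import json
from datetime import date

# Constructed excerpt in the schema of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the CVE IDs, vendor, product and dates come from the article; the other field
# values are illustrative, and the third entry is a placeholder, not a real CVE.
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft", "product": "SharePoint",
         "vulnerabilityName": "SharePoint Remote Code Execution", "dateAdded": "2025-07-22",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2025-07-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft", "product": "SharePoint",
         "vulnerabilityName": "SharePoint Post-auth Remote Code Execution", "dateAdded": "2025-07-22",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2025-07-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder entry", "dateAdded": "2025-07-01",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2025-07-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(raw_json: str) -> list[dict]:
    """Parse the KEV feed and return its list of vulnerability entries."""
    return json.loads(raw_json)["vulnerabilities"]


def entries_for_product(entries: list[dict], vendor: str, product: str) -> list[dict]:
    """Select KEV entries for one vendor/product, matching case-insensitively."""
    return [e for e in entries
            if e["vendorProject"].casefold() == vendor.casefold()
            and product.casefold() in e["product"].casefold()]


def overdue_cves(entries: list[dict], today: date) -> list[str]:
    """CVE IDs whose KEV due date has passed; the due date itself still counts as on time."""
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today)


def remediation_window_days(entry: dict) -> int:
    """Days between CISA adding the entry and its remediation deadline."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


if __name__ == "__main__":
    sharepoint = entries_for_product(load_kev(KEV_EXCERPT), "Microsoft", "SharePoint")
    for e in sharepoint:
        print(f"{e['cveID']}: due {e['dueDate']} ({remediation_window_days(e)}-day window)")
    print("overdue as of 2025-07-24:", overdue_cves(sharepoint, date(2025, 7, 24)))
```

Against the live feed, replace `KEV_EXCERPT` with the downloaded JSON; the one-day window shown here is the point of the check, since the FCEB deadline fell the day after the entries were added.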
Details on the Vulnerability Types
- CVE-2025-49704: This is categorized as SharePoint Remote Code Execution.
- CVE-2025-49706: Identified as SharePoint Post-auth Remote Code Execution.
These vulnerabilities are part of a larger vulnerability cluster known as "ToolShell." Recent reports indicate that sophisticated hacking groups, including those associated with nation-state actors like Linen Typhoon and Violet Typhoon, have exploited these flaws since July 7, 2025.
Latest Insights from Microsoft
At the time of this report, Microsoft maintained that only CVE-2025-53770 was known to be actively exploited in the wild. The initial advisories provided a comprehensive breakdown of four SharePoint vulnerabilities:
- CVE-2025-49704: Remote Code Execution
- CVE-2025-49706: Post-auth Remote Code Execution
- CVE-2025-53770: ToolShell Authentication Bypass and Remote Code Execution
- CVE-2025-53771: ToolShell Path Traversal
Notably, the relationship between CVE-2025-53770 and the other vulnerabilities suggests that exploiting it does not require CVE-2025-53771, which could give malicious actors a shorter path to exploitation.
Understanding the Root Cause
According to insights from the Akamai Security Intelligence Group, CVE-2025-53770 results from a combination of two vulnerabilities: an authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704). Addressing this chain of vulnerabilities is essential for securing affected systems.
Microsoft’s Position on Vulnerabilities
When contacted about the ongoing status of CVE-2025-53771 and other related issues, a Microsoft spokesperson reiterated that the advisories are reliable as of their original publication dates. They also highlighted their collaboration with CISA in maintaining the KEV catalog, which aims to inform organizations about exploited vulnerabilities in real-time.
Security Mitigations and Agency Warnings
Recent discussions reveal that watchTowr Labs has developed a method to exploit CVE-2025-53770 while circumventing Microsoft’s Antimalware Scan Interface (AMSI), the interface through which security products scan content for malicious activity. CEO Benjamin Harris emphasized the importance of patching these vulnerabilities rather than relying solely on mitigations like AMSI. “Enabling AMSI without patching can lead to false confidence,” he warned, urging organizations to take proactive steps to secure their systems against potential exploitation.
Given that these vulnerabilities have been linked to state-sponsored attackers, it is critical for organizations to act swiftly. Relying on partial mitigations could create a false sense of security, exposing them to further risks.
Final Thoughts
The identification of these vulnerabilities serves as a stark reminder of the evolving threat landscape in cybersecurity. For organizations utilizing Microsoft SharePoint, prioritizing these patches and staying informed about the latest developments is essential. As the situation continues to evolve, the focus should remain on ensuring thorough security practices to protect sensitive data and systems.