Update (07/24/2025): CISA continues to update reporting on this ongoing activity, as threat actor tactics, techniques, and procedures (TTPs) continue to evolve. This update contains additional information on the deployment of ransomware, new webshells involved in exploitation, and enhanced detection guidance.
Update (07/22/2025): This Alert was updated to reflect newly released information from Microsoft, and to correct the actively exploited Common Vulnerabilities and Exposures (CVEs), which have been confirmed as CVE-2025-49706, a network spoofing vulnerability, and CVE-2025-49704, a remote code execution (RCE) vulnerability.
CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the chain, publicly reported as “ToolShell,” provides unauthenticated access to systems and authenticated access through network spoofing, respectively, and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. Beyond the typical webshells, such as .aspx and .exe, .dll payloads have been observed during exploitation. Most recently, threat actors have also been observed encrypting files and distributing Warlock ransomware on compromised systems.
While not actively exploited, Microsoft has identified the following new CVEs that pose a potential risk:
CISA recommends the following actions to reduce the risks associated with the RCE compromise:
- Apply the necessary security updates released by Microsoft.
- Configure Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploy Microsoft Defender AV on all SharePoint servers.
- If AMSI cannot be enabled, disconnect affected products from service that are public-facing on the internet until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
- Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
- For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory for CVE-2025-49706. CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
- Beyond patching, it is critical for organizations to further investigate systems for signs of exploitation. Malware deployed via .dll payloads in particular are difficult to detect, and can be used to obtain machine keys.
- Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the IIS web server.
- Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.
- Monitor suspicious requests to the sign-out page:
/_layouts/SignOut.aspx is the exact HTTP header used by threat actors to exploit ToolPane.aspx for initial access
- Monitor for POSTs to
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
- Update intrusion prevention system and web-application firewall (WAF) rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
- Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
- Employ robust cyber hygiene and hardening measures to prepare for, prevent, and mitigate ransomware incidents. For more information, see CISA and partners’ #StopRansomware Guide.
- Audit and minimize layout and admin privileges.
For more information on this vulnerability, please see Eye Security’s reporting and Palo Alto Networks Unit42’s post. CVE-2025-53770 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. CVE-2025-49706 and CVE-2025-49704 were added to the KEV on July 22, 2025.
Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.
CISA would like to acknowledge the contributions of the security researcher community in rapidly sharing insights that enabled CISA to notify critical infrastructure organizations impacted by this activity.
Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at SOC@mail.cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472).
Disclaimer:
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.