Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief


Executive Summary

Latest update July 29, 2025

Unit 42 telemetry captured CVE-2025-53770 exploitation attempts from July 17, 2025, 08:40 UTC, through July 22, 2025, originating from threat activity tracked as CL-CRI-1040.

Pre-exploitation vulnerability testing of SharePoint servers from CL-CRI-1040 IP addresses was observed starting July 17, 2025, 06:58 UTC. The pattern of exploitation attempts indicates that the actor worked from a static target list of SharePoint servers.

One of the IP addresses exploiting CVE-2025-53770 as part of CL-CRI-1040 overlaps with the Storm-2603 cluster discussed by Microsoft. We are currently researching this cluster to gain further insight into the actors involved.

Unit 42 is tracking high-impact, ongoing threat activity targeting self-hosted Microsoft SharePoint servers. While SaaS environments remain unaffected, self-hosted SharePoint deployments, particularly within government, schools, healthcare (including hospitals) and large enterprise companies, are at immediate risk.

On-premises Microsoft SharePoint servers are currently facing widespread, active exploitation due to multiple vulnerabilities, collectively referred to as "ToolShell" (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771). These vulnerabilities enable attackers to achieve full remote code execution (RCE) without requiring any credentials. A compromised SharePoint server poses a significant risk to organizations, as it can serve as a gateway to other integrated Microsoft services.

In addition to the CVE reports, Microsoft has released further guidance on these vulnerabilities. The vulnerabilities, their CVSS scores and their descriptions are detailed in Table 1.

CVE Number     | Description                                                                                                                                        | CVSS Score
CVE-2025-49704 | Improper control of generation of code (code injection) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8
CVE-2025-49706 | Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.                           | 6.5
CVE-2025-53770 | Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.          | 9.8
CVE-2025-53771 | Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | 6.5

Table 1. List of recent vulnerabilities affecting Microsoft SharePoint, with their CVSS scores.

These vulnerabilities all apply to Microsoft SharePoint Enterprise Server 2016 and 2019. CVE-2025-49706 and CVE-2025-53770 also apply to Microsoft SharePoint Server Subscription Edition. Microsoft has stated that SharePoint Online in Microsoft 365 is not impacted.

We are currently working closely with the Microsoft Security Response Center (MSRC) to ensure that our customers have the latest information, and we are actively notifying affected customers and other organizations. This situation is evolving rapidly, so it is advisable to check Microsoft's recommendations frequently.

We have observed active exploitation of the ToolShell vulnerabilities beginning in mid-July 2025. It intensified rapidly following the public release of several proof-of-concept (PoC) exploits.

Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they are exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys.

The attackers have leveraged these vulnerabilities to get into systems and in some cases have already established a foothold. If you have on-premises SharePoint exposed to the internet, you should assume that you have been compromised. Patching alone is insufficient to fully evict the threat: cryptographic material stolen before the patch was applied, such as the server's ASP.NET machine keys, remains valid until it is rotated and can be used to regain access to an otherwise patched server.

We are urging organizations that are running vulnerable on-premises SharePoint to take the following actions immediately:

  • Apply all relevant patches now and as they become available
  • Rotate all cryptographic material, including the SharePoint ASP.NET machine keys, and restart IIS on every server in the farm afterwards
  • Engage professional incident response

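The key-rotation step above, as an added example that is not code from the original brief or from Microsoft: a PowerShell script intended to be run from an elevated SharePoint Management Shell on one server in the farm. It assumes the Update-SPMachineKey cmdlet and its -WebApplication parameter as named in Microsoft's machine-key rotation guidance, and that WinRM is enabled so that iisreset can be issued to every SharePoint server; confirm both against the current Microsoft guidance for your SharePoint version before running it.

```powershell
# Added example (not from the brief): rotate the ASP.NET machine keys for every
# web application in the farm, then restart IIS on every SharePoint server so that
# worker processes stop honoring keys that may already have been stolen.
# Assumption: cmdlet names/parameters follow Microsoft's rotation guidance.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Keep a record of what was rotated and when; incident responders will want it.
$logPath = Join-Path $env:TEMP ("sp-machinekey-rotation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
Start-Transcript -Path $logPath

try {
    # Central Administration is a web application too and must not be skipped.
    $webApps = Get-SPWebApplication -IncludeCentralAdministration
    foreach ($wa in $webApps) {
        Write-Host ("Rotating machine key for '{0}' ({1})" -f $wa.DisplayName, $wa.Url)
        # Generates a new validation/decryption key pair for this web application
        # and deploys it to web.config on the servers in the farm.
        Update-SPMachineKey -WebApplication $wa
    }
}
finally {
    Stop-Transcript
}

# Restart IIS on every SharePoint server (SQL-only servers report Role 'Invalid'
# and are skipped). Without the restart, running worker processes keep the old keys.
$servers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

foreach ($server in $servers) {
    Write-Host ("Restarting IIS on {0}" -f $server)
    # Assumption: WinRM is enabled and the operator is a local administrator on each server.
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe /noforce }
}

Write-Host ("Rotation complete. Transcript saved to {0}" -f $logPath)
```

Rotate after patching, not before: keys rotated on an unpatched server can simply be stolen again. Treat the transcript as incident evidence and keep it with the rest of the response record.
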
Palo Alto Networks also recommends following Microsoft's patching or mitigation guidance for CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771, as well as the additional guidance Microsoft has published for CVE-2025-53770 and CVE-2025-53771.

Palo Alto Networks customers are better protected from these vulnerabilities in the following ways:

  • Cortex Xpanse can identify SharePoint servers exposed on the public internet and escalate these findings to defenders. Customers may also opt into Xpanse Attack Surface Testing.
  • Cortex XDR agents version 8.7 with content version 1870-19884 (or 1880-19902) will block known exploitation activity related to the exploitation chain of CVE-2025-49704 and CVE-2025-49706, and report known exploitation activity related to the chain of CVE-2025-53770 and CVE-2025-53771.
  • Cortex Cloud agents version 8.7 with content version 1880-20113 (or 1890-20101) will block known exploitation activity related to both exploitation chains: CVE-2025-49704 and CVE-2025-49706, as well as CVE-2025-53770 and CVE-2025-53771.

Vulnerabilities Discussed

CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771

To track the latest updates and mitigations, visit the Threat Research Center.