The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by July 23, 2025.
“CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers,” the agency said in an updated advisory.
The inclusion of the two shortcomings, a spoofing vulnerability and a remote code execution vulnerability collectively tracked as ToolShell, to the KEV catalog comes after Microsoft revealed that Chinese hacking groups like Linen Typhoon and Violet Typhoon leveraged these flaws to breach on-premises SharePoint servers since July 7, 2025.
As of writing, the tech giant’s own advisories only list CVE-2025-53770 as being exploited in the wild. What’s more, it describes the four flaws as below –
- CVE-2025-49704 – SharePoint Remote Code Execution
- CVE-2025-49706 – SharePoint Post-auth Remote Code Execution
- CVE-2025-53770 – SharePoint ToolShell Authentication Bypass and Remote Code Execution
- CVE-2025-53771 – SharePoint ToolShell Path Traversal
The fact that CVE-2025-53770 is both an authentication bypass and a remote code execution bug indicates that CVE-2025-53771 is not necessary to build the exploit chain. CVE-2025-53770 and CVE-2025-53771 are assessed to be patch bypasses for CVE-2025-49704 and CVE-2025-49706, respectively.
“The root cause [of CVE-2025-53770] is a combination of two bugs: An authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704),” the Akamai Security Intelligence Group said.
When reached for comment regarding the exploitation status of CVE-2025-53771 and other flaws, a Microsoft spokesperson told The Hacker News that the information published in its advisories is correct “at the time of original publication” and that it does not typically update post-release.
“Microsoft also assists CISA with the Known Exploited Vulnerabilities Catalog which provides regularly updated information on exploited vulnerabilities,” the spokesperson added.
The development comes as watchTowr Labs told the publication that it has internally devised a method exploiting CVE-2025-53770 such that it bypasses Antimalware Scan Interface (AMSI), a mitigation step outlined by Microsoft to prevent unauthenticated attacks.
“This has allowed us to continue identifying vulnerable systems even after mitigations like AMSI have been applied,” watchTowr CEO Benjamin Harris said. “AMSI was never a silver bullet, and this outcome was inevitable. But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea.”
“Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI. Organizations must patch. Should go without saying – all the public PoCs will trigger AMSI, and mislead organizations into believing the mitigations are comprehensive/the host is no longer vulnerable. This would be incorrect.”
