Security Update News
Update Information
| Title | ToolShell: Details of CVEs Affecting SharePoint Servers |
|---|---|
| Update ID | TALOSBLOG:6BA8F1E39CCF3A732A351076A41E184E |
| Type | talosblog |
| Published | 2025-07-21T20:33:02 |
| Last Updated | 2025-07-21T20:33:02 |
Security Impact
| CVSS Score | 9.8 |
|---|---|
| Severity | CRITICAL |
Affected CVEs
- CVE-2025-49704
- CVE-2025-49706
- CVE-2025-53770
- CVE-2025-53771
Update Details
Cisco Talos is aware of ongoing in-the-wild exploitation of _CVE-2025-53770_, a deserialization of untrusted data vulnerability, and _CVE-2025-53771_, a path traversal vulnerability, affecting SharePoint Server Subscription Edition, SharePoint Server 2016 and SharePoint Server 2019. According to Microsoft, these vulnerabilities apply only to on-premises SharePoint servers and do not affect SharePoint Online in Microsoft 365.
Microsoft has also _released_ security updates and mitigation guidance for the affected products. At the time of this writing, no security update is available for SharePoint Server 2016.
These two vulnerabilities, _CVE-2025-53770_ and _CVE-2025-53771_, are related to _CVE-2025-49704_ and _CVE-2025-49706_, which were addressed in the July Microsoft Patch Tuesday updates. The new updates Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates, Microsoft recommends rotating the SharePoint Server ASP.NET machine keys, because an attacker who has already extracted those keys from a server can keep producing validly signed payloads after the patch is installed. The Cybersecurity and Infrastructure Security Agency (CISA) has also _released_ additional details and technical indicators associated with exploitation attempts targeting unprotected SharePoint servers between July 18 and 19, 2025.
## Vulnerability details
Chained together, these two vulnerabilities give an unauthenticated attacker remote code execution. They are related to _CVE-2025-49704_ and _CVE-2025-49706_: with the earlier pair, an attacker needed to be authenticated in order to obtain a valid signature, because doing so required extracting the ValidationKey from memory or configuration. With _CVE-2025-53770_ and _CVE-2025-53771_, attackers have eliminated the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution.
Microsoft has provided patches for most versions of SharePoint Server; as of this publishing, SharePoint Server 2016 remains unpatched. As an interim mitigation, Microsoft recommends ensuring that the Antimalware Scan Interface (AMSI) integration is turned on and configured correctly with the associated antivirus solution.
Once patches are applied, Microsoft also recommends rotating the SharePoint Server ASP.NET machine keys, in case the signing keys were compromised in the attack. This can be done manually _via PowerShell or via Central Admin_.
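The PowerShell route for that rotation, as an added example that is not code from the Talos post or from Microsoft's guidance text: `Update-SPMachineKey` and `iisreset.exe` are the Microsoft-documented cmdlet and tool for this step, while the per-web-application loop, the inclusion of Central Administration, the transcript path and the error handling are this example's own assumptions.

```powershell
# Added example (not from the Talos post): rotate the ASP.NET machine keys of
# every SharePoint web application after the July 2025 update is installed,
# then restart IIS so the new keys take effect.
# Assumptions: run in the SharePoint Management Shell on one server of the farm,
# as a farm administrator. Update-SPMachineKey and iisreset.exe are the
# Microsoft-documented tools; the loop, transcript and Central Admin inclusion
# are this example's own choices.

$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Keep a record of what was rotated and when, for the incident timeline.
$logPath = Join-Path $env:TEMP ("spmachinekey-rotation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
Start-Transcript -Path $logPath | Out-Null

try {
    # Include Central Administration so its keys are rotated as well (assumption).
    $webApps = Get-SPWebApplication -IncludeCentralAdministration
    if (-not $webApps) {
        throw "No SharePoint web applications found; is this a farm server?"
    }

    foreach ($app in $webApps) {
        Write-Host ("Rotating machine key for {0}" -f $app.Url)
        # Generates fresh validation/decryption keys for this web application
        # and deploys them to the farm's web.config files.
        Update-SPMachineKey -WebApplication $app
    }
}
finally {
    Stop-Transcript | Out-Null
    Write-Host ("Rotation log written to {0}" -f $logPath)
}

# Running worker processes keep the old keys in memory; restart IIS so the
# new keys are loaded. Repeat iisreset.exe on every SharePoint server in the farm.
iisreset.exe
```

The same rotation can be triggered from Central Administration by running the machine key rotation timer job; whichever route is used, the keys are only in effect once IIS has been restarted on each SharePoint server, so a server that was patched but not rotated and restarted is still exposed to an attacker holding the old ValidationKey.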
## Coverage
As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally, Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.
### Related existing Behavioral Protection (BP) rules:
Malicious Process Creation By Microsoft Exchange Server IIS: triggers on creation of the webshell payload

_Cisco Secure Endpoint_ (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free _here._
_Cisco Secure Email_ (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free _here_.
_Cisco Secure Firewall_ (formerly Next-Generation Firewall and Firepower NGFW) appliances such as _Threat Defense Virtual_, _Adaptive Security Appliance_ and _Meraki MX_ can detect malicious activity associated with this threat.
_Cisco Secure Network/Cloud Analytics_ (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
_Cisco Secure Malware Analytics_ (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
_Cisco Secure Access_ is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
_Umbrella_, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
_Cisco Secure Web Appliance_ (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the _Firewall Management Center_.
_Cisco Duo_ provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Snort SIDs for this threat are 65092 (vulnerability) and 65183 (webshell).