\n<\/p>\n
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.<\/p>\n
To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by July 23, 2025.<\/p>\n
“CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers,” the agency said in an updated advisory.<\/p>\n
<\/p>\n
The inclusion of the two shortcomings, a spoofing vulnerability and a remote code execution vulnerability collectively tracked as ToolShell, to the KEV catalog comes after Microsoft revealed that Chinese hacking groups like Linen Typhoon and Violet Typhoon leveraged these flaws to breach on-premises SharePoint servers since July 7, 2025.<\/p>\n
As of writing, the tech giant’s own advisories only list CVE-2025-53770 as being exploited in the wild. What’s more, it describes the four flaws as below –<\/p>\n
* CVE-2025-49704 \u2013 SharePoint Remote Code Execution
* CVE-2025-49706 \u2013 SharePoint Post-auth Remote Code Execution
* CVE-2025-53770 \u2013 SharePoint ToolShell Authentication Bypass and Remote Code Execution
* CVE-2025-53771 \u2013 SharePoint ToolShell Path Traversal<\/p>\n
The fact that CVE-2025-53770 is both an authentication bypass and a remote code execution bug indicates that CVE-2025-53771 is not necessary to build the exploit chain. CVE-2025-53770 and CVE-2025-53771 are assessed to be patch bypasses for CVE-2025-49704 and CVE-2025-49706, respectively.<\/p>\n
“The root cause [of CVE-2025-53770] is a combination of two bugs: An authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704),” the Akamai Security Intelligence Group said.<\/p>\n
When reached for comment regarding the exploitation status of CVE-2025-53771 and other flaws, a Microsoft spokesperson told The Hacker News that the information published in its advisories is correct “at the time of original publication” and that it does not typically update post-release.<\/p>\n
“Microsoft also assists CISA with the Known Exploited Vulnerabilities Catalog which provides regularly updated information on exploited vulnerabilities,” the spokesperson added.<\/p>\n
<\/p>\n
The development comes as watchTowr Labs told the publication that it has internally devised a method exploiting CVE-2025-53770 such that it bypasses Antimalware Scan Interface (AMSI), a mitigation step outlined by Microsoft to prevent unauthenticated attacks.<\/p>\n
“This has allowed us to continue identifying vulnerable systems even after mitigations like AMSI have been applied,” watchTowr CEO Benjamin Harris said. “AMSI was never a silver bullet, and this outcome was inevitable. But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea.”<\/p>\n
“Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI. Organizations must patch. Should go without saying \u2013 all the public PoCs will trigger AMSI, and mislead organizations into believing the mitigations are comprehensive\/the host is no longer vulnerable. This would be incorrect.”<\/p>\n
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks Update ID THN:BD0739C6C8CFD7EC77190EA1D49743C8 Type thn Published…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,13,7,11,43,5],"class_list":["post-8751","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8751\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks Update ID THN:BD0739C6C8CFD7EC77190EA1D49743C8 Type thn Published...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8751\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-23T00:39:52+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks\",\"datePublished\":\"2025-07-23T00:39:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751\"},\"wordCount\":618,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8751#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751\",\"name\":\"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-23T00:39:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8751\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8751#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8751","og_locale":"en_US","og_type":"article","og_title":"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks - zero redgem","og_description":"Security Update News Update Information Title CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks Update ID THN:BD0739C6C8CFD7EC77190EA1D49743C8 Type thn Published...","og_url":"https:\/\/zero.redgem.net\/?p=8751","og_site_name":"zero redgem","article_published_time":"2025-07-23T00:39:52+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8751#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8751"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks","datePublished":"2025-07-23T00:39:52+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8751"},"wordCount":618,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8751#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8751","url":"https:\/\/zero.redgem.net\/?p=8751","name":"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-23T00:39:52+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8751#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8751"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8751#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8751"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8751\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}