Microsoft has issued guidance on the active exploitation of two vulnerabilities in on-premises SharePoint Server, CVE-2025-49704 and CVE-2025-49706. The two are being chained in the wild to gain unauthorized access to affected servers and achieve remote code execution.
Understanding the Vulnerabilities
CVE-2025-49704 is an improper control of code generation (code injection) flaw that lets an authenticated attacker execute arbitrary code over the network. On its own it requires credentials, which is why it is paired with CVE-2025-49706, an improper authentication (spoofing) flaw that lets an unauthenticated attacker reach the vulnerable code path. Chained, the two form the exploit sequence known as "ToolShell": an unauthenticated attacker can access SharePoint content, read sensitive data, and execute code remotely on the server.
Scope and Impact
Exploitation has been widespread, affecting organizations in finance, healthcare, and government, among other sectors. Published scan data indicates that over 9,000 SharePoint servers remain potentially vulnerable, with active exploitation observed since mid-July 2025. SharePoint Online (Microsoft 365) is not affected; the vulnerabilities apply only to on-premises SharePoint Server deployments.
Microsoft's Response and Guidance
Microsoft has released security updates that address these vulnerabilities and advises applying them immediately. In addition, Microsoft recommends enabling the Antimalware Scan Interface (AMSI) integration in SharePoint and running Microsoft Defender Antivirus on every SharePoint server, so that malicious request bodies and payloads are scanned before SharePoint processes them.
For servers on which AMSI cannot be enabled, Microsoft's guidance is to disconnect them from the internet until the security update can be applied. Once updates are installed, the accompanying mitigation steps from Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) should be completed promptly, since patching alone does not undo a compromise that already occurred.
Additional Vulnerabilities and Patch Bypasses
Microsoft has since assigned CVE-2025-53770 and CVE-2025-53771 to variants that bypass the original fixes for CVE-2025-49704 and CVE-2025-49706 respectively. Servers that only have the July Patch Tuesday updates installed therefore remain exposed; the later updates covering the bypass variants must be applied as well. The episode underscores the need for continuous monitoring and prompt installation of every follow-up update, not only the first one.
Recommendations for Organizations
To mitigate the risks associated with these vulnerabilities, organizations are advised to:
  • Apply Security Updates: Ensure that all relevant security patches released by Microsoft are applied without delay.
  • Enable AMSI and Deploy Defender Antivirus: Configure AMSI in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers to detect and prevent exploitation attempts.
  • Rotate Cryptographic Keys: After applying the security updates, rotate the ASP.NET machine keys (via the Update-SPMachineKey cmdlet or the Machine Key Rotation job in Central Administration) and then restart IIS with iisreset.exe on every server in the farm. Attackers who obtained the ValidationKey and DecryptionKey can forge signed __VIEWSTATE payloads that a fully patched server will still accept, so rotation is what actually evicts them.
  • Disconnect Unsupported Versions: Disconnect public-facing versions of SharePoint Server that have reached end-of-life or end-of-service from the internet to prevent exploitation.
  • Monitor and Audit: Enable and retain IIS and SharePoint ULS logging so exploitation attempts can be reconstructed, hunt for Microsoft's published indicators of compromise (including unexpected .aspx files in the LAYOUTS directory), and review administrative and service-account privileges to limit what a compromised server can reach.
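The following script ties the recommendations above together as an added example for this thread; it is not code from Microsoft's or CISA's guidance. It assumes SharePoint Server 2016/2019/Subscription Edition, an elevated SharePoint Management Shell on a farm server, IIS logs in the default W3C format, and that the Update-SPMachineKey cmdlet behaves as documented for your version. The patched build number, log directory and start date are placeholders you must replace.

```powershell
# Added example (not from the Microsoft/CISA guidance). Assumptions: SharePoint
# Server 2016/2019/SE, elevated SharePoint Management Shell, default W3C IIS logs.

# 1. Patch level: compare the farm build against the build of the fixing update
#    for your version. Take that number from the KB article; the value you pass
#    here is an assumption, not something this script knows.
function Test-SPPatchLevel {
    param([Parameter(Mandatory)][version]$PatchedBuild)
    $farm = Get-SPFarm
    [pscustomobject]@{
        FarmBuild = $farm.BuildVersion
        Patched   = ($farm.BuildVersion -ge $PatchedBuild)
    }
}

# 2. Key rotation: Update-SPMachineKey issues new ASP.NET validation/decryption
#    keys for a web application. A stolen ValidationKey lets an attacker forge
#    __VIEWSTATE payloads that deserialize on a fully patched server, so this has
#    to follow patching. iisreset.exe must run on every server in the farm.
function Invoke-SPMachineKeyRotation {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
}

# 3. Hunt: parse W3C IIS logs and flag the request shape publicly reported for
#    ToolShell (POST to ToolPane.aspx with DisplayMode=Edit and a Referer of
#    SignOut.aspx). Hits are leads for triage, not proof; extend the predicate
#    with Microsoft's published indicators of compromise.
function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string]$LogDirectory)
    foreach ($file in Get-ChildItem $LogDirectory -Filter *.log -Recurse -File) {
        $fields = $null
        foreach ($line in Get-Content $file.FullName) {
            if ($line.StartsWith('#Fields:')) {
                # Field order is declared per log file; map names to positions.
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $values = $line -split ' '
            $row = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
                $row[$fields[$i]] = $values[$i]
            }
            if ($row['cs-method'] -eq 'POST' -and
                $row['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$' -and
                $row['cs-uri-query'] -match 'DisplayMode=Edit' -and
                $row['cs(Referer)'] -match 'SignOut\.aspx') {
                [pscustomobject]@{
                    File     = $file.Name
                    Time     = "$($row['date']) $($row['time'])"
                    ClientIP = $row['c-ip']
                    Status   = $row['sc-status']
                    Uri      = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
                }
            }
        }
    }
}

# 4. Hunt: ASP.NET files in LAYOUTS are reachable through the /_layouts/15/
#    virtual directory of every site, which is why web shells get planted there.
#    Anything created or modified after exploitation began deserves a look.
function Find-RecentLayoutsFiles {
    param([Parameter(Mandatory)][datetime]$Since)
    $layouts = Join-Path $env:CommonProgramFiles `
        'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    Get-ChildItem $layouts -Recurse -File -Include *.aspx, *.ashx, *.asmx |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime
}

# Usage (placeholder build, default IIS log path, mid-July 2025 start date):
# Test-SPPatchLevel -PatchedBuild '16.0.0.0'
# Find-ToolShellRequests -LogDirectory 'C:\inetpub\logs\LogFiles' | Format-Table
# Find-RecentLayoutsFiles -Since (Get-Date '2025-07-18')
# Invoke-SPMachineKeyRotation   # only after the update is confirmed installed
```

Run the two hunting functions before rotating keys and restarting IIS, so that the evidence (log entries, dropped files and their timestamps) is collected before the environment changes. A single confirmed hit from either hunt should move the server into incident response rather than routine patching, because the machine keys and any credentials cached on the host must then be treated as exposed.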
Conclusion
The active exploitation of these SharePoint vulnerabilities shows why update discipline has to extend beyond the first patch: apply the updates covering the bypass variants, rotate the machine keys so stolen secrets stop working, enable AMSI and Defender, and check the logs for what happened before the patch landed. Organizations that follow Microsoft's and CISA's guidance and keep monitoring their servers materially reduce the risk of persistent unauthorized access and data theft.

Source: CISA UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities | CISA