CISA Alerts on Chinese Hackers Actively Exploiting SharePoint 0-Day
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding active exploitation of critical SharePoint vulnerabilities by threat actors, with security researchers attributing the attacks to Chinese hackers.
The agency warns that malicious actors are leveraging a vulnerability chain dubbed “ToolShell” to gain unauthorized access to on-premises SharePoint servers across organizations.
Critical Vulnerability Chain Under Active Attack
CISA confirmed that attackers are actively exploiting two critical vulnerabilities: CVE-2025-49706, a network spoofing vulnerability, and CVE-2025-49704, a remote code execution (RCE) vulnerability.
Chained together, the spoofing flaw lets an unauthenticated attacker reach code paths that SharePoint normally restricts to authenticated users, and the RCE flaw then runs attacker-supplied code on the server.
The chain gives attackers comprehensive control over the SharePoint environment: they can read the file system and internal configuration, execute arbitrary code on the server, and use that foothold to move further into the network.
The scope and impact of these attacks continue to be assessed, but the implications are severe for organizations running vulnerable SharePoint installations.
Security researchers have noted that the ToolShell attack chain represents a significant threat to enterprise environments, particularly those with public-facing SharePoint deployments.
Microsoft Response and Additional Vulnerabilities
Microsoft has responded swiftly to the threat, releasing security updates and detailed guidance for organizations to protect their systems.
The company has also identified two additional CVEs that pose potential risks: CVE-2025-53771, which serves as a patch bypass for CVE-2025-49706, and CVE-2025-53770, a patch bypass for CVE-2025-49704.
Although these were first described as patch bypasses rather than as separately exploited flaws, CISA's Known Exploited Vulnerabilities catalog is reserved for vulnerabilities with evidence of active exploitation, and CVE-2025-53770 was added to it on July 20, 2025; organizations should treat the bypasses as exploited and confirm that the updates they apply address all four CVEs, not only the original pair.
CISA has issued comprehensive guidance urging organizations to take immediate action. The agency recommends applying Microsoft's security updates immediately and enabling Antimalware Scan Interface (AMSI) integration on SharePoint servers.
For organizations unable to enable AMSI, CISA advises disconnecting public-facing SharePoint products from internet access until official mitigations become available.
Additional protective measures include rotating the ASP.NET machine keys (the ValidationKey and DecryptionKey) both before and after applying the security updates, since an attacker who has already obtained the keys can keep crafting requests the server accepts as valid even once it is patched; monitoring for suspicious POST requests to specific SharePoint endpoints; and enabling enhanced logging.
Organizations should also search their logs for the IP addresses associated with the attacks, particularly 107.191.58.76, 104.238.159.149, and 96.9.125.147, which showed activity between July 18 and 19, 2025.
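A triage script for the two monitoring steps above, added here as an example and not CISA's or Microsoft's own code: it parses IIS W3C log lines from a SharePoint front end and flags POST requests to the targeted SharePoint page and any request from the published IP addresses, noting whether the hit falls inside the July 18-19 activity window. The sample log is constructed. The page path in WATCHED_ENDPOINTS is taken from Microsoft's public ToolShell guidance rather than from this page, and the rule that treats an anonymous POST as the strongest signal is this example's own heuristic; verify both against current vendor guidance before relying on them.

```python
"""Triage IIS W3C logs from an on-premises SharePoint server for ToolShell indicators.

Added example, not CISA's or Microsoft's code. Field order is read from the
'#Fields:' header instead of being hard-coded, because IIS lets administrators
change which columns are logged.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, Iterable, List

# Indicators published by CISA for activity observed 18-19 July 2025.
IOC_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
IOC_WINDOW = (date(2025, 7, 18), date(2025, 7, 19))

# Assumption: SharePoint page abused by the ToolShell chain, per Microsoft's
# public guidance (this article does not name it). Compared case-insensitively.
WATCHED_ENDPOINTS = ("/_layouts/15/toolpane.aspx", "/_layouts/16/toolpane.aspx")

# Constructed sample log in the W3C extended format IIS writes. Not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 312
2025-07-18 15:30:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 192.168.1.20 Mozilla/5.0 - 200 0 0 44
2025-07-19 09:11:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 192.168.1.31 Mozilla/5.0 https://sp.corp.local/_layouts/15/settings.aspx 200 0 0 150
2025-07-21 02:00:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 96.9.125.147 python-requests/2.31 - 404 0 2 5
2025-07-21 02:00:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 280
"""


@dataclass
class Finding:
    rule: str
    when: datetime
    client_ip: str
    user: str
    request: str


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the latest #Fields header.

    IIS never quotes fields (spaces inside values are written as '+'), so a plain
    split on single spaces is the correct tokenizer for this format.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines: #Software, #Version, #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the two CISA-derived checks to every request and collect the hits."""
    findings: List[Finding] = []
    for rec in parse_w3c(lines):
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip, user = rec["c-ip"], rec["cs-username"]
        request = f"{rec['cs-method']} {rec['cs-uri-stem']}?{rec['cs-uri-query']}"

        # Check 1: traffic from the published attacker IPs. Hits outside the
        # 18-19 July window are still reported, just labelled so an analyst can
        # weigh them differently.
        if ip in IOC_IPS:
            in_window = IOC_WINDOW[0] <= when.date() <= IOC_WINDOW[1]
            rule = "ioc-ip" if in_window else "ioc-ip-outside-window"
            findings.append(Finding(rule, when, ip, user, request))

        # Check 2: POST requests to the watched SharePoint page. Legitimate edits
        # come from authenticated users; ToolShell is an unauthenticated chain, so
        # an anonymous POST ('-' in cs-username) is the strongest signal (heuristic).
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower().endswith(WATCHED_ENDPOINTS):
            rule = "anon-post-watched-endpoint" if user == "-" else "post-watched-endpoint"
            findings.append(Finding(rule, when, ip, user, request))
    return findings


def rule_counts(findings: Iterable[Finding]) -> Counter:
    """Summarise findings by rule name, useful for a first glance at a large log."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.when:%Y-%m-%d %H:%M:%S} {h.rule:<28} {h.client_ip:<16} {h.user:<12} {h.request}")
    print(dict(rule_counts(hits)))
```

Run it against a real server by replacing SAMPLE_LOG.splitlines() with the lines of each file under the IIS log directory; an anon-post-watched-endpoint hit, or any ioc-ip hit, should be escalated and the host treated as potentially compromised rather than merely unpatched.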
The vulnerabilities have been rapidly added to CISA’s Known Exploited Vulnerabilities catalog, with CVE-2025-53770 added on July 20, 2025, followed by CVE-2025-49706 and CVE-2025-49704 on July 22, 2025.
Security firms including Eye Security and Palo Alto Networks Unit 42 have published detailed analyses of the attack techniques.
Organizations are urged to report any incidents or anomalous activity to CISA’s 24/7 Operations Center immediately, as the agency continues monitoring this evolving threat landscape.