Full Report
CISA has issued an urgent alert regarding active exploitation of critical Microsoft SharePoint vulnerabilities by suspected Chinese threat actors. The attack campaign, dubbed “ToolShell,” leverages a vulnerability chain involving CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution) to gain unauthorized access to on-premises SharePoint servers. The sophisticated attack enables malicious actors to achieve both unauthenticated […] The post CISA Warns of Chinese Hackers Exploiting SharePoint 0-Day Flaws in Active Exploitation appeared first on Cyber Security News.
Analysis Summary
# Incident Report: Active Exploitation of SharePoint 0-Day Flaws by Chinese Threat Actors (ToolShell Campaign)
## Executive Summary
Suspected Chinese threat actors initiated an active exploitation campaign, dubbed "ToolShell," targeting on-premises Microsoft SharePoint servers using a chain of two zero-day vulnerabilities (CVE-2025-49706 and CVE-2025-49704). The exploitation granted attackers unauthenticated access, leading to arbitrary code execution and full system compromise, including access to internal configurations and file systems. CISA issued an urgent alert, prompting Microsoft to rapidly release emergency patches, followed by subsequent advisories for patch bypasses.
## Incident Details
- **Discovery Date:** Prior to July 22, 2025 (as emergency patches were released on this date due to *active exploitation*)
- **Incident Date:** Activity observed around July 18-19, 2025.
- **Affected Organization:** Undisclosed organizations using on-premises Microsoft SharePoint servers.
- **Sector:** General (targeting organizations using SharePoint).
- **Geography:** Global (CISA alert suggests broad applicability).
## Timeline of Events
### Initial Access
- **Date/Time:** On or before July 18-19, 2025.
- **Vector:** Exploitation chain involving CVE-2025-49706 (Network Spoofing) and CVE-2025-49704 (RCE).
- **Details:** The attack chain allowed threat actors to achieve unauthenticated system access, possibly leveraging the spoofing vulnerability ($\text{CVE-2025-49706}$) to facilitate the Remote Code Execution ($\text{CVE-2025-49704}$). The primary initial attack vector observed was suspicious POST requests to the endpoint `/ _layouts/15/ToolPane.aspx?DisplayMode=Edit`.
### Lateral Movement
- **Details:** Once compromised, attackers gained the capability to execute arbitrary code across the network infrastructure, implying potential for lateral movement beyond the initial SharePoint server.
### Data Exfiltration/Impact
- **Details:** Attackers could achieve full access to SharePoint content, including file systems and internal configurations. The RCE capability facilitates broader data exfiltration and persistence.
### Detection & Response
- **How it was discovered:** Security researchers (Eye Security and Palo Alto Networks Unit42) provided detailed analysis; CISA issued an alert based on this active exploitation.
- **Response actions taken:** Microsoft released comprehensive security patches and guidance on July 22, 2025. CISA provided monitoring advice and recommended immediate patching.
## Attack Methodology
- **Initial Access:** Exploiting vulnerability chain involving $\text{CVE-2025-49706}$ (Network Spoofing) and $\text{CVE-2025-49704}$ (RCE). Enabled both unauthenticated and authenticated access via spoofing.
- **Persistence:** Not explicitly detailed, but RCE capability suggests methods could be established post-exploitation.
- **Privilege Escalation:** The RCE vulnerability (CVSS 8.8) likely allowed elevation post-initial access to achieve "full system access."
- **Defense Evasion:** Not explicitly detailed, but the use of 0-days implies successful evasion prior to patch release.
- **Credential Access:** Not explicitly detailed, but full access to configurations might yield credentials.
- **Discovery:** Arbitrary code execution would facilitate internal reconnaissance.
- **Lateral Movement:** Implied through the attacker's ability to execute code across the network infrastructure.
- **Collection:** Full access to SharePoint content and file systems.
- **Exfiltration:** Implied via arbitrary code execution capabilities.
- **Impact:** Full system compromise and potential data loss/system disruption.
## Impact Assessment
- **Financial:** Not estimated in the source.
- **Data Breach:** Access to SharePoint content, file systems, and internal configurations. Details on the volume/type of data are not specified.
- **Operational:** High potential for operational disruption due to RCE on core infrastructure servers.
- **Reputational:** Increased regulatory and customer scrutiny due to CISA warnings and active exploitation by state-sponsored actors.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- Suspicious POST requests targeting the endpoint: `/ _layouts/15/ToolPane.aspx?DisplayMode=Edit`
- Connections originating from:
- $107.191.58[.]76$
- $104.238.159[.]149$
- $96.9.125[.]147$
- Focus monitoring activity between July 18-19, 2025.
- **File Indicators:** Not provided.
- **Behavioral Indicators:** Execution of arbitrary code on SharePoint servers following successful exploitation.
## Response Actions
- **Containment:** Immediate implementation of Microsoft's emergency security updates released July 22, 2025. Monitoring identified IoCs.
- **Eradication:** If patch bypasses ($\text{CVE-2025-53771}$ and $\text{CVE-2025-53770}$) are applicable, applying subsequent patches is necessary.
- **Recovery:** Rotating $\text{ASP.NET}$ machine keys (both before and after patching) and restarting IIS web servers to ensure full protection.
- **Configuration:** Configuring the Antimalware Scan Interface ($\text{AMSI}$) within SharePoint environments.
## Lessons Learned
- **Key Takeaways:** Zero-day vulnerability chains targeting widely used enterprise software (SharePoint) remain a critical threat, especially when exploited by sophisticated actors (suspected Chinese actors). Rapid attribution and vendor response (patches issued swiftly) are vital.
- **What could have been done better:** Organizations using $\text{End-of-Life}$ SharePoint systems should have disconnected them immediately, as these are often unpatchable and high-risk targets.
## Recommendations
- Immediately apply all Microsoft security updates related to $\text{CVE-2025-49706}$, $\text{CVE-2025-49704}$, and the identified patch bypasses ($\text{CVE-2025-53771}$, $\text{CVE-2025-53770}$).
- Configure and enforce $\text{AMSI}$ scanning for all SharePoint environments.
- Implement $\text{WAF}$ rules and $\text{IPS}$ updates to specifically block suspicious POST requests to the identified sensitive endpoint (`ToolPane.aspx`).
- For systems running $\text{End-of-Life}$ SharePoint versions, isolate or decommission them immediately.
- Ensure robust logging is in place across all web application servers for proactive detection.