CISA and Microsoft warn of “active attacks” on SharePoint


Tuesday, 22 July, 2025

The US Cybersecurity & Infrastructure Security Agency (CISA) has warned of a new remote code execution (RCE) vulnerability enabling unauthorised access to on-premises Microsoft SharePoint servers, which Microsoft reports is being actively exploited by malicious actors. The US Federal Bureau of Investigation (FBI) has also confirmed it is aware of ongoing cyberattacks targeting SharePoint, but has not provided further details.

SharePoint is widely used across organisations to exchange files and manage internal workflows.

In its alert, published on Sunday, Microsoft advised customers to apply available security updates immediately. The company noted that the zero-day vulnerability does not impact SharePoint Online for Microsoft 365 customers.

The CISA said that “while the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706” and poses a risk to both business and government organisations.

The exploit, publicly reported as ‘ToolShell’, provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

The CISA has recommended the following actions to reduce the risks associated with the RCE compromise:

  • Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender AV on all SharePoint servers.
  • If AMSI cannot be enabled, disconnect affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
  • Follow CISA's BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

For information on detection, prevention, and advanced threat hunting measures, Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706 should be consulted.

The CISA is encouraging organisations to review all articles and security updates published by Microsoft on 8 July 2025 that are relevant to the SharePoint platform deployed in their environment.

Organisations should also:

  • Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • Conduct scanning for IP addresses 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly for activity between 18 and 19 July 2025.
  • Update intrusion prevention system and web application firewall rules to block exploit patterns and anomalous behaviour.
  • Implement comprehensive logging to identify exploitation activity.
  • Audit and minimise layout and admin privileges.
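The first two items above are the ones a defender can check directly against web server logs. The following is an added example, not code from the article, CISA or Microsoft: it parses IIS W3C-format logs (the format an on-premises SharePoint server writes) and flags POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, plus any request from the three IP addresses listed above, noting whether it falls in the 18-19 July 2025 window. The log lines are constructed for illustration and are not captured traffic; the field layout is an assumed default W3C field set.

```python
"""Flag SharePoint IIS log entries matching the indicators in the CISA guidance.

Added example; not part of the original article or of CISA/Microsoft guidance.
Assumes IIS W3C logs with a '#Fields:' header. The sample log below is
constructed, not real traffic. Indicators (URI, query parameter, IP addresses
and date window) are the ones listed in the article.
"""
from datetime import date
from urllib.parse import parse_qs

# Indicators as published in the article (IPs are defanged with "[.]").
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
ARTICLE_IPS = ["107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147"]
WINDOW_START, WINDOW_END = date(2025, 7, 18), date(2025, 7, 19)


def refang(ip: str) -> str:
    """Turn a defanged address such as 1.2.3[.]4 back into 1.2.3.4 for comparison."""
    return ip.replace("[.]", ".")


KNOWN_IPS = {refang(ip) for ip in ARTICLE_IPS}

# Constructed sample IIS W3C log (assumed field set; not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 192.0.2.10 - 200
2025-07-18 10:16:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 107.191.58.76 - 200
2025-07-19 03:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 - 200
2025-07-20 08:00:00 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 96.9.125.147 - 200
2025-07-21 12:00:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 192.0.2.44 - 401
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entries appear before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than mis-assign columns
        records.append(dict(zip(fields, parts)))
    return records


def classify(rec: dict) -> list[str]:
    """Return the indicator names a single record matches (empty list if none)."""
    reasons = []
    query = rec.get("cs-uri-query", "-")
    params = parse_qs("" if query == "-" else query.lower())
    if (rec.get("cs-method", "").upper() == "POST"
            and rec.get("cs-uri-stem", "").lower() == TOOLPANE_PATH
            and "edit" in params.get("displaymode", [])):
        reasons.append("toolpane_post")
    if rec.get("c-ip") in KNOWN_IPS:
        reasons.append("known_ip")
        if WINDOW_START <= date.fromisoformat(rec["date"]) <= WINDOW_END:
            reasons.append("in_window")
    return reasons


def find_suspicious(text: str) -> list[dict]:
    """Run the indicators over a log and return the matching entries with their reasons."""
    hits = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            hits.append({"date": rec["date"], "time": rec["time"], "c-ip": rec["c-ip"],
                         "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']:>16} {hit['method']:<5} "
              f"{hit['uri']} -> {', '.join(hit['reasons'])}")
```

Matching on the parsed query parameter rather than a substring avoids flagging unrelated parameters that merely contain the text, and a GET to the same page (the last sample line) is deliberately not flagged because the guidance names POSTs. The IP match is reported independently of the date window so that traffic from the listed addresses outside 18-19 July still surfaces for review.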

All content Copyright © 2025 Westwick-Farrow Pty Ltd