On July 22, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog.
To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by July 23, 2025.
“CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premises SharePoint servers,” the agency said in an updated advisory.
The two flaws, a spoofing vulnerability and a remote code execution vulnerability, are collectively tracked as ToolShell. The KEV additions follow Microsoft’s disclosure that Chinese hacking groups such as Linen Typhoon and Violet Typhoon have been exploiting them since July 7, 2025.
As of this writing, the tech giant’s own advisory lists CVE-2025-53770 as exploited in the wild. It describes the four flaws as follows:
- CVE-2025-49704 - SharePoint Remote Code Execution
- CVE-2025-49706 - SharePoint Post-auth Remote Code Execution
- CVE-2025-53770 - SharePoint ToolShell Auth Bypass and Remote Code Execution
- CVE-2025-53771 - SharePoint ToolShell Path Traversal
The fact that CVE-2025-53770 is both an authentication bypass and a remote code execution bug indicates that CVE-2025-53771 is not necessary to form an exploitation chain. CVE-2025-53770 and CVE-2025-53771 are assessed to be patch bypasses for CVE-2025-49704 and CVE-2025-49706, respectively.
“The root cause [of CVE-2025-53770] is a combination of two bugs: an authentication bypass (CVE-2025-49706) and an unsafe deserialization vulnerability (CVE-2025-49704),” the Akamai Security Intelligence Group said.
When reached for comment about the exploitation of the other flaws, such as CVE-2025-53771, a Microsoft spokesperson told The Hacker News that the information published in its advisories is “correct at the time of original publication” and that it typically does not update them post-release.
“Microsoft also supports CISA with its Known Exploited Vulnerabilities catalog, which provides regularly updated information on vulnerabilities under exploitation.”
In a related development, watchTowr Labs told the publication that it has since devised a way to exploit CVE-2025-53770 that bypasses the Antimalware Scan Interface (AMSI), a mitigation step Microsoft recommended to prevent unauthenticated attacks.
“This has allowed us to continue identifying vulnerable systems even after mitigations like AMSI,” said watchTowr CEO Benjamin Harris. “AMSI was never a silver bullet, and this outcome was inevitable. But we are concerned that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea.”
“Now that exploitation is tied to nation-state actors, it would be naive to think they can wield a SharePoint zero-day but cannot bypass AMSI in some way. Organizations should patch. It should go without saying, with public PoCs now circulating, and misguided organizations should not assume they are not a target.”