On July 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive requiring all Federal Civilian Executive Branch (FCEB) agencies to patch two critical SharePoint vulnerabilities: CVE-2025-49704 and CVE-2025-49706. These flaws, exploited in combination, enable unauthorized access and remote code execution on on-premises Microsoft SharePoint servers. Based on confirmation of ongoing exploitation, they have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Chinese State-Sponsored Hackers Linked to Exploit Chain
The attack chain, now tracked under the name “ToolShell,” has been attributed to Chinese state-sponsored threat groups Linen Typhoon and Violet Typhoon. The SharePoint zero-day chain combines a spoofing flaw with an insecure deserialization issue, effectively bypassing authentication protections. Microsoft has also disclosed related variants, CVE-2025-53770 and CVE-2025-53771, believed to be patch bypasses of the original bugs.
According to researchers at Akamai, CVE-2025-53770 allows attackers to exploit the system before authentication occurs, giving them full code execution capability through crafted requests that SharePoint treats as trusted.
Exploitation Tactics: PowerShell and VIEWSTATE Abuse
Once initial access is gained, attackers deploy web shells and execute PowerShell payloads designed to evade detection. Symantec observed malicious actors downloading a file named client.exe, renaming it debug.js to avoid suspicion, then using it to execute batch scripts that extract system metadata and cryptographic secrets, including the MachineKey.
This key allows attackers to forge trusted VIEWSTATE payloads, a method that effectively enables long-term persistence on compromised systems even after updates are applied.
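The reason the MachineKey matters so much is that ASP.NET accepts a __VIEWSTATE value only if its message authentication code validates under the server's key, so whoever holds the key can mint payloads the server treats as its own, and installing a SharePoint update does not change that key. The following is an added example, not code from this article, from Microsoft, or from any vendor cited here; it models the relationship with a simplified HMAC-SHA256 scheme rather than ASP.NET's real ViewState encoding, and the function names and sample state are constructed for illustration. It shows that a forged token still validates on a "patched" server that kept its key, and stops validating only once the key is rotated.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(state: bytes, validation_key: bytes) -> str:
    """Simplified model of a MAC-protected ViewState: state || HMAC-SHA256(key, state), base64-encoded.
    Anyone holding validation_key can produce tokens this server will accept."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def verify_state(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the embedded state if the MAC validates under validation_key, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the MAC byte-by-byte through timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def demo() -> Dict[str, bool]:
    """Walk through key theft, patching without key rotation, and rotation."""
    server_key = secrets.token_bytes(64)          # the deployed MachineKey (constructed)
    stolen_key = server_key                       # what the attacker exfiltrated

    # Attacker forges a token offline using the stolen key (constructed payload).
    forged = sign_state(b"attacker-controlled state", stolen_key)

    results = {}
    # 1. Patching the deserialization bug does not touch the key: the forged
    #    token still carries a valid MAC, so the server still trusts it.
    results["forged_accepted_same_key"] = verify_state(forged, server_key) is not None

    # 2. Rotating the MachineKey invalidates every token minted under the old key,
    #    forged or legitimate, which is why rotation belongs in full remediation.
    rotated_key = secrets.token_bytes(64)
    results["forged_accepted_after_rotation"] = verify_state(forged, rotated_key) is not None

    # 3. Tokens issued under the new key work as normal.
    fresh = sign_state(b"legitimate page state", rotated_key)
    results["fresh_accepted_after_rotation"] = verify_state(fresh, rotated_key) is not None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The takeaway for defenders is that "patched" and "remediated" are different states: until the validation and decryption keys are rotated on every server in the farm, a key taken during the intrusion remains a working credential.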
AMSI Bypass Undermines Recommended Mitigation
Microsoft initially advised enabling Antimalware Scan Interface (AMSI) as a defense mechanism; however, security researchers at watchTowr Labs demonstrated that AMSI can be bypassed entirely. “Organizations assuming that enabling AMSI is sufficient are placing themselves at serious risk,” said watchTowr CEO Benjamin Harris. “We’ve shown that AMSI will not stop nation-state actors who are already using these exploits effectively.”
Recommendations for SharePoint Security Teams
Given the severity of these remote code execution vulnerabilities and the active exploitation by advanced threat actors, organizations must move beyond temporary mitigations. Immediate steps include applying the latest SharePoint patches, reviewing endpoint logs for signs of compromise, and deploying robust Endpoint Detection and Response (EDR) solutions.
Security teams should also look for evidence of unauthorized VIEWSTATE manipulation, obfuscated PowerShell commands, and unexpected outbound connections from SharePoint servers. Full remediation is critical; partial fixes such as enabling AMSI alone are not sufficient against this level of threat activity.
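To make the hunting guidance above concrete, here is an added triage example (not code from the article or from any vendor it cites) that runs three checks over constructed, simplified process and network events of the kind an EDR or Sysmon pipeline would normalize: the client.exe-to-debug.js rename Symantec described, encoded PowerShell launched from the IIS worker process, and outbound connections from that worker to destinations outside an internal range. The key=value event format, the host name, the IP addresses, the allowed egress range, and the assumption that SharePoint runs inside w3wp.exe are all assumptions made for this example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs) in a simplified key=value form.
SAMPLE_EVENTS = [
    'type=process host=sp01 parent=w3wp.exe image=cmd.exe '
    'cmdline="cmd.exe /c ren C:\\Windows\\Temp\\client.exe debug.js"',
    'type=process host=sp01 parent=w3wp.exe image=powershell.exe '
    'cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"',
    'type=process host=sp01 parent=explorer.exe image=powershell.exe '
    'cmdline="powershell.exe Get-Service"',
    'type=network host=sp01 image=w3wp.exe dst=203.0.113.45 dport=443',
    'type=network host=sp01 image=w3wp.exe dst=10.20.0.5 dport=1433',
]

# Assumed for this example: the IIS worker hosting SharePoint only needs to reach
# internal back ends (SQL, domain controllers), so anything else is worth a look.
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]
WEB_WORKER = "w3wp.exe"  # IIS worker process; SharePoint web applications run inside it

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Common abbreviations of -EncodedCommand; PowerShell also accepts other prefixes.
ENCODED_PS_RE = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)(?=\s)", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the list of detection reasons that fire for a single event."""
    hits: List[str] = []
    image = ev.get("image", "").lower()
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        # Tradecraft reported by Symantec: client.exe renamed to debug.js.
        if re.search(r"client\.exe.*debug\.js", cmd, re.I):
            hits.append("client.exe renamed to debug.js")
        # Base64-encoded PowerShell is a common way to hide the real command.
        if image == "powershell.exe" and ENCODED_PS_RE.search(cmd):
            hits.append("encoded PowerShell command")
        # A web worker spawning a shell is how web shells usually execute commands.
        if ev.get("parent", "").lower() == WEB_WORKER and image in {"cmd.exe", "powershell.exe"}:
            hits.append("shell spawned by IIS worker")
    elif ev.get("type") == "network" and image == WEB_WORKER and "dst" in ev:
        dst = ipaddress.ip_address(ev["dst"])
        if not any(dst in net for net in ALLOWED_EGRESS):
            hits.append(f"unexpected outbound connection to {dst}")
    return hits


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every event through the rules and return (event index, reason) pairs."""
    alerts: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for reason in classify(parse_event(line)):
            alerts.append((idx, reason))
    return alerts


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run against the constructed events, the two process events launched from w3wp.exe and the external connection are flagged, while the analyst's interactive PowerShell and the worker's connection to the internal SQL host are not. In a real environment the same logic would sit in the EDR or SIEM query language rather than in a script, and the egress allowlist would come from the farm's documented dependencies.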
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
