Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) AlertsCISA

July 20, 2025

CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. 
CISA recommends the following actions to reduce the risks associated with the RCE compromise: 

For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
Audit and minimize layout and admin privileges.

For more information on this vulnerability, please see Eye Security’s reporting and Palo Alto Unit42’s post.
Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.
Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.  
Disclaimer:  
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.  

CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. 

CISA recommends the following actions to reduce the risks associated with the RCE compromise: 

  • For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
  • Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
  • Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
  • Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
  • Audit and minimize layout and admin privileges.

For more information on this vulnerability, please see Eye Security’s reporting and Palo Alto Unit42’s post.

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.  

Disclaimer:  

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 

 

Read More

Share

In The News

Tech Jacks
Derrick Jackson is a IT Security Professional with over 10 years of experience in Cybersecurity, Risk, & Compliance and over 15 Years of Experience in Enterprise Information Technology

Leave A Reply


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.