Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)

CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

CISA recommends the following actions to reduce the risks associated with the RCE compromise:

For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
Audit and minimize layout and admin privileges.

For more information on this vulnerability, please see Eye Security’s reporting and Palo Alto Unit42’s post.

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870. 

Disclaimer:

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Related Posts

U.K. Cyber Thug “PlugwalkJoe” Gets 5 Years in Prison

Commerce Department Outlines Proposed National Security Guardrails for CHIPS for America Incentives Program

New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal

Microsoft has another go at closing security hole exploited by Magniber ransomware