{
	"id": "80da67b3-e4fe-45ba-929e-89163ebc6a97",
	"created_at": "2026-04-06T00:10:34.328951Z",
	"updated_at": "2026-04-10T13:11:35.006512Z",
	"deleted_at": null,
	"sha1_hash": "5a536edf20746a82a5a1ebc7812ee5964f383761",
	"title": "Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1129773,
	"plain_text": "Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat\r\nBrief (Updated August 12)\r\nBy Unit 42\r\nPublished: 2025-07-31 · Archived: 2026-04-05 21:08:39 UTC\r\nEnglish\r\nGerman\r\nEnglish\r\nSpanish (LATAM)\r\nFrench\r\nJapanese\r\nKorean\r\nChinese (Traditional)\r\nExecutive Summary\r\nUnit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft\r\nSharePoint customer guidance for the latest information.\r\nUpdate July 31, 2025 \r\nAn investigation into ToolShell exploitation revealed the deployment of 4L4MD4R ransomware, a variant of the open-source Mauri870 ransomware.\r\nA failed exploitation attempt on July 27, 2025, involving an encoded PowerShell command, led to the discovery of a\r\nloader designed to download and execute the ransomware from hxxps://ice.theinnovationfactory[.]it/static/4l4md4r.exe\r\n(145.239.97[.]206).\r\nThe PowerShell command attempted to disable real-time monitoring and bypass certificate validation. Full details are\r\nin the Scope of Attack section.\r\nUpdate July 29, 2025\r\nUnit 42 telemetry captured CVE-2025-53770 exploitation attempts from July 17, 2025, 08:40 UTC, through July 22,\r\n2025, originating from threat activity tracked as CL-CRI-1040.\r\nPre-exploitation vulnerability testing of SharePoint servers by CL-CRI-1040 IP addresses was observed starting July\r\n17, 2025, 06:58 UTC. A static targeting list of SharePoint servers is indicated by the exploitation attempt patterns.\r\nOne of the IP addresses exploiting CVE-2025-53770 as part of CL-CRI-1040 overlaps with the Storm-2603 cluster\r\ndiscussed by Microsoft. We are currently researching this cluster to gain further insight into the actors involved.\r\nhttps://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/\r\nPage 1 of 19\n\nUnit 42 is tracking high-impact, ongoing threat activity targeting self-hosted Microsoft SharePoint servers. 
While SaaS\r\nenvironments remain unaffected, self-hosted SharePoint deployments — particularly within government, schools,\r\nhealthcare (including hospitals) and large enterprise companies — are at immediate risk.\r\nOn-premises Microsoft SharePoint servers are currently facing widespread, active exploitation due to multiple\r\nvulnerabilities, collectively referred to as \"ToolShell\" (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771). These vulnerabilities enable attackers to achieve full remote code execution (RCE) without requiring any\r\ncredentials. A compromised SharePoint server poses a significant risk to organizations, as it can serve as a gateway to\r\nother integrated Microsoft services.\r\nIn addition to the CVE reports, Microsoft has released further guidance on these vulnerabilities. The vulnerabilities,\r\ntheir CVSS scores and their descriptions are detailed in Table 1.\r\nCVE Number | Description | CVSS Score\r\nCVE-2025-49704 | Improper control of generation of code (code injection) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8\r\nCVE-2025-49706 | Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | 6.5\r\nCVE-2025-53770 | Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. | 9.8\r\nCVE-2025-53771 | Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | 6.5\r\nTable 1. List of recent vulnerabilities affecting Microsoft SharePoint.\r\nThese vulnerabilities all apply to Microsoft SharePoint Enterprise Server 2016 and 2019. CVE-2025-49706 and CVE-2025-53770 also apply to Microsoft SharePoint Server Subscription Edition. 
Microsoft has stated that SharePoint\r\nOnline in Microsoft 365 is not impacted.\r\nWe are currently working closely with the Microsoft Security Response Center (MSRC) to ensure that our customers\r\nhave the latest information and we are actively notifying affected customers and other organizations. This situation is\r\nevolving rapidly, so it’s advisable to check Microsoft’s recommendations frequently.\r\nWe have observed active exploitation of these SharePoint vulnerabilities. Active exploitation of ToolShell\r\nvulnerabilities began mid-July 2025 and rapidly intensified following the public release of several proof-of-concept\r\n(PoC) exploits.\r\nAttackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to\r\ngain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing\r\ncryptographic keys.\r\nThe attackers have leveraged these vulnerabilities to get into systems and in some cases are already establishing their\r\nfoothold. If you have SharePoint on-premises exposed to the internet, you should assume that you have been\r\ncompromised. Patching alone is insufficient to fully evict the threat.\r\nWe are urging organizations that are running vulnerable on-premises SharePoint to take the following actions\r\nimmediately:\r\nApply all relevant patches now and as they become available\r\nRotate all cryptographic material\r\nEngage professional incident response\r\nPalo Alto Networks also recommends following Microsoft’s patching or mitigation guidance. 
CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771.\r\nAdditional guidance for CVE-2025-53770 and CVE-2025-53771.\r\nPalo Alto Networks customers are better protected from these vulnerabilities in the following ways:\r\nCortex Xpanse has the ability to identify exposed SharePoint devices on the public internet and escalate these\r\nfindings to defenders. Customers may also opt into Xpanse Attack Surface Testing.\r\nCortex XDR agents version 8.7 with content version 1870-19884 (or 1880-19902) will block known exploitation\r\nactivities related to the exploitation chain of CVE-2025-49704 and CVE-2025-49706 and report known\r\nexploitation activities related to the chain of CVE-2025-53770 and CVE-2025-53771.\r\nCortex has released a playbook as part of the Cortex Response and Remediation Pack.\r\nCortex Cloud agents version 8.7 with content version 1880-20113 (or 1890-20101) will block known\r\nexploitation activities related to the exploitation chain of both CVE-2025-49704, CVE-2025-49706 as well as\r\nCVE-2025-53770, CVE-2025-53771.\r\nAdvanced URL Filtering and Advanced DNS Security identify known IP addresses associated with this activity\r\nas malicious.\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block all four\r\nCVEs associated with ToolShell: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771.\r\nThe Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive\r\nassessment.\r\nVulnerabilities Discussed\r\nCVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771\r\nDetails of the Vulnerabilities\r\nCVE-2025-49704 and CVE-2025-49706 are a critical set of vulnerabilities that impact Microsoft SharePoint, allowing\r\nunauthenticated threat actors to access functionality that's normally restricted. 
When chained together, they allow an\r\nattacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint.\r\nActive attacks are targeting on-premises SharePoint Server customers by exploiting a variant of CVE-2025-49706. This\r\nnew variant has been assigned CVE-2025-53770. Microsoft has also announced a fourth SharePoint vulnerability\r\nassigned CVE-2025-53771.\r\nWhat makes these vulnerabilities especially concerning is SharePoint’s deep integration with Microsoft’s platform,\r\nincluding services like Office, Teams, OneDrive and Outlook, which hold significant information that’s valuable\r\nto attackers. A compromise in this situation doesn’t stay contained; it opens the door to the entire network.\r\nCurrent Scope of the Attack Using CVE-2025-49706, CVE-2025-49704, CVE-2025-53770 and CVE-2025-53771\r\nUpdate July 31, 2025 – Exploitation of ToolShell for Ransomware\r\nAn investigation into ToolShell exploitation revealed the deployment of 4L4MD4R ransomware, a variant of the open-source Mauri870 ransomware. A failed exploitation attempt on July 27, 2025, involving an encoded PowerShell\r\ncommand, led to the discovery of a loader designed to download and execute the ransomware from\r\nhxxps://ice.theinnovationfactory[.]it/static/4l4md4r.exe (145.239.97[.]206). The PowerShell command attempted to\r\ndisable real-time monitoring and bypass certificate validation.\r\nAnalysis of the 4L4MD4R payload revealed that it is UPX-packed and written in Go. Upon execution, the sample\r\ndecrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new\r\nthread to execute it. 
The ransomware encrypts files and demands a ransom of 0.005 BTC, providing a contact email\r\n(m4_cruise@proton[.]me) and a Bitcoin wallet address (bc1qqxqe9vsvjmjqc566fgqsgnhlh87fckwegmtg6p) for\r\npayment.\r\nThe ransomware generates two files on the desktop: DECRYPTION_INSTRUCTIONS.html (the ransom note) and\r\nENCRYPTED_LIST.html (a list of encrypted files), as is seen in the Mauri870 ransomware source code.\r\nAdditionally, the sample had a configured C2 server, bpp.theinnovationfactory[.]it:445, to which it sends an encrypted JSON\r\nobject via a POST request.\r\nFigures 1a and 1b show the ransom note and the decryption instructions from the attackers, respectively.\r\nFigure 1a. Ransom note from 4L4MD4R.\r\nFigure 1b. Decryption instructions.\r\nUpdate July 29, 2025 – Overlap of Activity With Storm-2603\r\nUnit 42 collected and analyzed activity related to CVE-2025-53770 exploitation attempts from internal telemetry\r\nsources. We first observed CVE-2025-53770 exploitation on July 17, 2025, as early as 08:40 UTC, through July 22,\r\n2025, from IP addresses we track in a cluster named CL-CRI-1040. Starting on July 17, 2025, 06:58 UTC, we observed\r\nIP addresses associated with CL-CRI-1040 testing SharePoint servers to check if they were vulnerable before\r\nexploitation attempts. Also, we noticed a pattern in exploitation attempts that suggests the actors are using a static\r\ntargeting list of SharePoint servers.\r\nThe actors associated with this activity appear to have adjusted their tactics and techniques within this short time frame\r\nby rapidly changing infrastructure and payloads in an attempt to evade detection. These actors pivoted from delivering\r\n.NET modules as payloads upon successful exploitation to a web shell payload with similar functionality. 
After the web\r\nshells were discussed in public blogs, we observed the actors reverting to delivering the previously seen .NET\r\nmodules as payloads.\r\nFrom an attribution perspective, one of the IP addresses exploiting CVE-2025-53770 as part of CL-CRI-1040 overlaps\r\nwith the Storm-2603 cluster discussed by Microsoft. We are currently researching this cluster to gain further insight into\r\nthe actors involved.\r\nInitial Reconnaissance\r\nBefore attempting to exploit CVE-2025-53770, the threat actors appeared to perform an initial phase of reconnaissance\r\nto make sure the remote servers were running a vulnerable version of SharePoint. Starting July 17, 2025, 06:58 UTC,\r\nwe observed HTTP GET requests for /_layouts/15/ToolPane.aspx?DisplayMode=Edit\u0026a=/ToolPane.aspx with a User-Agent of python-requests/2.32.3 and no referrer field from the following IP addresses:\r\n45.86.231[.]241\r\n51.161.152[.]26\r\n91.236.230[.]76\r\n92.222.167[.]88\r\nAccording to Cortex Xpanse telemetry, all of these IP addresses are exit nodes associated with the Safing Privacy\r\nNetwork (SPN). We believe the actor attempted to hide their location by using SPN to send these HTTP GET requests\r\nfrom a test script to check the actor's targeting list prior to exploitation attempts. 
We believe the actor was using a\r\ntargeting list because the HTTP POST requests from the exploitation attempts hit the targets in the same sequential order\r\nas the earlier HTTP GET requests. The exploitation attempts came from the following IP addresses:\r\n96.9.125[.]147\r\n107.191.58[.]76\r\n104.238.159[.]149\r\nPayloads Delivered\r\nAs previously mentioned, the following IP addresses are associated with CL-CRI-1040 even though they deliver\r\ndifferent payloads upon successful exploitation of CVE-2025-53770:\r\n96.9.125[.]147\r\n107.191.58[.]76\r\n104.238.159[.]149\r\nTelemetry confirmed that 96.9.125[.]147 initiated SharePoint vulnerability exploitation at 08:58 UTC on July 17,\r\ndelivering a custom .NET assembly module named qlj22mpc as a payload. The next day, on July 18, the IP address\r\ndelivered a new payload named bjcloiyq. Both of these .NET modules would exfiltrate cryptographic MachineKeys\r\nfrom the SharePoint server in a pipe-delimited (“|”) string within the HTTP response that the actor could use for future\r\naccess to the server.\r\nOn July 18 and 19, the CL-CRI-1040 IP addresses 107.191.58[.]76 and 104.238.159[.]149 delivered a completely new\r\npayload upon successful exploitation of CVE-2025-53770. Instead of running a .NET module after exploiting the\r\nvulnerability, these IP addresses delivered a payload that runs an encoded PowerShell command, discussed in the\r\nVariation 2 and Variation 3 sections, to write a web shell to spinstall0.aspx.\r\nThis web shell was delivered to exfiltrate cryptographic MachineKeys from the SharePoint server in a pipe-delimited\r\n(“|”) string when accessing spinstall0.aspx, which responds with the same MachineKeys fields in the same order as the\r\npreviously mentioned .NET modules.\r\nThe actors associated with CL-CRI-1040 who exploit CVE-2025-53770 show an ability to adjust their tactics and\r\ntechniques during an operation. They pivoted from .NET modules as payloads to a web shell payload with similar\r\nfunctionality. 
They then reverted to using .NET modules as payloads after the web shells were discussed in public\r\nblogs, such as Eye Security’s research blog on the exploitation of CVE-2025-53770.\r\nTargeting List\r\nWe noticed a targeting pattern that suggests the actors employed a targeting list. We ordered their activity based on time\r\nand took a sampling of the activity across four distinct targets. We will refer to the targets as IPv4 1, IPv4 2, IPv4 3 and\r\nDomain 1 to redact the impacted organizations.\r\nFirst, we observed 91.236.230[.]76 performing HTTP GET requests for /_layouts/15/ToolPane.aspx?DisplayMode=Edit\u0026a=/ToolPane.aspx in the following order:\r\nIPv4 1 – July 17, 2025, 07:29 UTC\r\nIPv4 2 – July 17, 2025, 07:32 UTC\r\nIPv4 3 – July 17, 2025, 07:33 UTC\r\nDomain 1 – July 17, 2025, 07:52 UTC\r\nWe then observed the 96.9.125[.]147 IP address issuing HTTP POST requests for /_layouts/15/ToolPane.aspx?DisplayMode=Edit\u0026a=/ToolPane.aspx with a referrer of /_layouts/SignOut.aspx when attempting to exploit the\r\nSharePoint vulnerability on the same target aliases in the same order:\r\nIPv4 1 – July 17, 2025, 09:31 UTC\r\nIPv4 2 – July 17, 2025, 09:36 UTC\r\nIPv4 3 – July 17, 2025, 09:37 UTC\r\nDomain 1 – July 17, 2025, 10:17 UTC\r\nThe next day, on July 18, 2025, we saw 107.191.58[.]76 issuing an HTTP POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit\u0026a=/ToolPane.aspx followed by an HTTP GET request to /_layouts/15/spinstall0.aspx in the same\r\norder:\r\nIPv4 1 – July 18, 2025, 14:01 UTC\r\nIPv4 2 – July 18, 2025, 14:05 UTC\r\nIPv4 3 – July 18, 2025, 14:07 UTC\r\nDomain 1 – July 18, 2025, 15:01 UTC\r\nLastly, the next day (July 19, 2025) we saw the same HTTP POST and GET request activity from 104.238.159[.]149 as\r\n107.191.58[.]76:\r\nIPv4 1 – July 19, 2025, 03:43 UTC\r\nIPv4 2 – July 19, 2025, 03:48 
UTC\r\nIPv4 3 – July 19, 2025, 03:49 UTC\r\nDomain 1 – July 19, 2025, 04:41 UTC\r\nThe pattern above shows the same sequence of targets with a similar delta between the individual events across the\r\ninitial set of testing requests, followed by the three sets of exploitation requests.\r\nAttribution\r\nThe CL-CRI-1040 IP address 104.238.159[.]149 seen exploiting CVE-2025-53770 was also attributed by Microsoft to\r\ntheir cluster named Storm-2603. Microsoft also mentioned that Storm-2603 delivered a web shell named spinstall0.aspx\r\nwith a SHA256 hash of 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514, which is a direct\r\noverlap with our observations of activity associated with 104.238.159[.]149. We assess with moderate confidence that\r\nCL-CRI-1040 overlaps with Storm-2603 and will continue to analyze activity associated with CL-CRI-1040 to gain\r\nmore insight into this cluster.\r\nUnit 42, and other organizations including Microsoft, have observed widespread active exploitation of these\r\nvulnerabilities.\r\nOur telemetry reveals a clear evolution in the SharePoint ToolShell attack campaign, progressing through two distinct\r\nphases:\r\nA pre-PoC phase\r\nA widespread post-PoC phase\r\nBased on endpoint telemetry, we have created an activity volume representation that illustrates patterns observed over\r\ntime, shown in Figure 2.\r\nFigure 2. Activity volume over time based on endpoint telemetry.\r\nActivity Timeline\r\nMay 17, 2025: Cyber Security News reported that at Pwn2Own Berlin, Dinh Ho Anh Khoa (@_l0gg) of Viettel\r\nCyber Security chained together two vulnerabilities in SharePoint to gain unauthorized access. These would\r\nbecome CVE-2025-49704 and CVE-2025-49706. @_l0gg later named this attack chain “ToolShell.”\r\nJuly 8, 2025: Microsoft published CVE-2025-49704 and CVE-2025-49706. 
At the time of publishing, Microsoft\r\nindicated that exploitation had not yet been seen.\r\nJuly 14, 2025: Less than a week after the CVE records were published, the offensive security team from Code\r\nWhite GmbH demonstrated that they could reproduce an unauthenticated exploit chain associated with these\r\nvulnerabilities in SharePoint.\r\nJuly 19, 2025: Microsoft published information on CVE-2025-53770 and CVE-2025-53771. Exploitation had\r\nalready been seen at the time of publication and Microsoft noted that CVE-2025-53770 was a variant of CVE-2025-49706.\r\nAs of July 21, 2025, multiple PoCs have been posted on GitHub.\r\nThe Unit 42 Managed Threat Hunting team has identified three different variations of exploitation activity, as early as July\r\n17.\r\nVariation 1\r\nIn this variation, we observed a command shell invoking a PowerShell command. It attempted\r\nto iterate through web.config files on the endpoint and store the contents of those files into a file named debug_dev.js.\r\nFigure 3 shows the commands observed.\r\nFigure 3. Commands seen in active exploitation of the SharePoint vulnerability.\r\nThe commands shown in Figure 3 perform the following actions:\r\nSetting the source directory to iterate over for web.config files\r\nCreating an empty file named debug_dev.js\r\nIterating over the source directory for web.config files\r\nIf the web.config file exists, adding the data from web.config to debug_dev.js\r\nVariation 2\r\nIn another variation, we observed the IIS Process Worker (w3wp.exe) invoking a command shell to execute a Base64-encoded PowerShell command shown below in Figure 4.\r\nFigure 4. 
Base64-encoded PowerShell command seen in this variation.\r\nThe command noted in Figure 4 creates a file at\r\nC:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx and then decodes\r\nthe contents of the Base64 string contained in the variable $base64string into that file. The spinstall0.aspx file is a web shell\r\nthat can execute various functions to retrieve the ValidationKeys, DecryptionKeys and CompatibilityMode of the\r\nserver, which are needed to forge ViewState encryption keys.\r\nFigure 5 shows the content of the spinstall0.aspx file created by the command from Figure 4.\r\nFigure 5. Content of spinstall0.aspx.\r\nVariation 3\r\nThis variation is almost identical to Variation 2, but with a few minor differences:\r\nWriting the spinstall0.aspx file to the following path:\r\nC:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS\\spinstall0.aspx\r\nThe difference being the directory of 15 versus 16\r\nRenaming of variables to single characters\r\nCalling the sleep function at the end\r\nFigure 6 below shows an example of this variation.\r\nFigure 6. Variation 3 of the exploitation activity.\r\nInterim Guidance\r\nPalo Alto Networks and Unit 42 are working closely with the MSRC and recommend the following critical steps:\r\nContain the threat: Immediately disconnect vulnerable on-premises SharePoint servers from the internet until\r\nthey can be fully secured and remediated.\r\nPatch and harden: Apply all relevant security patches from Microsoft as they become available. Crucially, all\r\ncryptographic material must be rotated, and associated credentials must be reset.\r\nEngage professional incident response: A false sense of security can lead to prolonged exposure. 
We strongly\r\nurge affected organizations to engage a professional incident response team to conduct a thorough compromise\r\nassessment, hunt for established backdoors and ensure the threat is fully eradicated from the environment.\r\nPalo Alto Networks also recommends following Microsoft’s patching or mitigation guidance:\r\nCVE-2025-49704\r\nCVE-2025-49706\r\nCVE-2025-53770\r\nCVE-2025-53771\r\nSee Microsoft’s additional guidance for CVE-2025-53770 and CVE-2025-53771. Microsoft states that the update for\r\nCVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.\r\nUpdate July 25, 2025: Microsoft recommends the following for machine key rotation.\r\n1. Apply Microsoft’s security update\r\n2. Rotate ASP.NET machine keys\r\n3. Restart the IIS web server\r\nUnit 42 Managed Threat Hunting Queries\r\nThe Unit 42 Managed Threat Hunting team continues to track any attempts to exploit these vulnerabilities across our\r\ncustomers, using Cortex XDR and the XQL queries below. 
Cortex XDR customers can also use these XQL queries to\r\nsearch for signs of exploitation.\r\n// Note: This query will only work on agents 8.7 or higher\r\n// Description: This query leverages DotNet telemetry to identify references to ToolPane.aspx, and extracts fields to provide additional context.\r\ndataset = xdr_data\r\n| fields _time, agent_hostname, actor_effective_username, actor_process_image_name,\r\nactor_process_image_path, actor_process_command_line, dynamic_event_string_map,\r\nevent_thread_context, event_type\r\n| filter event_type = ENUM.DOT_NET and actor_process_image_name = \"w3wp.exe\" and\r\nevent_thread_context contains \"ToolPane.aspx\"\r\n// Extract the IIS application pool name from the command line\r\n| alter IIS_appName = arrayindex(regextract(actor_process_command_line, \"\\-ap\\s+\\\"([^\\\"]+)\\\"\"), 0)\r\n// Extract fields from the dynamic_event_string_map:\r\n// EventSrcIP - IP address logged by the IIS server\r\n// RequestURI - The URL requested by the threat actor\r\n// Payload - The decoded .NET payload from exploitation\r\n// Headers - HTTP request headers\r\n| alter EventSrcIP = trim(json_extract(dynamic_event_string_map, \"$.27\"), \"\\\"\"),\r\n        RequestURI = trim(json_extract(dynamic_event_string_map, \"$.26\"), \"\\\"\"),\r\n        Payload = trim(json_extract(dynamic_event_string_map, \"$.30\"), \"\\\"\"),\r\n        Headers = trim(json_extract(dynamic_event_string_map, \"$.32\"), \"\\\"\")\r\n// Extract the X-Forwarded-For headers from the Headers field in an attempt to identify the source of exploitation\r\n| alter x_forwarded_for_header = regextract(lowercase(Headers), 
\"\\|(?:client-ip|x-forwarded-for)\\:((?:25[0-\r\n5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(?:\\.(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3})\\|\")\r\n| fields _time, agent_hostname, actor_effective_username, actor_process_image_path,\r\nactor_process_command_line, IIS_appName, dynamic_event_string_map, event_thread_context, EventSrcIP,\r\nx_forwarded_for_header, RequestURI, Payload, Headers\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n// Description: This query identifies specific files being written to the observed file paths during exploitation.\r\nThis query may identify false-positive, legitimate files.\r\ndataset = xdr_data\r\n| fields _time, agent_hostname, causality_actor_process_image_name,\r\ncausality_actor_process_command_line, actor_process_image_name, actor_process_command_line,\r\naction_file_name, action_file_path, action_file_extension, action_file_sha256, event_type, event_sub_type\r\n| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_WRITE,\r\nENUM.FILE_CREATE_NEW) and lowercase(action_file_path) ~= \"web server extensions\\\\1[5-\r\n6]\\\\template\\\\layouts\" and lowercase(action_file_extension) in (\"asp\", \"aspx\", \"js\", \"txt\", \"css\")\r\n| filter lowercase(actor_process_image_name) in (\"powershell.exe\", \"cmd.exe\", \"w3wp.exe\")\r\n| comp values(action_file_name) as action_file_name, values(action_file_path) as action_file_path,\r\nvalues(actor_process_command_line) as actor_process_command_line by agent_hostname,\r\nactor_process_image_name addrawdata = true\r\n1\r\n2\r\n3\r\n4\r\n// Description: This query identifies the IIS Process Worker, w3wp invoking a command shell which executes\r\na base64 encodedPowerShell command. 
// This is not specific to the CVE and may catch other post-exploitation activity.\r\ndataset = xdr_data\r\n| fields _time, agent_hostname, causality_actor_process_image_name, actor_process_image_name,\r\nactor_process_command_line, action_process_image_name, action_process_image_command_line,\r\nevent_type, event_sub_type\r\n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and\r\nlowercase(causality_actor_process_image_name) = \"w3wp.exe\" and lowercase(actor_process_image_name) =\r\n\"cmd.exe\" and lowercase(action_process_image_name) = \"powershell.exe\" and\r\naction_process_image_command_line ~= \"(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}={2})\"\r\nConclusion\r\nBased on observations of in-the-wild exploitation and the ease and effectiveness of this exploit, Palo Alto Networks\r\nhighly recommends following Microsoft’s guidance to protect your organization. Palo Alto Networks and Unit 42 will\r\ncontinue to monitor the situation for updated information.\r\nPalo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use\r\nthis intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.\r\nLearn more about the Cyber Threat Alliance.\r\nPalo Alto Networks customers are better protected by our products, as listed below. 
We will update this threat brief as\r\nmore relevant information becomes available.\r\nPalo Alto Networks Product Protections for Active Exploitation of Microsoft\r\nSharePoint Vulnerabilities\r\nPalo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against\r\nthis threat.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nNext-Generation Firewalls With Advanced Threat Prevention\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block CVE-2025-49704,\r\nCVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 exploitation via the following Advanced Threat Prevention\r\nsignatures: 96481, 96436 and 96496.\r\nCloud-Delivered Security Services for the Next-Generation Firewall\r\nAdvanced URL Filtering and Advanced DNS Security identify known IP addresses associated with this activity as\r\nmalicious.\r\nCortex\r\nCortex has released a playbook as part of the Cortex Response and Remediation Pack.\r\nTriggered by a SharePoint “ToolShell” alert or a manual kick‑off, the playbook first fingerprints every SharePoint host\r\nvia a lightweight XQL query. 
It then hunts in parallel for:\r\nNewly written web shells on the disk\r\nTraffic logs for the CVE exploitation and web shell access\r\n.NET telemetry to pull attacker IPs and payloads\r\nIoCs that merge Unit 42 indicators with locally extracted data\r\nPre- and post-exploitation behavior\r\nAny confirmed indicators are automatically blocked.\r\nThe run closes by surfacing machine key rotation, the July 2025 patch links and a centralized view of threat hunting\r\nfindings.\r\nCortex Cloud\r\nCortex Cloud version 1.2 can find the vulnerabilities and block known exploitation activities related to the exploitation\r\nchain of CVE-2025-49704 and CVE-2025-49706 and report known exploitation activities related to the chain of CVE-2025-53770 and CVE-2025-53771.\r\nCortex XDR and XSIAM\r\nCortex XDR agents version 8.7 with content version 1880-20113 (or 1890-20101) will block known exploitation\r\nactivities related to the exploitation chain of both CVE-2025-49704, CVE-2025-49706 as well as CVE-2025-53770,\r\nCVE-2025-53771. Customers are advised to review the email sent to them by Product Management to ensure they receive\r\nsaid protection.\r\nCortex Xpanse\r\nCortex Xpanse has the ability to identify exposed SharePoint devices on the public internet and escalate these findings\r\nto defenders. Customers may also opt into Xpanse Attack Surface Testing, which allows customers to initiate an\r\nexternal vulnerability scan for CVE-2025-53770 across their exposed SharePoint servers. Customers can enable\r\nalerting on internet-exposed SharePoint servers by ensuring that the SharePoint Server Attack Surface Rule is enabled. Identified\r\nfindings can either be viewed in the Threat Response Center or in the incident view of Expander. 
These findings are\r\nalso available for Cortex XSIAM customers who have purchased the ASM module.\r\nIndicators of Compromise\r\nTable 2 shows a list of indicators associated with SharePoint exploitation activity observed by Unit 42 and their\r\ndescription.\r\nTable 2. Indicators associated with SharePoint exploitation activity observed by Unit 42.\r\nAdditional Resources\r\nDisrupting active exploitation of on-premises SharePoint vulnerabilities – Microsoft Security\r\nUnit 42 Threat Briefing | Defending Against Active Microsoft SharePoint Exploits – Unit 42 Threat Briefing\r\nWebinar on BrightTALK\r\nUpdated July 21 at 7:00 p.m. ET to clarify chaining description.\r\nUpdated July 22 at 7:30 a.m. PT to add additional Palo Alto Networks product protections language and eight\r\nadditional indicators.\r\nUpdated July 22 at 11:30 a.m. PT to add additional Palo Alto Networks product protections language for Next\r\nGeneration Firewalls including Threat Prevention signatures. Also added new mitigation information from Microsoft\r\non machine key rotation.\r\nUpdated July 22 at 3:00 p.m. PT to update Table 1 including revised CVSS scores. 
Also updated the second Managed\r\nThreat Hunting query. \r\nUpdated July 24 at 7:15 a.m. PT to include product protections information for Cortex Cloud. Added Additional\r\nResources section. \r\nUpdated July 24 at 3:25 p.m. PT to update some language in Executive Summary, changing \"on-premises\" to \"self-hosted\" and \"cloud\" to \"SaaS.\" Updated Additional Resources. \r\nUpdated July 25 at 3:35 p.m. PT to add more information on attack scope, including graph of activity volume over\r\ntime. Added Cortex Playbook to Product Protections section as well as an additional Threat Prevention signature.\r\nUpdated Cortex XDR protections information. Updated advice from Microsoft on machine key rotation.\r\nUpdated July 29 at 4:00 p.m. PT with a significant update on threat group activity tracked as CL-CRI-1040 with some\r\nactivity overlapping with Storm-2603. Added details to Scope of Attack section including Initial Reconnaissance,\r\nPayloads Delivered, Targeting List and Attribution sections. Updated the Indicators of Compromise section and added\r\nan initial indicator.  \r\nUpdated July 31 at 3:30 p.m. PT with a significant update on 4L4MD4R ransomware delivered via exploitation of\r\nToolShell to the Scope of Attack section. Added related indicators to Indicators of Compromise section. \r\nUpdated August 12 at 5:00 p.m. 
PT to note that all four CVEs are covered with Advanced Threat Prevention.\r\nTable of Contents\r\nExecutive Summary\r\nDetails of the Vulnerabilities\r\nCurrent Scope of the Attack Using CVE-2025-49706, CVE-2025-49704, CVE-2025-53770 and CVE-2025-53771\r\nUpdate July 31, 2025 – Exploitation of ToolShell for Ransomware\r\nUpdate July 29, 2025 – Overlap of Activity With Storm-2603\r\nInitial Reconnaissance\r\nPayloads Delivered\r\nTargeting List\r\nAttribution\r\nActivity Timeline\r\nVariation 1\r\nVariation 2\r\nVariation 3\r\nInterim Guidance\r\nUnit 42 Managed Threat Hunting Queries\r\nConclusion\r\nPalo Alto Networks Product Protections for Active Exploitation of Microsoft SharePoint Vulnerabilities\r\nNext-Generation Firewalls With Advanced Threat Prevention\r\nCloud-Delivered Security Services for the Next-Generation Firewall\r\nCortex\r\nCortex Cloud\r\nCortex XDR and XSIAM\r\nCortex Xpanse\r\nIndicators of Compromise\r\nAdditional Resources",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/"
	],
	"report_names": [
		"microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770"
	],
	"threat_actors": [
		{
			"id": "1c98eeb8-c867-4d83-83bd-afe64822c122",
			"created_at": "2025-08-20T02:04:43.136556Z",
			"updated_at": "2026-04-10T02:00:03.834617Z",
			"deleted_at": null,
			"main_name": "GOLD SALEM",
			"aliases": [
				"Storm-2603 ",
				"Warlock Group"
			],
			"source_name": "Secureworks:GOLD SALEM",
			"tools": [
				"AV Killer",
				"Babuk",
				"Cloudflared",
				"Everything",
				"Impacket",
				"LockBit",
				"Mimikatz",
				"PsExec",
				"Velociraptor",
				"Warlock"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7420db21-a401-4518-8eac-f27fcd5869ca",
			"created_at": "2025-07-24T02:00:03.054727Z",
			"updated_at": "2026-04-10T02:00:02.904838Z",
			"deleted_at": null,
			"main_name": "Storm-2603",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2603",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a536edf20746a82a5a1ebc7812ee5964f383761.pdf",
		"text": "https://archive.orkl.eu/5a536edf20746a82a5a1ebc7812ee5964f383761.txt",
		"img": "https://archive.orkl.eu/5a536edf20746a82a5a1ebc7812ee5964f383761.jpg"
	}
}