
Microsoft has released official guidance for mitigating ongoing attacks that target a zero-day vulnerability in on-premises SharePoint Server. SharePoint Online in Microsoft 365 is not affected.
The vulnerability is tracked as CVE-2025-53770. Security researchers from Eye Security reported that it is a variant of CVE-2025-49706, which Microsoft addressed in the July 2025 Patch Tuesday release, and that the exploitation seen in the wild chains two vulnerabilities, CVE-2025-49706 (an authentication bypass that Microsoft classifies as spoofing) and CVE-2025-49704 (remote code execution). Security researchers from Code White GmbH dubbed this chain "ToolShell."
At the time of writing, several security vendors have published analyses of the campaign exploiting this critical vulnerability. Microsoft attributed the exploitation to two Chinese state-sponsored threat actors, Linen Typhoon and Violet Typhoon, and to a third China-based actor it tracks as Storm-2603. Indicators of compromise are collected in Section C.
_____________________________
A. Nature of the Vulnerability
CVE-2025-53770
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. Microsoft has since released security updates for the supported on-premises versions (SharePoint Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016); per Microsoft's guidance, the update must be combined with rotating the ASP.NET machine keys and restarting IIS, because a patched server whose keys were already stolen still accepts forged __VIEWSTATE payloads.
_____________________________
B. Nature of the Attack
ToolShell
In the ToolShell chain (CVE-2025-49706 and CVE-2025-49704), CVE-2025-49706 lets an unauthenticated attacker reach the ToolPane.aspx page and CVE-2025-49704 turns that access into code execution on the server. Once code runs on the server, the attacker reads the ASP.NET machineKey material (the validation and decryption keys) from the server's configuration or from process memory. With those secrets the attacker can sign arbitrary __VIEWSTATE payloads that pass the server's MAC validation, so a malicious serialized object graph delivered as ViewState is accepted as trusted and deserialized. This is why the stolen keys matter beyond the initial intrusion: the forgery keeps working after the vulnerability is patched unless the machine keys are rotated.
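To make the cryptographic point concrete, here is an added example that is not code from the original advisory or from any of the cited vendors. It models ASP.NET's __VIEWSTATE integrity check as a plain HMAC-SHA256 over the serialized page state; this is deliberately simplified (real ASP.NET derives purpose-specific keys from the configured validationKey and may also encrypt the ViewState), and the payload here is an opaque byte string rather than a .NET object graph, so nothing is deserialized. The keys and payloads are constructed for the demo. It shows the three outcomes that matter: tampering without the key fails validation, a forgery signed with the leaked key is indistinguishable from a legitimate ViewState, and the same forgery is rejected once the key is rotated.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Append an HMAC-SHA256 tag over the serialized state and base64-encode it.
    Simplified stand-in for ASP.NET's MAC-protected __VIEWSTATE field."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def verify_viewstate(field: str, validation_key: bytes) -> Optional[bytes]:
    """Return the state if the MAC verifies, else None (the real server would
    raise a ViewStateException and never deserialize the contents)."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state


def scenario() -> Dict[str, bool]:
    """Walk through the ToolShell key-theft scenario with constructed keys."""
    # Constructed keys: the server's current machineKey and its replacement after rotation.
    server_key = bytes.fromhex("a1" * 32)
    rotated_key = bytes.fromhex("b2" * 32)

    legitimate = sign_viewstate(b"<serialized page state>", server_key)

    # 1. Without the key an attacker can only flip bytes; the MAC no longer matches.
    raw = bytearray(base64.b64decode(legitimate))
    raw[0] ^= 0xFF
    tampered = base64.b64encode(bytes(raw)).decode("ascii")

    # 2. After ToolShell the attacker holds the leaked validation key and signs a
    #    payload of their choosing (in real attacks, a serialized gadget chain).
    forged = sign_viewstate(b"<attacker-chosen serialized object graph>", server_key)

    return {
        "legitimate_accepted": verify_viewstate(legitimate, server_key) is not None,
        "tampered_without_key_accepted": verify_viewstate(tampered, server_key) is not None,
        "forged_with_leaked_key_accepted": verify_viewstate(forged, server_key) is not None,
        # 3. Rotating the machine key invalidates everything signed with the old one.
        "forged_after_rotation_accepted": verify_viewstate(forged, rotated_key) is not None,
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```

The model is enough to see why "patch only" is not a complete response: the second and third outcomes are identical from the server's point of view until the key changes, which is what Microsoft's machine key rotation step addresses.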
_____________________________
C. Indicators of Compromise (IoCs)
Type | Indicator
IP Address | 107.191.58[.]76
IP Address | 96.9.125[.]147
IP Address | 104.238.159[.]149
IP Address | 103.186.30[.]186
SHA-256 | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
SHA-256 | 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030
SHA-256 | b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70
SHA-256 | fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7
POST request URI | /_layouts/15/ToolPane.aspx?DisplayMode=Edit
IP Address | 131.226.2[.]6
IP Address | 134.199.202[.]205
IP Address | 188.130.206[.]168
IP Address | 139.144.199[.]41
IP Address | 89.46.223[.]88
IP Address | 45.77.155[.]170
IP Address | 154.223.19[.]106
IP Address | 185.197.248[.]131
IP Address | 149.40.50[.]15
IP Address | 64.176.50[.]109
IP Address | 149.28.124[.]70
IP Address | 206.166.251[.]228
IP Address | 95.179.158[.]42
IP Address | 86.48.9[.]38
IP Address | 128.199.240[.]182
IP Address | 212.125.27[.]102
IP Address | 91.132.95[.]60
SHA-256 | 390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e
SHA-256 | 66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082
SHA-256 | 7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95
SHA-256 | d50a7f142a53a8d2358137e74901e093e19047b66f42216163b91f26460d329b
SHA-256 | 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2
URL | c34718cbb4c6.ngrok-free[.]app/file.ps1
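A worked hunting example, added here and not part of the original advisory, showing how the URI and IP indicators above can be applied to IIS logs from a SharePoint front end. It parses IIS W3C log lines by their #Fields: header, flags POST requests to ToolPane.aspx in edit mode, adds weight when the request is unauthenticated (as in the observed chain) or carries the /_layouts/SignOut.aspx Referer that Eye Security reported for ToolShell, and cross-checks the client address against the Section C list. The log sample is constructed for the demo (Section C addresses are refanged so the lines parse like a real log; 198.51.100.7 is an RFC 5737 documentation address standing in for an unknown client), and the field list is a subset of the IIS defaults, so check your own #Fields: header since IIS field selection is configurable.

```python
from __future__ import annotations

from typing import Dict, Iterator, List, Optional

# Constructed IIS W3C sample (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:04 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.44 Mozilla/5.0 - 200
2025-07-19 02:12:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 02:13:02 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit 443 - 198.51.100.7 curl/8.4.0 - 500
2025-07-19 02:14:10 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CONTOSO\\asmith 10.0.0.61 Mozilla/5.0 - 200
"""

# Refanged copy of part of the Section C address list; extend with the full list.
IOC_IPS = {
    "107.191.58.76", "96.9.125.147", "104.238.159.149", "103.186.30.186",
    "131.226.2.6", "134.199.202.205", "188.130.206.168", "139.144.199.41",
}

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misattribute fields
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a request is suspicious (an empty list means benign)."""
    reasons: List[str] = []
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    user = rec.get("cs-username", "-")
    client = rec.get("c-ip", "")

    # The Section C URI indicator: a POST to ToolPane.aspx in edit mode.
    if method == "POST" and stem.endswith(TOOLPANE_STEM) and "displaymode=edit" in query:
        reasons.append("POST to ToolPane.aspx?DisplayMode=Edit (Section C URI indicator)")
        if user == "-":
            reasons.append("request is unauthenticated (cs-username is '-')")
        if "/_layouts/signout.aspx" in referer:
            reasons.append("Referer is /_layouts/SignOut.aspx, as reported for the ToolShell chain")
    if client in IOC_IPS:
        reasons.append(f"client IP {client} is in the Section C IoC list")
    return reasons


def hunt(text: str) -> List[Dict[str, object]]:
    """Run classify() over a whole log and return the suspicious requests with reasons."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            hits.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "c-ip": rec.get("c-ip", ""),
                "uri": rec.get("cs-uri-stem", ""),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["uri"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the sample, the 107.191.58.76 request matches all four checks and the curl request from the unknown address still matches two; the comparisons are case-insensitive because IIS preserves the casing the client sent, and an attacker can vary it. A request that matches the URI indicator but is authenticated is worth a look as well, since legitimate use of ToolPane.aspx in edit mode by a named user is uncommon on most farms.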
_____________________________
D. Actions to be Taken
CERT-PH recommends the following actions:
- Proactively monitor logs and network traffic on on-premises SharePoint servers and the devices around them for suspicious or malicious activity, in particular POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and connections involving the addresses listed in Section C.
- Follow Microsoft's customer guidance: install the latest SharePoint security updates, enable AMSI integration in SharePoint together with Microsoft Defender Antivirus (or disconnect the server from the internet until it can be patched and AMSI enabled), then rotate the ASP.NET machine keys and restart IIS. Because the attack steals the machine keys, patching without rotating them leaves forged __VIEWSTATE payloads valid.
- Use the indicators of compromise in this report for threat hunting and blocking.
- For additional information, refer to the official reports:
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://research.eye.security/sharepoint-under-siege/
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
- https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/