CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain v1.0.0
CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain Response Playbook
- Author:
- Cortex XSOAR
- Support:
- xsoar
Case Management
README
CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771, may be chained together, allowing unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint.
Vulnerability Overview
- Platform Affected: Microsoft SharePoint Server 2016 / 2019 / Subscription Edition
- CVE IDs:
- CVE-2025-49706 – Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
- CVE-2025-49704 – Improper control of generation of code (‘code injection’) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-53770 – Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
- CVE-2025-53771 – Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
-
CVSS Scores: 7.1, 8.8, 9.8 ,7.1
- Impact:When chained together, they allow an attacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint.
These flaws enable an attacker to:
- Spoof authentication
- Bypass security boundaries
- Gain remote execution
Mitigation & Recommendations
- Apply Patches Immediately:
- Harden SharePoint diagnostic/debug endpoints
- Rotate SharePoint Server ASP.NET machine keys
- Check IIS logs for suspicious activity
- Disable/Isolate unnecessary SharePoint services or endpoints (at least until those servers are patched)