CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain v1.0.0

CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain Response Playbook

Author:
Cortex XSOAR
Support:
xsoar
URL:
https://www.paloaltonetworks.com/cortex
Case Management

README

CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771, may be chained together, allowing unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint.

Vulnerability Overview

  • Platform Affected: Microsoft SharePoint Server 2016 / 2019 / Subscription Edition
  • CVE IDs:
    • CVE-2025-49706 – Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
    • CVE-2025-49704 – Improper control of generation of code (‘code injection’) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
    • CVE-2025-53770 – Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
    • CVE-2025-53771 – Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
  • CVSS Scores: 7.1, 8.8, 9.8 ,7.1

  • Impact:When chained together, they allow an attacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint.

These flaws enable an attacker to:

  • Spoof authentication
  • Bypass security boundaries
  • Gain remote execution

Mitigation & Recommendations

  • Apply Patches Immediately:
  • Harden SharePoint diagnostic/debug endpoints
  • Rotate SharePoint Server ASP.NET machine keys
  • Check IIS logs for suspicious activity
  • Disable/Isolate unnecessary SharePoint services or endpoints (at least until those servers are patched)

References