Cortex XDR - CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain
This playbook should be triggered manually or can be configured as a job. CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771, may be chained together, allowing unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint. ### Vulnerability Overview * **Platform Affected**: Microsoft SharePoint Server 2016 / 2019 / Subscription Edition * **CVE IDs**: * CVE-2025-49706 – Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. * CVE-2025-49704 – Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. * CVE-2025-53770 – Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. * CVE-2025-53771 – Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. * **CVSS Scores**: 7.1, 8.8, 9.8 ,7.1 * **Impact**:When chained together, they allow an attacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint. These flaws enable an attacker to: - Spoof authentication - Bypass security boundaries - Gain remote execution ### Mitigation & Recommendations * Apply Patches Immediately: * [CVE-2025-49706](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706) * [CVE-2025-49704](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704) * [CVE-2025-53770](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770) * [CVE-2025-53771](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771) * Harden SharePoint diagnostic/debug endpoints * Rotate SharePoint Server ASP.NET machine keys * Check IIS logs for suspicious activity * Disable/Isolate unnecessary SharePoint services or endpoints (at least until those servers are patched) --- ### References * [CVE-2025-49706 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49706) * [CVE-2025-49704 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49704) * [CVE-2025-53770 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53770) * [CVE-2025-53771 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53771) * [Microsoft Security Update – July 2025](https://msrc.microsoft.com/update-guide/) * [Unit42 Blog](https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/) --- ### How to trigger the playbook Triggered via: - Cortex XDR alerts: `"CVE Exploitation - 685768089"` or `"CVE Exploitation - 818854253"` or `"CVE Exploitation - 903162508"` - Manual creation of an alert with this playbook. --- ### Playbook Flow 1. Run XQL Queries to detect possible affected servers running Microsoft SharePoint. 2. Search for downloaded or created webshell files using XQL (especially for the known file name artifacts). 3. Run XQL on network events and XDR .net events to determine if there was any usage of the CVEs in the organization. 4. Check for malicious activity on the possible affected hosts for post-exploitation activities (such as running PowerShell encoded commands on the hosts) via additional alerts on the same host. 5. Retrieve IOCs from the Unit42 blog, hunt for those IOCs with XQL, and block malicious indicators. 6. Instruct the analyst on relevant response actions and mitigation steps. --- **Note:** This is a beta playbook. Updates to the pack during the beta phase might include non-backward-compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain · 76 tasks · 0 inputs · 0 outputs
Commands used
associateIndicatorsToIncident
closeInvestigation
createNewIndicator
extractIndicators
setIncident
xdr-xql-generic-query
xdr-xql-get-quota