Cortex XDR - CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain

This playbook should be triggered manually or can be configured as a job. CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771, may be chained together, allowing unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint. ### Vulnerability Overview * **Platform Affected**: Microsoft SharePoint Server 2016 / 2019 / Subscription Edition * **CVE IDs**: * CVE-2025-49706 – Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. * CVE-2025-49704 – Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. * CVE-2025-53770 – Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. * CVE-2025-53771 – Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. * **CVSS Scores**: 7.1, 8.8, 9.8 ,7.1 * **Impact**:When chained together, they allow an attacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint. These flaws enable an attacker to: - Spoof authentication - Bypass security boundaries - Gain remote execution ### Mitigation & Recommendations * Apply Patches Immediately: * [CVE-2025-49706](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706) * [CVE-2025-49704](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704) * [CVE-2025-53770](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770) * [CVE-2025-53771](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771) * Harden SharePoint diagnostic/debug endpoints * Rotate SharePoint Server ASP.NET machine keys * Check IIS logs for suspicious activity * Disable/Isolate unnecessary SharePoint services or endpoints (at least until those servers are patched) --- ### References * [CVE-2025-49706 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49706) * [CVE-2025-49704 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49704) * [CVE-2025-53770 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53770) * [CVE-2025-53771 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53771) * [Microsoft Security Update – July 2025](https://msrc.microsoft.com/update-guide/) * [Unit42 Blog](https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/) --- ### How to trigger the playbook Triggered via: - Cortex XDR alerts: `"CVE Exploitation - 685768089"` or `"CVE Exploitation - 818854253"` or `"CVE Exploitation - 903162508"` - Manual creation of an alert with this playbook. --- ### Playbook Flow 1. Run XQL Queries to detect possible affected servers running Microsoft SharePoint. 2. Search for downloaded or created webshell files using XQL (especially for the known file name artifacts). 3. Run XQL on network events and XDR .net events to determine if there was any usage of the CVEs in the organization. 4. Check for malicious activity on the possible affected hosts for post-exploitation activities (such as running PowerShell encoded commands on the hosts) via additional alerts on the same host. 5. Retrieve IOCs from the Unit42 blog, hunt for those IOCs with XQL, and block malicious indicators. 6. Instruct the analyst on relevant response actions and mitigation steps. --- **Note:** This is a beta playbook. Updates to the pack during the beta phase might include non-backward-compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain · 76 tasks · 0 inputs · 0 outputs

Commands used

associateIndicatorsToIncident closeInvestigation createNewIndicator extractIndicators setIncident xdr-xql-generic-query xdr-xql-get-quota

Flowchart

#error# no yes yes yes No Yes yes yes yes yes #error# yes yes yes yes #error# yes yes yes #error# yes yes yes #error# yes yes yes yes Start Start XQL Query - Search for any SharePoint servers that might be vulnerable - xdr-xql-generic-query XQL Query - Search for an... xdr-xql-generic-query Manual – Search possible hosts Manual – Search possible ... Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Any results from XQL? Any results from XQL? Check XQL Quota - xdr-xql-get-quota Check XQL Quota xdr-xql-get-quota Is there enough quota? Is there enough quota? XQL: Identify SharePoint Instances XQL: Identify SharePoint ... Investigation Investigation Hunt For IOCs Hunt For IOCs Anlysis Endpoints Anlysis Endpoints Collect Indicators Collect Indicators Extract indicators from collected data - extractIndicators Extract indicators from c... extractIndicators Tag and Link Indicators Tag and Link Indicators Tag IP Indicators - createNewIndicator Tag IP Indicators createNewIndicator Tag CVE Indicators - createNewIndicator Tag CVE Indicators createNewIndicator Extract Indicators Extract Indicators Remediation Remediation Mitigation Mitigation Analysis Resolution - Should continue with the investigation? Analysis Resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Link Indicators to Alert - associateIndicatorsToIncident Link Indicators to Alert associateIndicatorsToIncident Tag File Indicators - createNewIndicator Tag File Indicators createNewIndicator Threat Hunting Threat Hunting Are there any SharePoint hosts? Are there any SharePoint ... Web Shell XQL Hunt Web Shell XQL Hunt XQL Query - Search possible web shells - xdr-xql-generic-query XQL Query - Search possib... xdr-xql-generic-query Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Check XQL Quota - xdr-xql-get-quota Check XQL Quota xdr-xql-get-quota Is there enough quota? Is there enough quota? Manual – Search web shells using XQL query and quarantine the files Manual – Search web shell... Mitigation Actions Mitigation Actions Set agent IDs to alert context - setIncident Set agent IDs to alert co... setIncident Are there any suspicious findings? Are there any suspicious... Set Potential File Paths - SetAndHandleEmpty Set Potential File Paths SetAndHandleEmpty Manual Actions - Analyst attention required Manual Actions - Analyst ... Finished Analysis Finished Analysis Any results from threat hunting? Any results from threat h... Review Threat Hunting Results Review Threat Hunting Res... Any results from the manual XQL? Any results from the manu... Set Agent IDs to Alert Context - setIncident Set Agent IDs to Alert Co... setIncident XQL Query - IOCs Hunt - xdr-xql-generic-query XQL Query - IOCs Hunt xdr-xql-generic-query Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Any results from XQL? Any results from XQL? Check XQL Quota - xdr-xql-get-quota Check XQL Quota xdr-xql-get-quota Is there enough quota? Is there enough quota? Set Context key on Found IOCs - SetAndHandleEmpty Set Context key on Found ... SetAndHandleEmpty Exploitation via Network Events Exploitation via Network ... XQL Query - Network Events - xdr-xql-generic-query XQL Query - Network Events xdr-xql-generic-query Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Any results from XQL? Any results from XQL? Check XQL Quota - xdr-xql-get-quota Check XQL Quota xdr-xql-get-quota Is there enough quota? Is there enough quota? Set Found Exploit Activity - SetAndHandleEmpty Set Found Exploit Activity SetAndHandleEmpty Manual – Search For IOCs Manual – Search For IOCs Manual – Check for exploitation in your environment Manual – Check for exploi... Collect Indicators from Unit42 Blog - ParseHTMLIndicators Collect Indicators from U... ParseHTMLIndicators Exploitation via .Net Telemetry Exploitation via .Net Tel... XQL Query - .Net Telemetry - xdr-xql-generic-query XQL Query - .Net Telemetry xdr-xql-generic-query Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Any results from XQL? Any results from XQL? Check XQL Quota - xdr-xql-get-quota Check XQL Quota xdr-xql-get-quota Is there enough quota? Is there enough quota? Set Found Exploit Activity - SetAndHandleEmpty Set Found Exploit Activity SetAndHandleEmpty Manual – Check for exploitation in your environment Manual – Check for exploi... Set Potential Agent IDs to search on - SetAndHandleEmpty Set Potential Agent IDs t... SetAndHandleEmpty Search For Related Alerts On Hosts Search For Related Alerts... Search For Related Alerts On Hosts - SearchIncidentsV2 Search For Related Alerts... SearchIncidentsV2 Any related alerts found? Any related alerts found? Set Evidence Key To context - SetAndHandleEmpty Set Evidence Key To context SetAndHandleEmpty Panorama Query Logs for Related Session - Panorama Query Logs Panorama Query Logs for R... Panorama Query Logs Set Potential Agent IDs to search on - SetAndHandleEmpty Set Potential Agent IDs t... SetAndHandleEmpty Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3