
(TLP:CLEAR) WaterISAC Advisory - ACTION MAY BE REQUIRED: Critical Vulnerabilities in SharePoint Servers Actively Exploited (Updated July 22, 2025)

TLP:CLEAR
Created: Tuesday, July 22, 2025 - 12:23
Categories: Cybersecurity

July 22, 2025

ACTION MAY BE REQUIRED by utilities using impacted on-premises Microsoft SharePoint Server.

Today, Microsoft shared additional information regarding the active exploitation of on-premises SharePoint Server vulnerabilities, and CISA updated its alert to correct the list of actively exploited Common Vulnerabilities and Exposures (CVEs), which are now confirmed as CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution (RCE) vulnerability.

Microsoft has observed three China-affiliated threat actors exploiting these vulnerabilities against internet-facing SharePoint servers. Two are nation-state actors tracked as Linen Typhoon and Violet Typhoon. Investigations into additional threat actors exploiting these vulnerabilities remain ongoing. Microsoft assesses with high confidence that threat actors will continue to integrate these exploits into their attacks against unpatched on-premises SharePoint systems.

These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.

These comprehensive security updates address the newly disclosed vulnerability CVE-2025-53770, which is related to the previously disclosed CVE-2025-49704, and the security-feature bypass CVE-2025-53771, which is related to the previously disclosed CVE-2025-49706.

July 21, 2025

ACTION MAY BE REQUIRED by utilities using impacted on-premises Microsoft SharePoint Server.

Summary: Due to reports of active exploitation, utilities that run Microsoft SharePoint Server on-premises are urged to review this advisory and the guidance from CISA and Microsoft to address critical vulnerabilities in SharePoint Server. Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.

What Happened

Microsoft has released emergency patches for two zero-day vulnerabilities in Microsoft SharePoint Server that are under active exploitation. CVE-2025-53770 (CVSS 9.8, critical) and CVE-2025-53771 (CVSS 6.3, medium) are being chained together by attackers, giving an unauthenticated attacker remote code execution and full access to SharePoint content. The exploit chain, which researchers call "ToolShell", uses variants of CVE-2025-49704 and CVE-2025-49706 respectively, both of which were addressed in Microsoft's July 2025 security updates.

  • CVE-2025-53770 is a deserialization of untrusted data vulnerability in SharePoint. Successful exploitation allows threat actors to execute arbitrary code over the network. 
  • CVE-2025-53771 is a path traversal vulnerability in SharePoint. Successful exploitation allows threat actors to conduct network-based spoofing attacks.

Yesterday, CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog and released an additional alert to raise awareness and provide mitigation guidance for these vulnerabilities. CISA has indicated that "ToolShell" exploitation provides unauthorized access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and to execute code over the network.

Why it Matters

"ToolShell" can be exploited by an unauthenticated attacker directly from the public internet, unlike typical SharePoint exploits, which require compromised credentials or other insider access. This significantly lowers the barrier for attackers and has driven a global increase in attacks because of the ease of exploitation.

Although WaterISAC is unaware of any water or wastewater systems impacted by these vulnerabilities at this time, threat intelligence researchers have reported that hundreds of organizations across government, education, and critical infrastructure have already been affected globally.

Mitigation Recommendations

WaterISAC urges members to review the available information and act accordingly, beginning with applying the Microsoft patches for CVE-2025-53770 and CVE-2025-53771. Because of mass exploitation, all organizations should assume that their SharePoint servers were compromised if they were exposed to the internet before the patches were applied; patching closes the entry point but does not evict an attacker who is already present. Microsoft's guidance also directs administrators to rotate the server's ASP.NET machine keys after the update is applied, because keys stolen before patching would otherwise remain usable. Review SharePoint servers for signs of compromise, including IIS logs for suspicious requests and web-accessible directories for files that should not be there. If a successful exploit is suspected, immediately begin your incident response process.
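As an added example, not code from WaterISAC, Microsoft, or CISA, the PowerShell below checks a SharePoint server for the two ToolShell indicators that Microsoft's customer guidance and CISA's alert describe: the exploit's POST to ToolPane.aspx in edit mode with a SignOut.aspx referer (and the follow-on request for the dropped spinstall0.aspx page), and that file's presence in the SharePoint LAYOUTS folders. The IIS log lines at the bottom are constructed for the demonstration; the log path, the LAYOUTS paths, and the `spinstall*.aspx` wildcard are assumptions to adjust for your installation.

```powershell
# Added detection example (not code from WaterISAC, Microsoft, or CISA).
# Indicators: a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer
# of /_layouts/SignOut.aspx, follow-on requests for spinstall0.aspx, and that file
# sitting in the SharePoint LAYOUTS folders. The log lines at the bottom are constructed;
# the log path and LAYOUTS paths are assumptions to adjust for your installation.

function Find-ToolShellRequests {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        # IIS W3C logs declare their columns in a #Fields: header, which can differ per file
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $cols = $line.Trim() -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $stem    = $row['cs-uri-stem']
        $query   = $row['cs-uri-query']
        $referer = $row['cs(Referer)']

        # The exploit request: unauthenticated POST to ToolPane.aspx in edit mode with a
        # SignOut.aspx referer. A 200 is a strong lead; a 401/403 is a blocked attempt.
        $isToolPane = ($row['cs-method'] -eq 'POST') -and
                      ($stem -match '(?i)/_layouts/1[56]/ToolPane\.aspx$') -and
                      ($query -match '(?i)DisplayMode=Edit') -and
                      ($referer -match '(?i)/_layouts/SignOut\.aspx')
        # Follow-on fetch of the dropped page that exposes the ASP.NET machine keys
        $isDropper = $stem -match '(?i)/_layouts/1[56]/spinstall\d*\.aspx$'

        if (-not ($isToolPane -or $isDropper)) { continue }
        $indicator = if ($isToolPane) { 'ToolPane POST with SignOut referer' } else { 'spinstall*.aspx requested' }
        [pscustomobject]@{
            When      = "$($row['date']) $($row['time'])"
            ClientIP  = $row['c-ip']
            Method    = $row['cs-method']
            Path      = $stem
            Status    = $row['sc-status']
            Indicator = $indicator
        }
    }
}

function Find-ToolShellArtifacts {
    param(
        # Assumed default SharePoint hive paths; the 16 hive covers 2016, 2019 and Subscription Edition
        [string[]]$LayoutsDirs = @(
            'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
            'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
        )
    )
    foreach ($dir in $LayoutsDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter 'spinstall*.aspx' -File |
            Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
    }
}

# Constructed sample in IIS W3C format; on a real server read the log instead, e.g.
#   $LogLines = Get-Content -LiteralPath 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250719.log'
$LogLines = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\jsmith 10.0.0.21 Mozilla/5.0 https://sp.example.local/ 200 0 0 120
2025-07-19 03:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.44 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
2025-07-19 03:15:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.44 Mozilla/5.0 - 200 0 0 15
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $LogLines | Format-Table -AutoSize
Find-ToolShellArtifacts | Format-Table -AutoSize
```

On the constructed sample the two requests from 203.0.113.44 are reported and the legitimate start.aspx request is not; the artifact check returns nothing on a machine that has no LAYOUTS folder. Treat any hit as a lead for the incident response process rather than proof on its own: a blocked POST shows the server was targeted, a 200 followed by a spinstall0.aspx request shows the chain most likely succeeded, and either way the machine keys should be rotated after patching as Microsoft's guidance directs.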

See CISA's recommended mitigations for additional guidance. For information on detection, prevention, and advanced threat hunting measures, see Microsoft's Customer Guidance for SharePoint Vulnerability and its advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, that are relevant to the SharePoint platform deployed in their environment.

Additional Resources

Incident Reporting

WaterISAC encourages any members who have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.