CISA Updates Alert on Actively Exploited Microsoft SharePoint Vulnerability Chain

Active exploitation of a SharePoint vulnerability chain has prompted CISA to update its alert, adding urgency for enterprises still running on-premises SharePoint. The chain, tracked as CVE-2025-49704 and CVE-2025-49706, gives an attacker code execution on the server without valid credentials and a springboard for rapid lateral movement, with observed follow-on activity ranging from data theft to ransomware deployment. SharePoint Online in Microsoft 365 is not affected. This post breaks down what happened, how attackers are operating, and what defenders should do today.

Background

Starting in late July 2025, CISA updated its advisory and Known Exploited Vulnerabilities (KEV) catalog to cover a SharePoint vulnerability chain affecting on-premises Microsoft SharePoint Server deployments (SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016). Multiple incident response teams reported real-world compromises of midsize and large enterprises across government, manufacturing, professional services, and healthcare sectors. Attribution remains mixed: some intrusions align with financially motivated actors that ultimately deploy ransomware, while others show tradecraft suggestive of espionage-focused groups prioritizing persistence and collection. Microsoft had already shipped fixes for the two CVEs in its July 2025 security updates; mass exploitation began afterwards, against servers that had not applied them or that remained exposed through patch-bypass variants Microsoft later fixed out of band, and it accelerated once the technique was discussed publicly and attacker infrastructure scaled up scanning for exposed SharePoint sites.

Technical Analysis

The exploitation chain centers on two CVEs that, when combined, allow an attacker with nothing more than HTTP access to a SharePoint web front end to reach arbitrary code execution on the underlying server, with no valid credentials at any stage. While precise implementation details vary by SharePoint version and configuration, observed attack flows share several characteristics:

1) Initial Access (no credentials required): The chain is reachable from any client that can send requests to a SharePoint web front end, so an internet-facing server is the only precondition. Credentials still matter after landing: the attacker inherits whatever the application pool identity can reach, and in several cases leveraged service accounts with broader-than-necessary permissions to widen access. Phishing, password spraying against exposed login portals, and reuse of breached credentials were also reported in some intrusions, but the chain itself does not depend on them.

2) Vulnerability Class and Chain Behavior:
- CVE-2025-49706: An improper-authentication (spoofing) flaw in SharePoint's request handling. A crafted request to a SharePoint application page is processed as though it came from an authenticated user, so the attacker reaches functionality that is normally exposed only after sign-in. This is the half of the chain that removes the credential requirement.
- CVE-2025-49704: A code-injection flaw in the application page the attacker can now reach. User-controlled input is insufficiently validated and ends up interpreted as server-side code (the related bypass variant, CVE-2025-53770, is classified as deserialization of untrusted data). Triggered through the access granted by 49706, it yields execution under the SharePoint application pool identity (often a privileged domain service account), enabling file writes and command execution on the host. Microsoft assigned CVE-2025-53770 and CVE-2025-53771 to variants that bypassed the initial fixes for these two bugs, and the in-the-wild activity exercised both pairs.

3) Attack Vector in the Wild: Adversaries send crafted requests directly to application pages under the SharePoint layouts path, with no prior sign-in, and use the resulting code execution to write a loader to disk (typically a crafted .aspx page under the SharePoint or IIS content directories) or to drive deserialization paths that load attacker-controlled objects. In the observed intrusions the first-stage .aspx frequently did one job before anything else: read the farm's ASP.NET machine keys (ValidationKey and DecryptionKey) out of configuration. With those keys the attacker can sign their own __VIEWSTATE payloads, which gives a second, patch-resistant route to code execution on every front end that shares the keys. A lightweight web shell for command execution, file transfer, and credential access usually follows.

4) Post-Exploitation Behavior: Once web shell access is established, threat actors commonly:
- Enumerate the farm topology and service accounts.
- Dump LSASS, using comsvcs.dll MiniDump or Procdump, for credential access where EDR is weak.
- Use PowerShell remoting, WMI, or PsExec for lateral movement.
- Stage C2 beacons (e.g., HTTP/S over 443) and deploy tooling under SharePoint or IIS directories.
- For financial actors: pivot to high-value shares and deploy ransomware; for espionage actors: exfiltrate SharePoint content, SharePoint Search indexes, and file shares via compressed archives or cloud sync abuse.

Indicators observed include anomalous uploads to SharePoint-managed paths, unexpected .aspx files under the layouts and web application content directories, spikes in w3wp.exe spawning cmd.exe or powershell.exe, requests to application pages that succeed with no authenticated user recorded in the IIS log, and suspicious modifications to web.config or the Global Assembly Cache (GAC) in advanced cases.
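As an added illustration, not part of the original post and not a published vendor or CISA rule, the following Python evaluates process-creation telemetry against the w3wp.exe parent/child indicator listed above. The events are constructed to resemble normalised Windows Security 4688 / Sysmon event ID 1 records; the hostnames, account, PIDs and command lines are invented, and the child-process list and command-line patterns are this example's own choices.

```python
"""Flag IIS worker processes (w3wp.exe) launching shells or LOLBins.

Input events are constructed to mimic normalised Windows Security event 4688 /
Sysmon event ID 1 records (they are not real telemetry). Field names follow the
Sysmon convention: Image, ParentImage, CommandLine, User, Computer, UtcTime.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Children an IIS worker process hosting SharePoint should not normally launch.
# csc.exe is deliberately absent: ASP.NET compiles pages through it, so it is noisy
# on SharePoint and belongs in a baseline, not in an alert.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}

# Command-line fragments that raise severity: encoded PowerShell, download cradles,
# and LSASS dumping via comsvcs.dll or Procdump (see post-exploitation behaviour above).
HIGH_RISK_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|downloadstring|invoke-webrequest|\biex\b|comsvcs\.dll|procdump)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    utc_time: str
    user: str
    child: str
    severity: str
    command_line: str


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if w3wp.exe spawned a suspicious child, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != "w3wp.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    severity = "high" if HIGH_RISK_ARGS.search(cmdline) else "medium"
    return Finding(event.get("Computer", "?"), event.get("UtcTime", "?"),
                   event.get("User", "?"), child, severity, cmdline)


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Evaluate a stream of events and keep only the hits, in input order."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events. The app pool account, hostname and PIDs are invented.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    # Expected on SharePoint: ASP.NET compiling a page on first request.
    {"Computer": "SP-WFE01", "UtcTime": "2025-07-19 02:10:06", "User": r"CONTOSO\svc-spapp",
     "ParentImage": W3WP, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\abc.cmdline"},
    # Unrelated service activity.
    {"Computer": "SP-WFE01", "UtcTime": "2025-07-19 02:10:30", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    # Web shell running a command.
    {"Computer": "SP-WFE01", "UtcTime": "2025-07-19 02:11:02", "User": r"CONTOSO\svc-spapp",
     "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all"},
    # Encoded PowerShell launched from the worker process.
    {"Computer": "SP-WFE01", "UtcTime": "2025-07-19 02:11:40", "User": r"CONTOSO\svc-spapp",
     "ParentImage": W3WP, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # LSASS dump through comsvcs.dll, as described under post-exploitation.
    {"Computer": "SP-WFE01", "UtcTime": "2025-07-19 02:12:15", "User": r"CONTOSO\svc-spapp",
     "ParentImage": W3WP, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4812 C:\Windows\Temp\l.dmp full"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.utc_time} {f.user} w3wp.exe -> {f.child}: {f.command_line}")
```

Run against the constructed stream, the csc.exe and services.exe events are ignored and the three w3wp.exe children are reported, with the encoded PowerShell and the comsvcs.dll dump raised to high severity. The same parent/child logic ports directly to a SIEM query over 4688 or Sysmon data; the part worth keeping is the explicit baseline of expected w3wp.exe children.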

Impact & Implications

Any organization running on-premises Microsoft SharePoint that is reachable from the internet faces elevated risk, and because the chain needs no credentials, exposure alone is sufficient for initial compromise. Hybrid identity, legacy service accounts, and weak MFA coverage do not change whether a server can be compromised; they determine how far the attacker gets afterwards. The downstream effects are severe: SharePoint often contains sensitive documents, knowledge bases, and credentials baked into automation. Once the SharePoint application pool identity is compromised, lateral movement to domain resources, file servers, and backup infrastructure is common, and stolen machine keys give the attacker a way back onto every front end in the farm that outlives the patch. From a strategic perspective, the incidents highlight two recurring patterns: a flaw that is only reachable after authentication becomes an unauthenticated one the moment it is paired with an authentication bypass, so the severity of each CVE on its own understates the chain; and attackers exploit the complexity of collaboration platforms to persist in plain sight under normal administrative processes.

Defensive Recommendations

1) Patch and Validate Configuration:
- Apply Microsoft's latest cumulative updates for SharePoint Subscription Edition, 2019 and 2016 immediately. The July 2025 security update fixed CVE-2025-49704 and CVE-2025-49706, but that alone is not enough: Microsoft issued CVE-2025-53770 and CVE-2025-53771 for bypasses of those fixes and shipped out-of-band updates for them, so verify the farm is at a build that includes the later updates, not just the first pair.
- After patching, rotate the farm's ASP.NET machine keys (through Central Administration or the Update-SPMachineKey cmdlet) and restart IIS on every server in the farm. Stolen keys survive patching and let an attacker sign __VIEWSTATE payloads for renewed code execution; rotation invalidates that access. Confirm that SharePoint's AMSI integration is enabled (it is on by default from the September 2023 security update onward) and that an AMSI-capable antimalware engine such as Microsoft Defender Antivirus is running on all SharePoint servers.
- Review SharePoint farm topology, verify the least privilege for the application pool identity, and rotate credentials for service accounts involved in SharePoint and IIS.

2) Reduce Exposure and Harden Auth:
- Limit external exposure of SharePoint; if a server must stay internet-facing, keep it behind an authenticating reverse proxy or Zero Trust access broker, and place Central Administration and other management endpoints behind VPN. Enforce MFA for all interactive SharePoint sign-ins, with one caveat: MFA does not block this chain, which never presents credentials. Its value here is in limiting what stolen user credentials can do afterwards. Give service accounts long random passwords and no interactive logon rights rather than relying on passwords that humans type.
- Implement conditional access policies and IP allowlists for administrative roles.

3) Detect and Respond:
- Hunt for anomalous .aspx files or web parts under the SharePoint layouts directory, the web application content directories, and IIS virtual directories, comparing against a file inventory from a clean install of the same build. Validate the integrity of web.config files and look for recent, unexpected changes.
- Telemetry to watch: w3wp.exe spawning cmd.exe, powershell.exe, regsvr32.exe, rundll32.exe; new scheduled tasks or services owned by the SharePoint app pool identity; outbound connections from SharePoint servers to unfamiliar domains. Note that w3wp.exe spawning csc.exe is normal ASP.NET page compilation on SharePoint, so baseline it rather than alert on it outright.
- Query logs for unusual uploads to SharePoint libraries shortly before execution events. Correlate with IIS logs for rare user agents, large POSTs to application pages from clients with no authenticated cs-username, and bursts of 404/500 responses from one client followed by 200s during probing.
- If compromise is suspected: isolate the server, acquire forensic images, rotate the farm's ASP.NET machine keys and restart IIS on every server (the keys are shared farm-wide, so treat all front ends as exposed), reset and rotate credentials (including KRBTGT if domain compromise is indicated), and rebuild from known-good media.
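As an added example, not from the original post and not a vendor or CISA tool, the following Python parses IIS W3C log lines from a SharePoint web front end and applies the IIS-log checks just listed: successful requests for .aspx pages under /_layouts/ that are not in a baseline, large POSTs from clients with no authenticated user, a burst of error responses followed by a success, and rare user agents. The log lines, the baseline page list, the client addresses and the thresholds are all constructed for this example; a real baseline comes from a file inventory of a clean install of the same build, and cs-bytes must be enabled in IIS logging for the large-POST check to have data.

```python
"""Triage IIS W3C logs from a SharePoint web front end for probing patterns.

The sample log is constructed for this example (not from any real incident).
IIS logs in UTC by default and writes '+' in place of spaces inside the user
agent, so every record splits cleanly on single spaces.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed subset of the .aspx pages that ship under /_layouts/15/. A real
# baseline is a file inventory taken from a clean install of the same build.
BASELINE_LAYOUTS_PAGES = {"start.aspx", "viewlsts.aspx", "settings.aspx", "upload.aspx", "user.aspx"}
LARGE_POST_BYTES = 16 * 1024            # unauthenticated POST bodies above this are suspicious
PROBE_STATUSES = {401, 403, 404, 500}   # responses that characterise a probing burst
PROBE_MIN_ERRORS = 3
PROBE_WINDOW = timedelta(seconds=60)
RARE_UA_MAX_REQUESTS = 10               # few requests, single client => "rare" user agent

Finding = Tuple[str, str, str, str]     # (rule, client ip, time, detail)


def parse_w3c(text: str) -> List[Dict]:
    """Parse W3C extended log text using its own #Fields header."""
    fields: List[str] = []
    rows: List[Dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) != len(fields):
                continue                # malformed line: skip rather than abort the hunt
            row = dict(zip(fields, values))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            row["sc-status"] = int(row["sc-status"])
            row["cs-bytes"] = int(row["cs-bytes"]) if row.get("cs-bytes", "-") != "-" else 0
            rows.append(row)
    return rows


def triage(rows: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    ua_count: Counter = Counter()
    ua_clients = defaultdict(set)
    by_client = defaultdict(list)
    for r in rows:
        ua, ip, stem = r["cs(User-Agent)"], r["c-ip"], r["cs-uri-stem"].lower()
        ua_count[ua] += 1
        ua_clients[ua].add(ip)
        by_client[ip].append(r)
        in_layouts = stem.startswith("/_layouts/")
        # 1. A successful request for an application page that is not in the baseline.
        if in_layouts and stem.endswith(".aspx") and r["sc-status"] == 200 \
                and stem.rsplit("/", 1)[-1] not in BASELINE_LAYOUTS_PAGES:
            findings.append(("unexpected_aspx", ip, r["time"], stem))
        # 2. A large POST to an application page with no authenticated user.
        if r["cs-method"] == "POST" and r["cs-username"] == "-" and in_layouts \
                and r["cs-bytes"] >= LARGE_POST_BYTES:
            findings.append(("large_unauth_post", ip, r["time"], f"{stem} {r['cs-bytes']} bytes"))
    # 3. A burst of error responses from one client followed by a 200.
    for ip, reqs in by_client.items():
        recent_errors: List[datetime] = []
        for r in sorted(reqs, key=lambda x: x["ts"]):
            if r["sc-status"] in PROBE_STATUSES:
                recent_errors.append(r["ts"])
            elif r["sc-status"] == 200:
                recent_errors = [t for t in recent_errors if r["ts"] - t <= PROBE_WINDOW]
                if len(recent_errors) >= PROBE_MIN_ERRORS:
                    findings.append(("probe_then_success", ip, r["time"], r["cs-uri-stem"]))
                    recent_errors = []
    # 4. User agents seen only a handful of times and only ever from one client.
    for ua, n in ua_count.items():
        if n <= RARE_UA_MAX_REQUESTS and len(ua_clients[ua]) == 1:
            findings.append(("rare_user_agent", next(iter(ua_clients[ua])), "-", ua))
    return findings


# Constructed sample: normal browsing from two internal users, then one external
# client that probes, posts a large unauthenticated body, and fetches a new page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status cs-bytes
2025-07-19 02:00:01 GET /sites/hr/SitePages/Home.aspx - CONTOSO\\alice 10.0.5.23 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 200 512
2025-07-19 02:00:07 GET /_layouts/15/start.aspx - CONTOSO\\bob 10.0.5.40 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 200 480
2025-07-19 02:00:09 GET /_layouts/15/viewlsts.aspx - CONTOSO\\bob 10.0.5.40 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 200 470
2025-07-19 02:10:00 GET /_layouts/15/probe1.aspx - - 203.0.113.7 python-requests/2.32 404 290
2025-07-19 02:10:01 GET /_layouts/15/probe2.aspx - - 203.0.113.7 python-requests/2.32 404 290
2025-07-19 02:10:02 GET /_layouts/15/probe3.aspx - - 203.0.113.7 python-requests/2.32 500 310
2025-07-19 02:10:05 POST /_layouts/15/upload.aspx - - 203.0.113.7 python-requests/2.32 200 48211
2025-07-19 02:10:09 GET /_layouts/15/svc0.aspx - - 203.0.113.7 python-requests/2.32 200 330
2025-07-19 02:15:00 GET /sites/hr/SitePages/Home.aspx - CONTOSO\\alice 10.0.5.23 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 200 512
"""

if __name__ == "__main__":
    for rule, ip, when, detail in triage(parse_w3c(SAMPLE_LOG)):
        print(f"{rule:20} {ip:15} {when:8} {detail}")
```

On the constructed log the two internal users produce nothing, while the external client trips all four rules: three error responses followed by a 200 within a minute, a 48 KB POST with no cs-username, a successful request for svc0.aspx that is not in the baseline, and a user agent seen only from that one address. Tune the thresholds to your own traffic before deploying; the rare-user-agent rule in particular needs a larger history than a handful of lines, and the baseline set must be regenerated after every SharePoint update.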

4) Prevent Lateral Movement and Impact:
- Apply credential hygiene: disable interactive logon for service accounts, enable Protected Users and Authentication Policies, and enforce LSASS protection (RunAsPPL or Credential Guard) where supported.
- Segment SharePoint from Tier 0 assets; restrict outbound egress from SharePoint servers to only required destinations.
- Ensure immutable/offline backups and test restoration workflows. Monitor for mass file operations indicative of ransomware staging.

5) Governance and Monitoring Enhancements:
- Establish continuous configuration assessment for SharePoint farms. Instrument EDR with rules specifically targeting web shell behaviors under IIS and SharePoint paths.
- Subscribe to CISA KEV updates and vendor guidance for SharePoint; track exploit maturity and adapt controls accordingly.

Conclusion

The updated CISA alert underscores a broader industry shift: attackers are chaining an authentication bypass with a post-authentication code-injection flaw to get reliable, credential-free server-side execution in collaboration platforms. For security teams, the response must combine prompt patching (including the follow-on fixes, not just the first pair), machine key rotation, hardened authentication, and precise monitoring of IIS and SharePoint runtime behaviors. Treat exposed SharePoint servers as high-value assets, constrain their privileges, and assume determined adversaries will test for gaps after every advisory. If you operate on-prem SharePoint, patch now, rotate keys, audit for web shells, rotate credentials, and tighten perimeter and identity controls before the next wave of exploitation.