UgCERT is aware of an active exploitation of a newly identified remote code execution (RCE) vulnerability CVE-2025-53770 targeting on-premise Microsoft SharePoint servers. This vulnerability is a variant of the previously reported CVE-2025-49706 and is currently being exploited in the wild under the campaign name “ToolShell.”
The exploit allows unauthenticated attackers to gain full access to SharePoint servers, including file systems and internal configurations, with the ability to execute malicious code remotely. The full scope and impact are still being assessed, but the potential risk to organizations is significant.
Recommended Mitigation Steps
To reduce the risk posed by this RCE vulnerability, organizations are advised to take the following actions:
- Enable AMSI in SharePoint and ensure Microsoft Defender Antivirus is deployed on all SharePoint servers.
- If AMSI cannot be enabled, temporarily disconnect affected, internet-facing servers until official mitigations are made available. Apply all mitigations promptly once released, following Microsoft guidance.
- Comply with BOD 22-01 requirements for cloud services or consider discontinuing use of the product if no mitigation is available.
- Review Microsoft’s guidance related to SharePoint vulnerabilities, including advisories published on July 8, 2025, and particularly those for CVE-2025-49706.
- Monitor for suspicious activity such as POST requests to: /layouts/15/ToolPane.aspx?DisplayMode=Edit
- Scan for known malicious IP addresses associated with this activity: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, especially traffic observed between July 18 and 19, 2025.
- Update IPS and WAF rules to detect and block exploit patterns and anomalous behavior. Refer to CISA’s guidance on SIEM and SOAR implementation.
- Implement detailed logging for threat detection. CISA’s best practices for event logging provide a solid framework for identifying potential exploitation.
- Regularly audit and restrict layout and admin privileges across SharePoint deployments.
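The two log-based indicators above (POST requests to ToolPane.aspx with DisplayMode=Edit, and traffic from the three listed IP addresses) can be checked directly against IIS web server logs. The script below is an added example and is not part of the UgCERT advisory or any Microsoft tooling. It assumes IIS W3C extended logging with the default field set (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, ..., c-ip, ...); the log lines embedded in it are constructed for illustration, and only the three IP addresses and the ToolPane.aspx path come from the advisory. SharePoint serves the page from /_layouts/15/, so the pattern accepts both that spelling and the underscore-less one used above.

```python
"""Flag the ToolShell indicators named in the advisory in IIS W3C logs.

Added example, not part of the UgCERT advisory. It assumes IIS W3C
extended logging with the default field set. The sample log lines at
the bottom are constructed; only the three IP addresses and the
ToolPane.aspx indicator come from the advisory.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Indicator IPs from the advisory, undefanged so they match log values.
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# SharePoint serves ToolPane.aspx from /_layouts/15/; the optional
# underscore also accepts the spelling used in the advisory text.
TOOLPANE_RE = re.compile(r"/_?layouts/15/toolpane\.aspx$", re.IGNORECASE)
DISPLAYMODE_RE = re.compile(r"(^|&)displaymode=edit($|&)", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reasons: List[str] = field(default_factory=list)


def parse_w3c(lines) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each data line, keyed by #Fields names."""
    fields = None
    for line_no, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data precedes the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip, do not crash
        yield line_no, dict(zip(fields, values))


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return the advisory indicators that a single log record matches."""
    reasons = []
    if (rec.get("cs-method", "").upper() == "POST"
            and TOOLPANE_RE.search(rec.get("cs-uri-stem", ""))
            and DISPLAYMODE_RE.search(rec.get("cs-uri-query", ""))):
        reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
    ip = rec.get("c-ip", "")
    if ip in KNOWN_BAD_IPS:
        reasons.append(f"source IP {ip} is on the advisory's list")
    return reasons


def scan(lines) -> List[Hit]:
    """Scan log lines and return one Hit per line that matches any indicator."""
    hits = []
    for line_no, rec in parse_w3c(lines):
        reasons = check_record(rec)
        if reasons:
            hits.append(Hit(line_no, rec.get("c-ip", "-"), reasons))
    return hits


# Constructed sample log (not real traffic); field order is the IIS default.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:10:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 312
2025-07-18 22:11:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 45
2025-07-19 01:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 python-requests/2.32 - 200 0 0 280
2025-07-19 03:30:00 10.0.0.5 GET /sites/hr/default.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 200 0 0 60
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no} from {hit.client_ip}: " + "; ".join(hit.reasons))
```

Run it against a real log directory by passing the file's lines to scan(); a line can match both indicators at once, which is why each Hit carries a list of reasons rather than a single flag. Matches on the ToolPane.aspx indicator from an address not on the list still deserve review, since the IP list covers only the activity observed so far.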
Organizations using on-premise SharePoint platforms are urged to act swiftly in applying the above recommendations to minimize exposure and strengthen defenses.