
Critical SharePoint Vulnerabilities Under Active Exploitation

On-premises Microsoft SharePoint servers are currently facing high-impact, ongoing threat activity due to a set of critical vulnerabilities, notably CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. These vulnerabilities, including deserialization of untrusted data and improper control of code generation, can be chained together by unauthenticated threat actors to access restricted functionality and execute arbitrary commands on vulnerable instances. This exploit chain, publicly known as the "ToolShell" campaign, allows attackers to bypass identity controls such as multi-factor authentication (MFA) and single sign-on (SSO).

Attack methodology and persistent access

Once privileged access is gained, threat actors have been observed exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The theft of these keys is particularly concerning because it enables attackers to forge malicious ViewState[1] payloads for continued remote code execution and persistence, even after patches are applied. This mechanism allows persistent access even if the initial webshell or access path is removed or blocked, because attackers can re-enter the environment using validly signed payloads that the server cannot distinguish from legitimate ones.

Widespread impact and timeline

The deep integration of SharePoint with other Microsoft services, such as Office, Teams, OneDrive, and Outlook, means that a compromise of SharePoint can provide access to the entire network. This situation is evolving rapidly, with widespread active exploitation observed as early as July 17, 2025, affecting various sectors, including government, education, healthcare, and large enterprise organizations. This led to CVE-2025-53770 being added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025.

Patching and remediation requirements

While security updates for CVE-2025-53770 and CVE-2025-53771 have been released and should be applied immediately to all supported versions of on-premises SharePoint, applying patches alone is insufficient to fully evict the threat and prevent attackers from maintaining access. Due to the nature of the compromise, rotating cryptographic material and engaging professional incident response services are critical additional steps for complete remediation.

| Vulnerability ID | Summary | CVSS v3.1 | Severity |
|---|---|---|---|
| CVE-2025-49704 | Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8 | HIGH |
| CVE-2025-49706 | Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 7.1 | HIGH |
| CVE-2025-53770 | Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. | 9.8 | CRITICAL |
| CVE-2025-53771 | Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 7.1 | HIGH |

Trellix product protection recommendations

In addition to installing relevant patches, Trellix solutions can protect against attempted exploitation and keep you updated with the latest threat intelligence. We recommend the following immediate actions.

  • Trellix Endpoint Security. If you’re using Trellix Endpoint Security today to protect your SharePoint servers, you can enable Exploit Prevention Rule 6195 in logging mode to monitor for suspicious activity. It is recommended to observe telemetry and create exceptions before enabling any rule in blocking mode. This rule logs or blocks attempts by Internet Information Services (IIS) worker processes to run unauthorized programs. Additionally, ensure that Antimalware Scan Interface (AMSI) scanning and ATP Rules are enabled to detect unknown file execution, which may indicate exploitation or post-exploitation activity.
  • Trellix Network Detection and Response. If you are using Trellix IPS today to protect your servers, Trellix has released the signature "UDS-HTTP: Microsoft SharePoint Remote Code Execution (CVE-2025-53770)" in blocking mode by default to prevent remote exploitation attempts. It’s available on the Thrive Portal.
  • Trellix EDR with Forensics (EDRF). Specific detection content is under development; however, proactive detection and telemetry are available for post-exploitation techniques. For example, PowerShell, network, process, account, and file manipulation telemetry is proactively traced in EDRF.
  • Trellix Insights. If you are using Insights today, the portal is up to date with operational intelligence such as exploitation campaigns, attack prevalence, and indicators of compromise. You can connect Insights to Trellix EDR to search for related indicators and export intelligence to third-party systems for additional monitoring. If you are not using Trellix Insights, you can access some data here.
  • Trellix Security for SharePoint and IVX Server. Additional signature-based and signature-less malware detection solutions are available to scan for malicious content within SharePoint and other collaboration systems. Malicious content could be uploaded post-exploitation for persistence or for detonation at a later time.
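To illustrate the logging-versus-blocking approach behind the Exploit Prevention Rule 6195 recommendation, here is an added Python example (not Trellix's code); the allowlist, the constructed process-creation events, and the ancestry walk that catches grandchildren of the IIS worker process are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the newly created process
    command_line: str

# Children the IIS worker process launches legitimately (e.g. the ASP.NET compiler).
# Constructed allowlist: build yours from telemetry collected in logging mode first.
ALLOWED_CHILDREN = {"csc.exe", "vbc.exe", "conhost.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def descends_from_w3wp(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> bool:
    """Walk the parent chain so cmd.exe -> powershell.exe under w3wp.exe is caught too."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        if basename(cur.image) == "w3wp.exe":
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False

def evaluate(events: List[ProcessEvent], mode: str = "log") -> List[Dict]:
    """Return one finding per non-allowlisted process descending from w3wp.exe."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = basename(e.image)
        if child in ALLOWED_CHILDREN or not descends_from_w3wp(e, by_pid):
            continue
        findings.append({"pid": e.pid, "image": child,
                         "action": "block" if mode == "block" else "log"})
    return findings

# Constructed sample telemetry: one benign compiler launch and one shell chain.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap SharePoint"),
    ProcessEvent(101, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    ProcessEvent(102, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(103, 102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Run it in logging mode first, review every finding, and only then add exceptions and switch to blocking mode.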

Trellix Professional Services support

Trellix Professional Services can assist clients with implementing and reviewing Trellix product configurations, as well as conducting security posture assessments. Our Health Watch services provide comprehensive optimization analysis of Trellix technologies within your environment. Additionally, Trellix Guardians delivers technology-agnostic information security services, including digital forensics and incident response, threat intelligence, and threat hunting capabilities.

References

[1] ViewState is a critical ASP.NET security mechanism used by SharePoint applications to maintain state across requests and authenticate users while protecting sensitive session data. It functions by loading and executing objects on SharePoint pages using a ValidationKey stored in the server's configuration, which is part of the machineKey and is used to sign and encrypt ViewState data. By stealing these cryptographic keys, attackers can decrypt legitimate ViewState data, potentially revealing sensitive application details or user information. More critically, they can craft arbitrary code within malicious ViewState payloads, which the SharePoint server will then trust and execute because the forged signature is valid. This effectively grants them full remote code execution (RCE) without requiring additional credentials.
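To make concrete why this footnote and the remediation section above insist on rotating keys rather than only patching, here is an added Python model of ViewState MAC trust (not the page's or Microsoft's code); it models only the trust logic with HMAC-SHA256, not ASP.NET's real ViewState encoding, and the keys and state are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = 32  # HMAC-SHA256 digest length

def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Append an HMAC over the state, as the machineKey validationKey does for ViewState."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()

def verify_viewstate(blob: str, validation_key: bytes) -> Optional[bytes]:
    """Return the state only if its MAC validates under the current key, else None."""
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None

def rotate_validation_key() -> bytes:
    """Generate a fresh key; rotation is what actually invalidates forged payloads."""
    return secrets.token_bytes(64)

def remediation_scenario() -> Dict[str, bool]:
    """Compare what a patch alone and a key rotation each do to a payload signed with a stolen key."""
    original_key = secrets.token_bytes(64)
    stolen_key = original_key  # the key exfiltrated during the compromise
    # A payload signed with the stolen key is indistinguishable from a legitimate one.
    forged = sign_viewstate(b"constructed attacker-controlled state", stolen_key)
    # The security update fixes the vulnerable code path but leaves the key untouched.
    key_after_patch_only = original_key
    rotated_key = rotate_validation_key()
    return {
        "forged_accepted_before_patch": verify_viewstate(forged, original_key) is not None,
        "forged_accepted_after_patch_only": verify_viewstate(forged, key_after_patch_only) is not None,
        "forged_accepted_after_key_rotation": verify_viewstate(forged, rotated_key) is not None,
    }

if __name__ == "__main__":
    print(remediation_scenario())
```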
