# CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain

This playbook is part of the Cortex Response And Remediation Pack.

## Supported versions

Supported Cortex XSOAR versions: 8.9.0 and later.

## CVE-2025-49706, CVE-2025-49704, CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint Identity Spoofing & RCE Chain - ToolShell
CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 are a set of vulnerabilities that affect Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771, may be chained together, allowing unauthenticated threat actors to reach normally restricted functionality and run arbitrary commands on vulnerable instances of Microsoft SharePoint.
## Vulnerability Overview

Platform Affected: Microsoft SharePoint Server 2016 / 2019 / Subscription Edition

CVE IDs:
- CVE-2025-49706 - Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
- CVE-2025-49704 - Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-53770 - Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
- CVE-2025-53771 - Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

CVSS Scores: 7.1, 8.8, 9.8, 7.1

Impact: When chained together, they allow an attacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint.

These flaws enable an attacker to:
- Spoof authentication
- Bypass security boundaries
- Gain remote code execution
## Mitigation & Recommendations

- Apply patches immediately
- Harden SharePoint diagnostic/debug endpoints
- Rotate SharePoint Server ASP.NET machine keys
- Check IIS logs for suspicious activity
- Disable/isolate unnecessary SharePoint services or endpoints (at least until those servers are patched)
## References

- CVE-2025-49706 - NVD
- CVE-2025-49704 - NVD
- CVE-2025-53770 - NVD
- CVE-2025-53771 - NVD
- Microsoft Security Update - July 2025
- Unit42 Blog
## How to trigger the playbook

Triggered via:
- Cortex XDR alerts:
  - "CVE Exploitation - 685768089"
  - "CVE Exploitation - 818854253"
  - "CVE Exploitation - 903162508"
- Manual creation of an incident with this playbook.
## Playbook Flow

- Run XQL queries to detect possibly affected servers running Microsoft SharePoint.
- Search for downloaded or created web shell files using XQL (especially the known file name artifacts).
- Run XQL on network events and XDR .NET events to determine whether any of the CVEs were used in the organization.
- Check the possibly affected hosts for post-exploitation activity (such as running PowerShell encoded commands on the hosts) via additional alerts on the same host.
- Retrieve IOCs from the Unit42 blog, hunt for those IOCs with XQL, and block malicious indicators.
- Instruct the analyst on relevant response actions and mitigation steps.
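The post-exploitation check in the flow above looks for encoded PowerShell commands on the affected hosts. The following is an added Python example, not code from the playbook or the pack, that decodes the base64/UTF-16LE payload of `-EncodedCommand` from constructed process-start events and marks launches whose parent is the IIS worker process `w3wp.exe` (the assumption being that SharePoint page code runs inside IIS worker processes, so a shell spawned from it points at a web shell). Hostnames, paths, event fields and the sample commands are all constructed.

```python
import base64
import ntpath

# Constructed process-start events (hypothetical; not from the page or any real host);
# "parent" and "cmdline" mimic the fields an EDR records for a process-creation event.
def _b64_utf16(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "sp-web-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _b64_utf16("whoami /all")},
    {"host": "sp-web-01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"host": "sp-app-02", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "powershell -ec " + _b64_utf16("Get-Process")},
]

POWERSHELL_IMAGES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
IIS_WORKER = "w3wp.exe"  # assumption: SharePoint page code runs inside IIS worker processes

def _is_encoded_switch(token: str) -> bool:
    # powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus the alias -ec.
    stem = token.lstrip("-/").lower()
    return token[:1] in ("-", "/") and bool(stem) and (stem == "ec" or "encodedcommand".startswith(stem))

def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE text), or None."""
    tokens = cmdline.split()
    if not tokens or ntpath.basename(tokens[0]).lower() not in POWERSHELL_IMAGES:
        return None
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but payload is not valid base64/UTF-16LE
    return None

def find_encoded_powershell(events):
    """Flag encoded PowerShell launches and mark those spawned by the IIS worker."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        parent = ntpath.basename(ev["parent"]).lower()
        findings.append({"host": ev["host"], "parent": parent,
                         "from_iis_worker": parent == IIS_WORKER, "decoded": decoded})
    return findings
```

Run `find_encoded_powershell(SAMPLE_EVENTS)` to see two findings, of which only the first has `from_iis_worker` set; in practice the events would come from the XDR process alerts the playbook already searches.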
Note: This is a beta playbook. Updates to the pack during the beta phase might include non-backward-compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

- Containment Plan - Block Indicators
- Panorama Query Logs for Related Session

### Integrations

This playbook does not use any integrations.

### Scripts

- IsIntegrationAvailable
- ParseHTMLIndicators
- SearchAlertsV2
- SetAndHandleEmpty

### Commands

- associateIndicatorsToAlert
- closeInvestigation
- createNewIndicator
- extractIndicators
- setAlert
- xdr-xql-generic-query
- xdr-xql-get-quota

## Playbook Inputs

There are no inputs for this playbook.

## Playbook Outputs

There are no outputs for this playbook.