On July 22, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Microsoft SharePoint Flaws, CVE-2025-49704 and CVE-2025-49706, to its known available vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Therefore, a Federal Civil Enforcement Division (FCEB) agency is required to fix the vulnerabilities identified by July 23, 2025.
“CISA recognizes the aggressive exploitation of spoofing and RCE vulnerability chains, including CVE-2025-49706 and CVE-2025-49704, allowing unauthorized access to on-premises SharePoint servers.”
The inclusion of two drawbacks to the KEV catalog, the spoofing vulnerabilities and the remote code execution vulnerabilities, came after Microsoft revealed that Chinese hacking groups such as Linen Typhoon and Violet Typhoon had exploited these flaws to violate SharePoint Servers since July 7, 2025.
At the time of writing, Tech Giant’s own advisory lists only CVE-2025-53770 as being misused in the wild. Furthermore, it explains the four defects as follows:
CVE-2025-49704 – SharePoint Remote Code Execution CVE-2025-49706 – SharePoint Post-Auth Remote Code Execution CVE-2025-53770 – SharePoint Tool Shell Authentication Bypass and Remote Code Execution CVE-2025-53771
The fact that CVE-2025-53770 is both an authentication bypass and a remote code execution bug indicates that CVE-2025-53771 is not required to build an Exploit chain. CVE-2025-53770 and CVE-2025-53771 are rated as patch bypasses for CVE-2025-49704 and CVE-2025-49706, respectively.
“The root cause [of CVE-2025-53770] Akamai Security Intelligence Group said:
When we reached comments on the exploitation status of CVE-2025-53771 and other flaws, a Microsoft spokesperson told Hacker News that the information published in the recommendation was correct “at the time of its original publication” and that post-release releases would not be updated.
“Microsoft is also supporting CISA with a known exploited vulnerability catalog.
As Watchtowr Labs told the publication, the development internally devised a method to utilize CVE-2025-53770, and bypassed the mitigation step, Antimalware Scan Interface (AMSI) to alleviate the mitigation step that Microsoft said was called.
“This allowed us to continue identifying vulnerable systems even after mitigation like AMSI was applied,” said Watchtowr CEO Benjamin Harris. “AMSI was never a silver bullet, and this outcome was inevitable. However, I’ve heard that some organizations have chosen to “enable AMSI” instead of patching it. This is a very bad idea. ”
“It’s naive to think that, now, exploitation is linked to national state actors, but somehow you can’t bypass AMSI. Not to mention the organization, I believe that all POCs will cause AMSI and organizations will be misleading.
Source link
