In July 2025, critical vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 affecting on-premises Microsoft SharePoint servers were actively exploited by China-based threat actors including Linen Typhoon, Violet Typhoon, and Storm-2603. AttackIQ released an assessment template to help organizations validate and improve their defenses against these evolving ToolShell vulnerability exploits. #ToolShell #LinenTyphoon #VioletTyphoon #Storm2603 #MicrosoftSharePoint
Key Points
- CVE-2025-49704 and CVE-2025-49706 were initially disclosed by Viettel Cyber Security and addressed in Microsoft’s July 2025 Patch Tuesday release.
- The “ToolShell” attack chain enables unauthenticated access and arbitrary command execution against vulnerable SharePoint servers.
- Large-scale exploitation was confirmed from mid-July 2025, with new bypass variants CVE-2025-53770 and CVE-2025-53771 discovered shortly after initial patching.
- CISA issued alerts highlighting active exploitation and adversaries deploying webshells including .aspx, .exe, and .dll payloads.
- Threat actors Linen Typhoon, Violet Typhoon, and Storm-2603 exploited these vulnerabilities, with Storm-2603 deploying Warlock ransomware.
- AttackIQ created an emulation and assessment template compiling Tactics, Techniques, and Procedures (TTPs) to help validate security defenses against these vulnerabilities.
- Recommended mitigation includes patching, monitoring for ingress tool transfers, and prioritizing detection of key ATT&CK techniques linked to these exploits.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell – Attackers execute base64 encoded PowerShell commands using the -encodedCommand parameter. (“This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell’s -encodedCommand parameter.”)
- [T1053.005] Scheduled Task/Job – Persistence is achieved by creating scheduled tasks using the schtasks utility. (“This scenario acquires persistence through the creation of a new scheduled task using the schtasks utility.”)
- [T1003] OS Credential Dumping – Attackers use an obfuscated version of Mimikatz to dump credentials on the compromised system. (“This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes available on the compromised environment.”)
- [T1033] System Owner/User Discovery – The whoami command is executed to identify the user account running on the system. (“This scenario executes the whoami command to retrieve the username of the running user account.”)
- [T1047] Windows Management Instrumentation – Lateral movement is emulated via the WMI protocol using the Impacket utility for WMIEXEC. (“This scenario emulates the use of the Impacket utility to execute the WMIEXEC class, facilitating lateral movement via the WMI protocol.”)
- [T1105] Ingress Tool Transfer – Downloading malicious payloads to memory and disk to test detection and prevention capabilities. (“This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.”)
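The six scenarios above are the post-exploitation behaviours a defender would want to catch on a SharePoint host, and most of them surface in Windows process-creation telemetry (Security event 4688 or Sysmon event 1). The following is an added example, not AttackIQ's assessment template or any code from the original post: it takes process-creation events with assumed field names (`image`, `parent_image`, `command_line`), decodes the base64 argument of PowerShell's `-EncodedCommand` so the encoded script is inspected as well, and maps what it finds to the technique IDs listed above. The sample events are constructed, not real telemetry, and the rule that flags the IIS worker process `w3wp.exe` spawning a shell is an added heuristic based on the page's mention of `.aspx` webshells, not something the page states; T1505.003 (Web Shell) is likewise not on the page.

```python
"""Triage Windows process-creation events for the ToolShell post-exploitation
TTPs (encoded PowerShell, schtasks persistence, whoami discovery, shells spawned
by the IIS worker).  Added example; every sample event below is constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    image: str          # full path of the new process (assumed field name)
    parent_image: str   # full path of the parent process (assumed field name)
    command_line: str


@dataclass
class Finding:
    technique: str
    reason: str
    decoded: str = ""   # plaintext of an -EncodedCommand script, if any


# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers the
# common spellings (-e, -ec, -enc, -encodedcommand) followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*?/create\b")
WHOAMI = re.compile(r"(?i)\bwhoami(?:\.exe)?\b")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption (not stated on the page): SharePoint webshells execute inside the IIS
# worker process, so w3wp.exe spawning a shell deserves a finding of its own.
IIS_WORKER = "w3wp.exe"


def encode_ps(script: str) -> str:
    """Build what -EncodedCommand expects: base64 of the UTF-16LE script.
    Used here only to construct sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not valid base64 / not UTF-16LE
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> List[Finding]:
    """Map one process-creation event to the ATT&CK techniques it exhibits."""
    findings: List[Finding] = []
    image, parent = basename(event.image), basename(event.parent_image)
    views = [event.command_line]            # text the child-TTP rules inspect
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(event.command_line)
        if decoded is not None:
            findings.append(Finding("T1059.001", "PowerShell -EncodedCommand", decoded))
            views.append(decoded)           # rules below also see the decoded script
    if parent == IIS_WORKER and image in SHELLS:
        findings.append(Finding("T1505.003", f"{parent} spawned {image} (possible webshell)"))
    for text in views:
        if SCHTASKS_CREATE.search(text):
            findings.append(Finding("T1053.005", "schtasks /create persistence"))
        if WHOAMI.search(text):
            findings.append(Finding("T1033", "whoami user discovery"))
    seen, unique = set(), []                # one finding per technique, first-seen order
    for f in findings:
        if f.technique not in seen:
            seen.add(f.technique)
            unique.append(f)
    return unique


# Constructed sample telemetry (paths and task names are made up for the example).
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\inetsrv\w3wp.exe",
        command_line="powershell.exe -encodedCommand " + encode_ps(
            r"whoami; schtasks /create /tn Updater /tr C:\ProgramData\svc.exe /sc minute /mo 5"),
    ),
    ProcessEvent(   # benign: an admin running a signed-off maintenance script
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\whoami.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line="whoami /all",
    ),
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for f in analyze(ev):
            print(f"event {i}: {f.technique} - {f.reason}" + (f" | decoded: {f.decoded}" if f.decoded else ""))
```

Decoding the `-EncodedCommand` argument is the step that matters most: without it, the `schtasks` and `whoami` rules would only ever see a base64 blob, and the first sample event would produce a single low-context hit instead of the full chain. The parent-process rule is worth tuning per environment, since legitimate SharePoint timer jobs do not normally spawn `cmd.exe` or `powershell.exe` from `w3wp.exe`, but a site's own customizations might.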
Indicators of Compromise
- [CVE Identifiers] Vulnerabilities in Microsoft SharePoint – CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771
- [File Names/Types] Payload types used by attackers – .aspx webshells, .exe and .dll files deployed during exploitation
- [Malware] Ransomware associated with exploitation – Warlock ransomware deployed by Storm-2603
Read more: https://www.attackiq.com/2025/07/30/microsoft-sharepoint-vulnerabilities/