CISA issues Malware Analysis Report on SharePoint vulnerabilities
CISA has issued a Malware Analysis Report (MAR) detailing detection signatures and analysis of files linked to Microsoft SharePoint vulnerabilities.
Vulnerability Details
The report identifies several vulnerabilities: CVE-2025-49704, classified as CWE-94: Code Injection; CVE-2025-49706, described as CWE-287: Improper Authentication; CVE-2025-53770, relating to CWE-502: Deserialization of Untrusted Data; and CVE-2025-53771, also linked to CWE-287.
Malware Analysis and Exploit Chain
Cyber threat actors have used CVE-2025-49704 and CVE-2025-49706 in an exploit chain known as “ToolShell” to gain unauthorized access to SharePoint servers. CISA’s analysis covered six files: two dynamic link libraries (DLLs), one key stealer, and three web shells. The analysis indicates that threat actors could use this malware to extract cryptographic keys and execute commands to exfiltrate data.
Recommendations and Resources
CISA has listed CVE-2025-49704 and CVE-2025-49706 in its Known Exploited Vulnerabilities (KEV) Catalog as of July 22 and July 20, 2025, respectively. Organizations are advised to use the Indicators of Compromise (IOCs) and detection signatures provided in the MAR to identify potential malware intrusions.
For additional details and downloadable files associated with the malware, including detection rules in JSON and YAML formats, consult the report on CISA's website.
Conclusion
This Malware Analysis Report offers crucial information on recent vulnerabilities affecting Microsoft SharePoint. It serves as a valuable resource for IT security professionals in mitigating potential threats.