Essential Information on ToolShell: The SharePoint Vulnerability Facing Widespread Exploitation

In its July 2025 Patch Tuesday update Microsoft fixed two SharePoint Server flaws: CVE-2025-49706, an authentication bypass, and CVE-2025-49704, a remote code execution bug. Over the following weekend it became clear that the fixes could be bypassed. The bypasses are tracked as CVE-2025-53770 (code execution) and CVE-2025-53771 (the authentication bypass), and together the chain is known as ToolShell. On-premises servers that had applied the July update were still exploitable until the out-of-band patches shipped.

The targets are on-premises SharePoint Server installations; SharePoint Online in Microsoft 365 is not affected. The initial compromise writes a web shell into the server's LAYOUTS directory, giving the attacker code execution inside the SharePoint worker process. The first thing the shell is used for is to read the server's ASP.NET MachineKey (the ValidationKey and DecryptionKey). With those keys the attacker can sign their own __VIEWSTATE payloads and forge authentication tokens, so no password is needed and multifactor authentication and single sign-on are never consulted. That access is then used to exfiltrate data and to plant further backdoors, so the attacker can come back even after the original web shell is removed.

The attack begins with a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with the Referer header set to /_layouts/SignOut.aspx; the spoofed Referer is what triggers the authentication bypass, so the request arrives unauthenticated. The request body writes a malicious ASPX file, usually named spinstall0.aspx (variants with other names have been seen), into the TEMPLATE\LAYOUTS directory under the SharePoint installation root. The file is not an interactive shell: it reads the MachineKey section of the server configuration and returns the ValidationKey, DecryptionKey and the algorithms in use in the response to a follow-up GET request. The keys are not encrypted at rest, which is why a single GET is enough to steal them.

For organizations running on-premises SharePoint Server, immediate action is essential. The first step is to confirm that Microsoft's out-of-band updates for CVE-2025-53770 and CVE-2025-53771 are installed on every SharePoint server, and to install them now if not. Patching alone does not end the response, because a server that was already exploited has had its MachineKey stolen, and the stolen keys keep working after the patch. Microsoft's guidance is therefore to rotate the ASP.NET machine keys after patching (the Update-SPMachineKey PowerShell cmdlet, or the Central Administration option) and then restart IIS with iisreset.exe, and to make sure AMSI integration is enabled in SharePoint with an antivirus engine such as Microsoft Defender installed on the server.

Exploitation does leave traces, but they are easy to miss if nobody looks. The IIS logs record the POST to ToolPane.aspx with the SignOut.aspx Referer and the later GET to spinstall0.aspx; the LAYOUTS directory will contain the dropped .aspx file; and process telemetry will show w3wp.exe spawning cmd.exe and PowerShell with an encoded command that writes the file. Organizations should review those sources for the period since the July update, and compare what they find against the indicators published by Microsoft and other credible incident responders.
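The following Python script is an added example, not code from the original article or from any vendor, that ties the request pattern described above to a log hunt: it parses IIS W3C log lines, flags the unauthenticated POST to ToolPane.aspx with the SignOut.aspx Referer, and flags any access to a spinstall*.aspx file. The log lines are constructed for the example, and the spinstall<digit>.aspx pattern is an assumption about how the "other names" vary; the field list is the IIS default and the parser takes the actual column order from the log's own #Fields directive.

```python
"""Hunt IIS W3C logs for ToolShell indicators (added example, not vendor code)."""
import re
from dataclasses import dataclass

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
# The article names spinstall0.aspx "among others"; assuming the variants
# follow the same spinstall<digit>.aspx naming (an assumption, not a published list).
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    detail: str


def parse_w3c(text: str):
    """Yield (line_no, record) for each data line of an IIS W3C log.

    Column names are taken from the most recent '#Fields:' directive, so the
    parser follows whatever field order the server was configured with.
    """
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before #Fields directive")
        values = line.split()  # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def hunt(text: str) -> list:
    """Return a Finding for every log line that matches a ToolShell indicator."""
    findings = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "-")
        status = rec.get("sc-status", "-")

        # Rule 1: the exploit request. A legitimate ToolPane edit comes from a
        # signed-in user with a Referer inside the site; the exploit arrives
        # unauthenticated with the Referer pointing at the sign-out page.
        if (method == "POST" and stem.lower() == TOOLPANE_PATH
                and "displaymode=edit" in query.lower()
                and referer.lower().endswith(SIGNOUT_REFERER)):
            findings.append(Finding(line_no, "toolpane_exploit_request", ip,
                                    f"user={user} referer={referer} status={status}"))

        # Rule 2: any hit on a spinstall*.aspx file, i.e. the follow-up GET that
        # retrieves the MachineKey from the dropped file.
        if WEBSHELL_RE.search(stem):
            findings.append(Finding(line_no, "webshell_access", ip,
                                    f"method={method} path={stem} status={status}"))
    return findings


# Constructed sample log: one normal page view, the exploit POST, the
# MachineKey retrieval, and a legitimate authenticated ToolPane edit that
# must not fire rule 1.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:15:01 10.0.0.5 GET /sites/hr/default.aspx - 443 alice 10.0.0.77 Mozilla/5.0 https://sp.example.local/ 200 0 0 120
2025-07-19 10:15:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 340
2025-07-19 10:15:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2025-07-19 10:16:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.0.78 Mozilla/5.0 https://sp.example.local/_layouts/15/start.aspx 200 0 0 90
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip} ({f.detail})")
```

Run it against real logs by reading each u_ex*.log file from the IIS log directory into `hunt()`; a 200 on rule 2 means the keys should be treated as stolen and rotated, whatever the patch state of the server.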

In MITRE ATT&CK terms the chain maps cleanly. Initial access is Exploit Public-Facing Application (T1190), the ToolPane request. Persistence is Server Software Component: Web Shell (T1505.003), the dropped .aspx file. The MachineKey theft is Credential Access, Unsecured Credentials (T1552), and its use to mint signed ViewState and authentication tokens is Forge Web Credentials (T1606); that is what lets the attacker act as a privileged user without ever logging in.

Overall, organizations should treat every unpatched or late-patched on-premises SharePoint server as potentially compromised: patch, rotate the machine keys, and audit the logs and file system before assuming the server is clean. The damage is not limited to the data taken at the time; a stolen MachineKey or an extra backdoor leaves the attacker a way back in long after the original flaw is closed.
