Date: 07/21/2025
Severity: High
Summary
Active exploitation of Microsoft SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 has been observed. These flaws allow unauthenticated attackers to bypass restrictions and, when chained, can lead to arbitrary command execution on affected SharePoint Server 2016 and 2019 systems. Current attack activity includes:
- Deploying malicious ASPX payloads through PowerShell
- Extracting machine keys for persistent access
- Targeting organizations across the globe
The team urges immediate patching and adherence to Microsoft’s security guidance for these vulnerabilities. These are real-world, high-risk threats requiring urgent action.
Indicators of Compromise (IOC) List
IP Address: 96.9.125.147
Hash (SHA-256):
4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030
B39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70
fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
IP Address:
dstipaddress IN ("96.9.125.147") or srcipaddress IN ("96.9.125.147")
Hash:
sha256hash In ("4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030","B39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70","fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7")
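As an added example (not code from the Gurucul alert or the Unit 42 reference), the two TDIR queries above expressed as a small offline matcher over newline-delimited JSON events. The field names srcipaddress, dstipaddress and sha256hash are taken from the queries; the event format and the sample events are assumptions constructed here, and hashes are compared case-insensitively because the advisory's own hash list mixes upper- and lower-case hex.

```python
import json

# IOCs as listed in the advisory above; hashes normalized to lower-case for matching.
IOC_IPS = {"96.9.125.147"}
IOC_SHA256 = {h.lower() for h in (
    "4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030",
    "B39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70",
    "fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7",
)}


def match_event(event: dict) -> list[str]:
    """Return the IOC hits for one event, mirroring the two TDIR queries:
    an IP hit on srcipaddress or dstipaddress, and a SHA-256 hit on sha256hash
    (case-insensitive, so a tool that logs upper-case hex still matches)."""
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        ip = event.get(field)
        if ip in IOC_IPS:
            hits.append(f"ip:{field}={ip}")
    digest = event.get("sha256hash")
    if digest and digest.lower() in IOC_SHA256:
        hits.append(f"sha256:{digest.lower()}")
    return hits


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Scan JSON-per-line events and return (line_no, hits) for each match.
    Malformed lines are skipped so one bad record cannot abort the scan."""
    results = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample events (assumed format, not real telemetry).
SAMPLE_LOG = """
{"srcipaddress": "10.0.0.5", "dstipaddress": "96.9.125.147", "sha256hash": ""}
{"srcipaddress": "10.0.0.8", "dstipaddress": "10.0.0.9", "sha256hash": "b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70"}
{"srcipaddress": "10.0.0.8", "dstipaddress": "10.0.0.9", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}
not json
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(line_no, hits)
```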
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt