What to know about ToolShell, the SharePoint threat under mass exploitation
Briefly

Microsoft released patches for CVE-2025-49706 and CVE-2025-49704, but the fixes were incomplete and attackers found a way around them, leaving on-premises SharePoint Server open to exploitation. The attackers plant a webshell backdoor that gives them a foothold in SharePoint Server's sensitive areas, then use it to extract tokens and other credentials that grant administrative privileges even where controls such as multifactor authentication are in place. From there they exfiltrate data and install additional backdoors for ongoing access. Anyone maintaining an on-premises SharePoint Server should install the patches and then check thoroughly for signs of compromise, since infected systems show few, if any.
The attackers first infect vulnerable systems with a webshell-based backdoor that gains access to sensitive parts of a SharePoint Server.
The webshell extracts tokens and other credentials that allow the attackers to gain administrative privileges, even with multifactor authentication.
Once inside, the attackers exfiltrate sensitive data and deploy additional backdoors that provide persistent access for future use.
Patching the vulnerability is only the first step: infected systems show few or no signs of compromise, and a patch does nothing about a backdoor already planted or tokens and credentials already taken.
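As an added example that is not from the Ars Technica piece or from Microsoft: a PowerShell triage script a SharePoint administrator could run after patching to look for the first stage described above, a webshell dropped into the server-side script directories of an on-premises SharePoint Server. The install path, the baseline manifest location and the cutoff date are assumptions for illustration.

```powershell
# Added triage script (not part of the Ars Technica piece or of Microsoft guidance).
# Looks for the first stage the summary describes: a webshell planted under the
# LAYOUTS directory of an on-premises SharePoint Server, which leaves few runtime
# symptoms. All paths, the cutoff date and the manifest location are assumptions.
param(
    # Default LAYOUTS root of the SharePoint "16" hive (assumed install path).
    [string]$LayoutsRoot = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    # CSV of Path,Hash captured from a known-good server of the same build (assumed location).
    [string]$Baseline = 'C:\Triage\layouts-baseline.csv',
    # Files created or written after this date are reported regardless of hash (assumed cutoff).
    [datetime]$Since = '2025-07-01',
    # Run once on a clean server to produce the baseline instead of comparing against it.
    [switch]$ExportBaseline
)

# Hash every file under LAYOUTS that IIS/ASP.NET would execute or consult.
function Get-LayoutsManifest {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.config -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $_.FullName.Substring($Root.Length).TrimStart('\')
                Hash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Mtime = $_.LastWriteTimeUtc
                Ctime = $_.CreationTimeUtc
            }
        }
}

$current = @(Get-LayoutsManifest -Root $LayoutsRoot)

if ($ExportBaseline) {
    $current | Select-Object Path, Hash | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Baseline written for $($current.Count) files to $Baseline"
    return
}

$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_.Hash }

# 1. Present here, absent on the clean server: the usual shape of a dropped webshell.
$new = @($current | Where-Object { -not $known.ContainsKey($_.Path) })
# 2. Present on both but with different content: a legitimate page edited to carry a backdoor.
$modified = @($current | Where-Object { $known.ContainsKey($_.Path) -and $known[$_.Path] -ne $_.Hash })
# 3. Touched after the cutoff. LastWriteTime is easy to reset, so CreationTime is checked as well.
$recent = @($current | Where-Object { $_.Mtime -ge $Since -or $_.Ctime -ge $Since })

# 4. A webshell executes inside the IIS worker process, so anything w3wp.exe has
#    spawned (cmd.exe, powershell.exe, ...) needs an explanation.
$procs = Get-CimInstance -ClassName Win32_Process
$w3wpIds = @($procs | Where-Object { $_.Name -eq 'w3wp.exe' } | ForEach-Object { $_.ProcessId })
$children = @($procs | Where-Object { $w3wpIds -contains $_.ParentProcessId -and $_.Name -ne 'w3wp.exe' })

Write-Output "== Files not in baseline ($($new.Count)) =="
$new | Format-Table Path, Ctime, Mtime -AutoSize
Write-Output "== Files whose content differs from baseline ($($modified.Count)) =="
$modified | Format-Table Path, Ctime, Mtime -AutoSize
Write-Output "== Files created or written since $Since ($($recent.Count)) =="
$recent | Format-Table Path, Ctime, Mtime -AutoSize
Write-Output "== Processes spawned by w3wp.exe ($($children.Count)) =="
$children | Format-Table ProcessId, ParentProcessId, Name, CommandLine -AutoSize
```

Run it with -ExportBaseline on a freshly built, fully patched server of the same version, copy the CSV to each production server, then run it without the switch. Findings are leads rather than verdicts: a new file may be a legitimate customization, and an empty report does not mean the server is clean, since the later stages the summary describes (stolen tokens, additional backdoors, exfiltration) live outside LAYOUTS. Because the attackers copy tokens and credentials off the box, patching does not invalidate what was already taken; after patching, rotate the keys and credentials the server relied on (for SharePoint that includes the ASP.NET machine keys), and treat anything this script flags as the start of a full incident response rather than something to delete and forget.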
Read at Ars Technica