Critical Microsoft SharePoint zero-day vulnerabilities, now confirmed to be exploited in real-world attacks, were originally discovered and responsibly disclosed by Viettel Cyber Security (VCS).
SharePoint is widely used by businesses and organizations worldwide to store and collaborate on documents. These vulnerabilities affect on-premises SharePoint Server only; SharePoint Online in Microsoft 365 is not affected. The vulnerability chain allows attackers with no prior access to bypass authentication, upload webshells and execute malicious code remotely. Critically, if attackers manage to extract the ASP.NET ValidationKey and DecryptionKey, they can retain persistent control of the system even after security patches have been applied: patching does not change those keys, so anything signed or encrypted with them (such as ViewState) remains trusted by the server until the keys are rotated.
The timeline
On May 16, 2025, at Pwn2Own Berlin 2025, our researcher Dinh Ho Anh Khoa, a member of VCS's elite research team, successfully chained an authentication bypass with an insecure deserialization bug to achieve unauthenticated remote code execution on SharePoint Server. The exploit earned him $100,000 from the Pwn2Own organizer, and the two flaws were later assigned CVE-2025-49706 (the authentication bypass) and CVE-2025-49704 (the deserialization / code execution bug).
These findings were uncovered by VCS’s elite research team as part of an ongoing effort to proactively identify high-risk flaws before threat actors can weaponize them. The vulnerabilities were immediately reported to Microsoft and Trend Micro’s Zero Day Initiative (ZDI) – the Pwn2Own organizer – through responsible disclosure programs, in full alignment with global standards.
About one and a half months later, on July 8, 2025, Microsoft released patches for CVE-2025-49704 and CVE-2025-49706 as part of the July 2025 Patch Tuesday security update. Shortly afterwards, Viettel Cyber Security Threat Intelligence issued an early warning about the vulnerabilities addressed, together with guidance to help our customers reduce exposure and strengthen their defenses.
On July 19, 2025, Microsoft reported active attacks against on-premises SharePoint Server customers that exploited vulnerabilities only partially addressed by the July security update. The exploited flaws were later assigned CVE-2025-53770 and CVE-2025-53771. Microsoft subsequently released security updates that, in its words, "fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771".
Following Microsoft's official disclosure, it has been confirmed that these vulnerabilities are being actively exploited at scale. Exploitation has been observed on servers that have not applied Microsoft's updates; because the July 8 Patch Tuesday update only partially addressed the chain, the later updates for CVE-2025-53770 and CVE-2025-53771 must be applied as well. Immediate action is strongly recommended to prevent compromise and protect critical infrastructure.
Recommended actions and detailed technical analysis from Viettel Cyber Security
This is not the first time VCS has reported critical vulnerabilities to major global technology companies through ZDI. Over the years, VCS has responsibly disclosed multiple high-impact security flaws in products from Microsoft, Oracle, HP, Canon, Synology, QNAP Systems, Nvidia and others, helping them patch issues before they could be weaponized.
At Viettel Cyber Security, our top priority is clear: to defend the ecosystem against real-world threats. By sharing what we know, we aim to strengthen the entire security community, help organizations understand the vulnerabilities and take action to stop attackers.
Viettel Cyber Security has released a guideline to protect against CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771, including prevention strategies, detection patterns and threat hunting techniques, here.
We recommend that organizations immediately take the following actions to mitigate the vulnerability chain:
For End-of-Life SharePoint Versions (No Security Patches Available – SharePoint 2010, 2013):
To help organizations detect ToolShell-related attacks early, Viettel Cyber Security recommends that organizations implement multi-layered monitoring, including IDS/IPS, WAF, EDR and system log analysis. Security teams should also check for signs of compromise to assess whether a SharePoint environment has been breached. Full detection and threat hunting guidelines are provided in our technical report.
The researcher, Dinh Ho Anh Khoa, has also published a detailed technical blog on CVE-2025-49706 and CVE-2025-49704 for informational purposes. Please find his findings here.
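As an added illustration of the two points above (that a stolen ValidationKey/DecryptionKey survives patching, and that teams should check for dropped webshells), the following PowerShell is an example post-patch response script for an on-premises farm. It is not part of Viettel Cyber Security's guideline or of Microsoft's tooling. It assumes SharePoint Server 2016, 2019 or Subscription Edition installed in the default location (the "16" hive path and the 30-day hunting window are assumptions to adjust for your environment), and it must be run in an elevated SharePoint Management Shell only after the security updates for CVE-2025-53770 and CVE-2025-53771 have been installed, since rotating keys on a still-vulnerable server just hands the attacker the new ones.

```powershell
# Added example: post-patch response for an on-premises SharePoint farm.
# Not Viettel Cyber Security's guideline code and not Microsoft's tooling.
# Assumptions: SharePoint Server 2016/2019/SE, default install path ("16" hive),
# run in an elevated SharePoint Management Shell on a server in the farm.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Record the farm build so it can be compared with the build that Microsoft's
#    advisory lists as fixed for CVE-2025-53770 / CVE-2025-53771.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) of every web
#    application, including Central Administration. Installing the update does not
#    invalidate keys an attacker has already stolen; rotation is what closes the
#    post-patch persistence path described above.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. The new keys are only picked up by fresh worker processes: restart IIS.
#    Repeat this step on every SharePoint server in the farm, not just this one.
iisreset

# 4. Hunt for dropped webshells: server-side script files under LAYOUTS with a
#    recent write time. Security updates legitimately rewrite files here too, so
#    compare each hit against a known-good server (or the update's file list)
#    instead of treating every result as malicious.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since   = (Get-Date).AddDays(-30)   # assumed exposure window; widen if unsure

Get-ChildItem -Path $layouts -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Order matters: patch first, then rotate keys, then restart IIS on every server so no worker process keeps serving with the old keys. Any suspicious file found in step 4 should be preserved for forensics rather than simply deleted, because its write time and content date the intrusion and may show whether the keys were harvested before rotation.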