CISA has released a Malware Analysis Report (MAR) detailing threats linked to recent Microsoft SharePoint vulnerabilities, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Threat actors have exploited CVE-2025-49704 and CVE-2025-49706 in a known attack chain dubbed “ToolShell” to gain unauthorized access to on-premises SharePoint servers. The malware analyzed includes two malicious Dynamic Link Library files, a cryptographic key stealer, and three web shells, all capable of stealing encryption keys and running Base64-encoded PowerShell commands for system fingerprinting and data exfiltration. CISA previously added these vulnerabilities to its Known Exploited Vulnerabilities Catalog in July 2025 and urges organizations to review the MAR for indicators of compromise and detection signatures to protect their environments. For more details, refer to the Malware Analysis Report.