PT-2025-28603 · Microsoft · Sharepoint Server

Published 2025-07-08 · Updated 2025-09-05 · CVE-2025-49706

CVSS v2.0: 7.5
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:N

**Name of the Vulnerable Software and Affected Versions:**

Microsoft SharePoint Server, Microsoft SharePoint Server Subscription Edition, Microsoft Office SharePoint (affected versions not specified)

**Description:**

An improper authentication vulnerability exists in Microsoft SharePoint that allows an unauthorized attacker to perform spoofing over a network. Exploitation of this issue can allow an attacker to view sensitive information and make changes to the disclosed information. Multiple China-based groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, are actively exploiting this vulnerability, together with CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771, to target government, military, and corporate sectors worldwide. The exploitation uses a technique called "ToolShell," which chains multiple vulnerabilities to bypass authentication, drop a web shell, extract cryptographic keys, and execute arbitrary commands. The "ToolShell" campaign has compromised over 85 servers as of July 20, 2025, and over 400 organizations globally, including US agencies. The vulnerability stems from a logic flaw in SharePoint's authentication checks: a crafted `Referer` header that matches a sign-out page can bypass the check.

**Recommendations:**

Apply the latest security updates released by Microsoft.

Isolate any unpatched SharePoint servers.

Rotate Machine Keys to mitigate potential persistence after exploitation.

Scan systems for Indicators of Compromise (IOCs) related to this vulnerability.

Consider temporarily disabling the vulnerable component `ToolPane.aspx` as a workaround.
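To support the IOC scan recommended above, the following added example (not part of the PT advisory) flags IIS W3C log lines in which a request to `ToolPane.aspx` carries a `Referer` pointing at a sign-out page, the access pattern the description attributes to this bypass. The field layout, the sample log lines and the exact sign-out path (`SignOut.aspx`) are assumptions constructed for the example, not values taken from the advisory.

```python
"""Flag IIS W3C log lines matching the ToolPane.aspx + sign-out Referer pattern.

Added detection example. The #Fields layout, the sample entries and the
sign-out path (/_layouts/SignOut.aspx) are constructed assumptions.
"""
import re
from typing import Iterator, List

# Constructed sample log; the field order follows the #Fields header.
# Hosts use the reserved .example domain, so nothing here is a real target.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2025-07-19 03:12:41 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit /_layouts/SignOut.aspx 200
2025-07-19 03:12:45 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit https://intranet.example/sites/hr 200
2025-07-19 03:13:02 POST /_layouts/15/toolpane.aspx DisplayMode=Edit https://intranet.example/_layouts/15/signout.aspx 200
2025-07-19 03:14:10 GET /sites/hr/default.aspx - /_layouts/SignOut.aspx 200
"""

# Case-insensitive: IIS path matching is case-insensitive, so attackers need
# not preserve the canonical spelling of either file name.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/signout\.aspx", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than guess columns
        yield dict(zip(fields, values))


def is_toolshell_pattern(rec: dict) -> bool:
    """True only when the stem is ToolPane.aspx AND the Referer names a sign-out page.

    Either condition alone is ordinary SharePoint traffic (admins edit tool panes,
    users get redirected after signing out), so both are required to reduce noise."""
    return bool(TOOLPANE_RE.search(rec.get("cs-uri-stem", ""))
                and SIGNOUT_RE.search(rec.get("cs(Referer)", "")))


def find_suspicious(text: str) -> List[str]:
    """Return a one-line summary for every matching request, in log order."""
    return [f"{r['date']} {r['time']} {r['cs-method']} {r['cs-uri-stem']} referer={r['cs(Referer)']}"
            for r in parse_w3c(text) if is_toolshell_pattern(r)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

A hit is a trigger for investigation (web shell hunt, machine key rotation), not proof of compromise; patched servers may still log the probe.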

Fix · RCE · Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2025-08524
CVE-2025-49706
ZDI-25-580

Affected Products

Sharepoint Server