- Apply the necessary security updates released by Microsoft.
- Configure Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploy Microsoft Defender AV on all SharePoint servers.
- If AMSI cannot be enabled, disconnect affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
- Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
- For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory for CVE-2025-49706. CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, relevant to the SharePoint platform deployed in their environment.
- Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the IIS web server.
- Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.
- Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19.
- Update intrusion prevention system and web-application firewall (WAF) rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
- Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
- Audit and minimize layout and admin privileges.
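
The two monitoring items above (POSTs to ToolPane.aspx with DisplayMode=Edit, and the three listed IPs) can be checked against IIS logs as follows. This is an added example, not code from CISA, Microsoft or the NJCCIC; it assumes W3C-format IIS logs with the cs-method, cs-uri-stem, cs-uri-query and c-ip fields enabled, and the function name `hunt` and the sample log are constructed for illustration.

```python
from urllib.parse import parse_qs

# Indicators copied from the advisory; IPs stay defanged in source, refanged here.
ADVISORY_IPS = {ip.replace("[.]", ".") for ip in
                ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"

# Constructed sample in IIS W3C format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 18:06:12 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 200
2025-07-18 18:07:01 GET /_layouts/15/start.aspx - 192.0.2.10 200
2025-07-19 07:30:44 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 302
2025-07-19 07:31:02 GET /sites/hr/default.aspx - 96.9.125.147 200
""".splitlines()

def hunt(lines):
    """Yield (reason, record) for each log record matching an advisory indicator."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()  # IIS encodes spaces inside values, so split is safe
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        # IIS paths and query keys are case-insensitive, so compare lowercased.
        query = parse_qs(rec.get("cs-uri-query", "").lower())
        if (rec.get("cs-method", "").upper() == "POST"
                and rec.get("cs-uri-stem", "").lower() == TOOLPANE_STEM
                and "edit" in query.get("displaymode", [])):
            yield "toolpane-post", rec
        if rec.get("c-ip") in ADVISORY_IPS:
            yield "advisory-ip", rec

if __name__ == "__main__":
    for reason, rec in hunt(SAMPLE_LOG):
        print(reason, rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

If SharePoint sits behind a reverse proxy or load balancer, c-ip holds the proxy's address, so run the IP check against whichever forwarded-client field your environment logs.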
Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.
