We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Exploit:Script/SuspSignoutReq.A
Aliases: No associated aliases
Summary
Exploit:Script/SuspSignoutReq.A is a new malicious server-side script that is flagged by antivirus apps. It is an exploit that takes advantage of SharePoint authentication weaknesses CVE-2025-49706 (for spoofing) and CVE-2025-49704 (for remote code execution) to deliver web shells to the SharePoint server.
This exploit allowed for the command to run on SharePoint, which can be used for credential theft, deployment of ransomware, and remotely launching commands. Threat actors from Linen Typhoon and Violet Typhoon are behind this attack.
The vulnerabilities exploited by the script are patched under KB5002768 for SharePoint subscription edition, KB5002741 for SharePoint 2019, and KB5002744 for SharePoint 2016.
For more information and guidance from Microsoft, read the following:
Refer to the Mitigation and protection guidance in the Disrupting active exploitation of on-premises SharePoint vulnerabilities blog for details.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
