Exploit:Script/SuspSignoutReqBody.A is an exploit targeting on-premises SharePoint Server vulnerabilities, specifically CVE-2025-53770 (a critical de-serialization vulnerability) and CVE-2025-49704 (remote code execution). The malware allows unauthenticated threat actors to launch arbitrary code on unpatched versions of SharePoint that take advantage of these software vulnerabilities, including the deployment of web shells, stealing sensitive credentials, and spreading ransomware.

Threat actors such as Linen Typhoon and Violet Typhoon are behind this attack.

The vulnerabilities exploited by the script are patched under KB5002768 for SharePoint subscription edition, KB5002741 for SharePoint 2019, and KB5002744 for SharePoint 2016.

For more information and guidance from Microsoft, read the following:

• Disrupting active exploitation of on-premises SharePoint vulnerabilities