Microsoft hit with SharePoint attack — one version still vulnerable

Microsoft SharePoint Hit by Zero-Day Attack, One Version Remains Vulnerable

July 22, 2025 — Microsoft has issued an urgent warning to SharePoint Server customers following a wave of attacks exploiting a critical zero-day vulnerability, CVE-2025-53770, in its on-premises SharePoint Server software (SharePoint Online in Microsoft 365 is not affected). The flaw lets unauthenticated attackers execute code remotely and read the server's file system, and it has been used to compromise dozens of organizations worldwide, including U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm. Emergency patches have been released for two versions of the software, but SharePoint Server 2016 remains vulnerable, leaving organizations that run it at risk.

Details of the Attack

The exploit chain, dubbed “ToolShell,” was first observed in the wild by Dutch cybersecurity firm Eye Security on July 18, 2025, after it detected suspicious activity tied to a malicious .aspx file. CVE-2025-53770, rated CVSS 9.8, is a deserialization-of-untrusted-data flaw and a variant of CVE-2025-49704, a code-injection bug; its companion, CVE-2025-53771, is a variant of CVE-2025-49706, an authentication bypass. Both original bugs were chained at Pwn2Own Berlin 2025 and addressed in Microsoft’s July 2025 Patch Tuesday updates, but those fixes proved incomplete. Attackers have used the chain to deploy web shells, steal the servers’ ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState), and exfiltrate sensitive data, with the potential for lateral movement into connected services such as Outlook, Teams, and OneDrive.

Eye Security reported scanning more than 8,000 internet-facing SharePoint servers and confirming at least 54 compromised organizations, including banks, government entities, and healthcare institutions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog, directed federal agencies to apply mitigations by July 21, 2025, and recommended that all organizations assume compromise and begin threat hunting.

Microsoft’s Response and Patches

Microsoft issued emergency security updates on July 20, 2025, for SharePoint Server Subscription Edition and SharePoint Server 2019, addressing both CVE-2025-53770 and a related flaw, CVE-2025-53771. The updates include:

  • KB5002754 and KB5002753 for SharePoint Server 2019 Core and Language Pack.
  • KB5002768 for SharePoint Server Subscription Edition.

However, SharePoint Server 2016 remains unpatched, with Microsoft working on a fix. Until it is available, Microsoft advises disconnecting vulnerable servers from the internet. Microsoft also recommends enabling Antimalware Scan Interface (AMSI) integration in Full Mode and deploying Microsoft Defender Antivirus on all SharePoint servers, a configuration that blocks the unauthenticated exploit. After patching (or enabling AMSI), administrators must rotate the ASP.NET machine keys and restart IIS on every server in the farm: otherwise an attacker who already dumped the keys can keep forging valid ViewState payloads against a patched server.

Impact and Risks

The attack’s scope is significant, with Palo Alto Networks’ Unit 42 estimating that thousands of organizations globally may be affected, particularly in government, education, healthcare, and large enterprises. The vulnerability’s severity stems from unauthenticated access: an attacker can drop a web shell and steal the server’s ASP.NET machine keys, and with those keys can forge signed ViewState payloads that keep working across reboots and even after the security update is installed, until the keys are rotated. SharePoint’s integration with services such as Outlook, Teams, and OneDrive heightens the risk of data theft, password harvesting, and network-wide compromise.

CISA and security experts emphasize the urgency of action, noting that in-the-wild exploitation began within days of technical details of the Pwn2Own Berlin 2025 chain becoming public, which let attackers build working exploits against the incomplete July fix. Michael Sikorski, CTO of Unit 42, warned, “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised.”

Recommendations for Organizations

Microsoft and CISA have outlined immediate steps for affected organizations:

  • Apply Patches: Install the July 2025 security updates for SharePoint Server 2019 (KB5002754 and KB5002753) and SharePoint Server Subscription Edition (KB5002768).
  • Mitigate Unpatched Systems: For SharePoint Server 2016, enable AMSI integration in Full Mode and deploy Defender Antivirus, or disconnect the servers from the internet.
  • Rotate Keys: After patching, rotate the ASP.NET machine keys and restart IIS on every SharePoint server so that keys already stolen stop working.
  • Threat Hunting: Search IIS logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx, and check the SharePoint LAYOUTS directory for spinstall0.aspx (or similarly named variants); either indicates exploitation.

Organizations are also advised to block and monitor for traffic from the IP addresses associated with the attacks (107.191.58.76, 104.238.159.149, 96.9.125.147) and to engage professional incident response services if compromise is suspected.
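The following PowerShell runbook is an added example that ties the mitigation steps above (AMSI/Defender check, threat hunting, key rotation) together; it is not Microsoft, CISA or Eye Security tooling. It assumes it is run from the SharePoint Management Shell as a farm administrator, that the IIS logs use the default W3C field set (which includes cs(Referer)), that SharePoint is installed under the "16" hive, and that the Set-SPMachineKey and Update-SPMachineKey cmdlets are available (they are in SharePoint Server 2019 and Subscription Edition; confirm against your version's documentation). The IIS log lines in the block are constructed for illustration.

```powershell
# Added example, not Microsoft/CISA/Eye Security tooling. Run from the SharePoint
# Management Shell as a farm administrator. Assumptions: default IIS W3C log fields
# (including cs(Referer)), the "16" hive path, and the Set-/Update-SPMachineKey
# cmdlets (SharePoint Server 2019 and Subscription Edition). Log lines are constructed.

# --- 1. Indicators named in the article ---------------------------------------
$IocIPs  = @('107.191.58.76', '104.238.159.149', '96.9.125.147')
$IocPath = '/_layouts/15/ToolPane.aspx'   # exploit entry point, hit with a POST
$IocRef  = '/_layouts/SignOut.aspx'       # spoofed Referer that bypasses authentication
$IocFile = 'spinstall0.aspx'              # web shell that dumps the ASP.NET machine keys

# --- 2. Hunt IIS W3C logs for exploitation attempts ---------------------------
function Find-ToolShellRequests {
    param([string[]]$LogLines)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The header defines the column order; it can differ between log files
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $hitToolPane = ($row['cs-method'] -eq 'POST') -and
                       ($row['cs-uri-stem'] -like "*$IocPath") -and
                       ($row['cs(Referer)'] -like "*$IocRef*")
        $hitShell = $row['cs-uri-stem'] -like "*$IocFile"
        $hitIP    = $IocIPs -contains $row['c-ip']
        if (-not ($hitToolPane -or $hitShell -or $hitIP)) { continue }

        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            ClientIP = $row['c-ip']
            Request  = "$($row['cs-method']) $($row['cs-uri-stem'])?$($row['cs-uri-query'])"
            Referer  = $row['cs(Referer)']
            Status   = $row['sc-status']
            Reason   = @(
                if ($hitToolPane) { 'POST to ToolPane.aspx with SignOut referer' }
                if ($hitShell)    { 'request for spinstall0.aspx' }
                if ($hitIP)       { 'known attacker IP' }
            ) -join '; '
        }
    }
}

# Constructed sample log: exploit POST, web shell fetch, then a benign request
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:12:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200 0 0 153
2025-07-18 10:12:04 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 12
2025-07-18 10:15:30 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe Mozilla/5.0 - 203.0.113.7 200 0 0 40
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize   # flags the first two lines
# Against the real logs on every web front end:
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#     ForEach-Object { Find-ToolShellRequests -LogLines (Get-Content $_.FullName) }

# --- 3. Look for the dropped web shell and confirm Defender is active -----------
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled

# --- 4. After the security update is installed: rotate keys, restart IIS --------
# A MachineKey stolen via spinstall0.aspx lets an attacker forge __VIEWSTATE payloads
# even on a patched server, so rotation is mandatory.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Set-SPMachineKey    -WebApplication $webApp   # rotate the keys for this web application
    Update-SPMachineKey -WebApplication $webApp   # deploy the new keys to every server's web.config
}
iisreset.exe                                      # repeat on each SharePoint server in the farm
```

The log parser reads the `#Fields:` header rather than assuming column positions, because administrators often customise IIS logging and a fixed-index parser would silently miss the Referer. Any hit on the ToolPane/SignOut pattern or on spinstall0.aspx should be treated as confirmed exploitation, not a false positive to triage: at that point the machine keys must be assumed stolen regardless of whether the server has since been patched.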

Broader Context

This incident follows a series of high-profile Microsoft security breaches, including the 2023 Storm-0558 compromise of Exchange Online email and the 2024 Midnight Blizzard intrusion into Microsoft’s corporate email. Critics, including the 2024 White House Cyber Safety Review Board report on the 2023 incident, have faulted Microsoft for inadequate security practices. The SharePoint attack underscores the difficulty of securing on-premises systems and the need for rapid response to zero-day exploits.

As Microsoft works on a patch for SharePoint Server 2016, organizations must act swiftly to mitigate risks. CISA’s Acting Executive Assistant Director for Cybersecurity, Chris Butera, praised the collaboration between researchers, Microsoft, and federal agencies, stating, “This is an important example of operational collaboration in action for homeland and national security.” For now, vigilance and proactive measures are critical to safeguarding SharePoint environments.
