Microsoft recently issued critical security patches for its on-premises SharePoint Servers, addressing an actively exploited remote code execution vulnerability (CVE-2025-53770) and disclosing details of another spoofing flaw (CVE-2025-53771). The tech giant explicitly stated its awareness of active attacks targeting on-premises SharePoint customers through these vulnerabilities, which stem from issues like the deserialization of untrusted data. These flaws, along with two related ones (CVE-2025-49704 and CVE-2025-49706), can be chained together in an exploit dubbed “ToolShell” to achieve remote code execution, highlighting the severe risk posed to vulnerable systems.
The exploited vulnerabilities specifically impact on-premises SharePoint Server versions, including SharePoint Server 2019, SharePoint Enterprise Server 2016, and SharePoint Server Subscription Edition; SharePoint Online in Microsoft 365 is not affected. To mitigate these threats, Microsoft strongly recommends that customers use supported versions of SharePoint, apply the latest security updates, ensure Antimalware Scan Interface (AMSI) is enabled in Full Mode, and deploy robust antivirus solutions like Microsoft Defender for Endpoint.
Crucially, after applying updates or enabling AMSI, organizations must rotate SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers to fully address the vulnerabilities.
The urgency of these patches is underscored by the widespread exploitation already observed. Eye Security has reported that at least 54 organizations, including banks, universities, and government entities, have been compromised, with active exploitation commencing around July 18, 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating that Federal Civilian Executive Branch agencies apply fixes by July 21, 2025, reflecting the immediate and severe threat this vulnerability poses.
Further emphasizing the gravity of the situation, Palo Alto Networks Unit 42 has characterized this as a “high-impact, ongoing threat campaign” affecting government, schools, healthcare, and large enterprise companies.
Attackers are reportedly bypassing identity controls like MFA and SSO to gain privileged access, exfiltrate sensitive data, deploy persistent backdoors, and steal cryptographic keys. Michael Sikorski of Unit 42 warned that organizations with internet-exposed on-premises SharePoint should assume they have already been compromised, and patching alone may not be sufficient for full eviction of the threat.
Given SharePoint’s deep integration with other Microsoft services, a compromise can open the door to an entire network, making the threat particularly concerning. Palo Alto Networks Unit 42 advises organizations to immediately apply patches, rotate all cryptographic material, and engage in incident response efforts. As an immediate, temporary measure, disconnecting Microsoft SharePoint from the internet until a patch is confirmed to be fully effective was suggested to prevent further compromise and avoid a false sense of security that could lead to prolonged exposure.
Reference:
