Cybersecurity organizations Microsoft and CISA issue alerts about digital assaults specifically aimed at on-site SharePoint servers.
In a recent development, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) are working together to notify potentially impacted entities about recommended mitigations for a critical vulnerability in Microsoft SharePoint servers. Dubbed ToolShell (CVE-2025-53770), this vulnerability was first made public by Microsoft, and it has since been actively exploited in the wild.
The ToolShell vulnerability is a variant of CVE-2025-49706 and involves deserialization of untrusted data. This critical remote code execution vulnerability can allow a malicious adversary to gain full access to SharePoint content, potentially compromising sensitive data.
To address this urgent threat, Microsoft has released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771. It is highly recommended that organizations apply these patches promptly to close the vulnerability and associated authentication bypass.
However, given the active exploitation of the ToolShell vulnerability, organizations running internet-exposed on-premises SharePoint should assume potential compromise. Consequently, a comprehensive incident investigation and remediation are necessary.
In addition to patching, there are several other recommended mitigations:
- Use Web Application Firewalls (WAF) with updated rules. Cloudflare and Fastly provide WAF rules that can detect and block exploitation attempts, providing an extra layer of protection.
- Restrict internet exposure of SharePoint servers if possible by isolating them behind secure networks or VPNs. This reduces the attack surface and exposure to reconnaissance and exploitation attempts.
- Monitor for indicators of compromise such as unusual POST requests, suspicious ASPX implants, and attempts to extract cryptographic keys.
- Harden overall security postures for SharePoint servers by reviewing authentication and authorization configurations, disabling unnecessary features, and following security best practices.
Moreover, Microsoft was made aware of the exploitation by a trusted partner and immediately took action. The Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations with on-premise Microsoft SharePoint servers to rapidly implement these mitigations.
Organizations like Shadowserver, watchTowr, Eye Security, and Google's Threat Intelligence Group are also actively involved in tracking and notifying affected customers. Researchers have reported that hackers have already breached dozens of vulnerable systems in at least two attack waves, and exploitation may have begun as early as July 16.
It's important to note that Charles Carmakal, CTO of Mandiant Consulting - Google Cloud, assesses that at least one of the actors responsible for early exploitation is a China-nexus threat actor. Carmakal warns that multiple actors are actively exploiting the vulnerability, and additional hackers with diverse motives are likely to engage in similar activity.
In summary, rapid patching combined with active detection, restricting internet accessibility, and layered defenses like WAF rules constitute the recommended mitigations against the critical ToolShell vulnerability in Microsoft SharePoint servers. Organizations are strongly advised to implement these measures to protect their sensitive data from potential exploitation.
[1] Microsoft Security Response Center Blog Post: https://msrc-blog.microsoft.com/2025/07/20/msrc-blog-post-july-20-2025-security-updates-for-sharepoint-and-onedrive-for-business/ [2] CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities [3] Microsoft Security Blog: https://techcommunity.microsoft.com/t5/microsoft-security-blog/july-2025-security-updates-for-microsoft-sharepoint-and-onedrive/ba-p/3974668 [4] CISA Alert: https://us-cert.cisa.gov/ncas/alerts/aa25-325a
- The ToolShell vulnerability, a critical remote code execution vulnerability in Microsoft SharePoint servers, has been actively exploited and is a variant of CVE-2025-49706, involving deserialization of untrusted data.
- Given the active exploitation, organizations with internet-exposed on-premises SharePoint servers should assume potential compromise and conduct comprehensive incident investigation and remediation.
- To protect sensitive data, organizations should not only apply the patches Microsoft released for CVE-2025-53770 and CVE-2025-53771 promptly, but also employ additional measures such as using Web Application Firewalls (WAF), restricting internet exposure, monitoring for indicators of compromise, and hardening overall security postures for SharePoint servers.
- With hackers already breaching dozens of vulnerable systems, it is essential for organizations to act quickly and implement these mitigations, as advised by Microsoft, the Cybersecurity and Infrastructure Security Agency (CISA), and various threat intelligence groups.
