SharePoint Zero-Day Exploited in the Wild: Patching


Urgent cyber warnings have been issued as a critical zero-day vulnerability in Microsoft SharePoint Server, dubbed “ToolShell,” is actively being exploited by threat actors in the wild.

This serious flaw has allowed attackers to gain persistent, unauthorized access to compromised systems, prompting Microsoft and cybersecurity agencies to urge immediate action from organizations globally.

What is SharePoint?

Microsoft SharePoint is a web-based collaborative platform that integrates with Microsoft Office. It is primarily used for document management and storage. SharePoint allows teams to create websites to share information, manage documents, and publish reports, making it a crucial tool for many businesses for internal communication, content management, and business intelligence.

Key Facts:

  • Vulnerability: CVE-2025-53770 (with a critical CVSS score of 9.8) and CVE-2025-53771.
  • Name: Dubbed “ToolShell.”
  • Status: Zero-day actively exploited in the wild.
  • Initial Patch Availability: none at the time of disclosure (patches were released subsequently).

Impact:

  • Exploitation Observed By: Google Threat Intelligence Group, Eye Security, and Palo Alto Networks Unit 42.
  • Exploitation: Used to install webshells and exfiltrate cryptographic secrets (the server's ASP.NET machine keys, which let an attacker keep forging valid requests even after the code fix is applied).
  • Consequences: Persistent, unauthenticated access to the SharePoint server, posing significant risk to affected organizations. Dozens of servers had already been compromised when the activity was reported.

Patch Application:

Microsoft has released emergency updates for SharePoint Subscription Edition and SharePoint Server 2019. Organizations should apply these patches immediately. At the time of writing, patches for SharePoint Server 2016 are still pending.

Security Measures:

  • Immediate Mitigation: Microsoft recommended configuring AMSI integration in SharePoint so that incoming requests are scanned before they reach the vulnerable code.
  • Endpoint Protection: Deploy Defender Antivirus (or an equivalent AMSI-capable engine) on all SharePoint servers; AMSI integration does nothing without one.
  • Key Rotation: Because exploitation exfiltrates the ASP.NET machine keys, installing the update alone does not evict an attacker who already holds them; the machine keys must be rotated and IIS restarted after patching.
  • Investigation: Organizations are advised to assume compromise, review IIS logs and the SharePoint web root for signs of exploitation and webshells, and remediate before trusting the server again.
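The "assume compromise" step is abstract, so here is one concrete hunt, as an added example that is not from the article, Microsoft, or any of the vendors named above. It parses IIS W3C logs and flags the publicly reported ToolShell request shape: an unauthenticated POST to ToolPane.aspx (the page the name "ToolShell" refers to) with a Referer of /_layouts/SignOut.aspx, and then any follow-on request from the same client for an .aspx page under /_layouts/, which is where a dropped webshell would be fetched. The log lines are constructed, the web farm names are placeholders, and example_shell.aspx is a made-up file name: match on the behaviour, not on that name.

```python
"""Hunt IIS W3C logs for the ToolShell (CVE-2025-53770) exploitation pattern.

Added example; assumptions are marked in comments. Run stand-alone to scan the
constructed SAMPLE_LOG, or pass the contents of a real u_ex*.log to
find_toolshell_hits().
"""
from urllib.parse import unquote

# Constructed sample log (not real traffic). Column order follows the default IIS
# logging schema, but the parser reads it from the #Fields: header so a farm with
# a different schema still works.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.20 Mozilla/5.0 https://sp.example.test/SitePages/Home.aspx 200 0 0 31
2025-07-19 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 120
2025-07-19 10:02:16 10.0.0.5 GET /_layouts/15/example_shell.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2025-07-19 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.0.21 Mozilla/5.0 https://sp.example.test/_layouts/15/start.aspx 200 0 0 45
"""

# Reported exploitation pattern: POST to ToolPane.aspx with this relative Referer.
TOOLPANE_SUFFIX = "/toolpane.aspx"
SIGNOUT_SUFFIX = "/signout.aspx"


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):  # truncated or malformed line; skip it
            continue
        yield dict(zip(fields, values))


def is_toolshell_request(entry):
    """True for a POST to ToolPane.aspx whose Referer is the SignOut page."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "").lower()
    referer = unquote(entry.get("cs(Referer)", "")).lower()
    return method == "POST" and stem.endswith(TOOLPANE_SUFFIX) and referer.endswith(SIGNOUT_SUFFIX)


def find_toolshell_hits(log_text):
    """Return a list of suspicious entries, in log order, with a reason for each."""
    hits = []
    suspect_ips = set()
    for e in parse_w3c(log_text):
        client = e.get("c-ip", "-")
        stem = e.get("cs-uri-stem", "")
        record = {
            "time": f"{e.get('date', '')} {e.get('time', '')}",
            "client": client,
            "method": e.get("cs-method", ""),
            "uri": stem,
            "authenticated": e.get("cs-username", "-") != "-",  # IIS logs '-' for anonymous
            "status": e.get("sc-status", ""),
        }
        if is_toolshell_request(e):
            suspect_ips.add(client)
            hits.append({"reason": "toolpane-post-with-signout-referer", **record})
        elif client in suspect_ips and "/_layouts/" in stem.lower() and stem.lower().endswith(".aspx"):
            # Any later .aspx fetch under /_layouts/ by the same client is a likely webshell check-in.
            hits.append({"reason": "follow-on-layouts-aspx-from-suspect-ip", **record})
    return hits


if __name__ == "__main__":
    for hit in find_toolshell_hits(SAMPLE_LOG):
        auth = "authenticated" if hit["authenticated"] else "anonymous"
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['uri']} ({auth}) -> {hit['reason']}")
```

Legitimate editors also POST to ToolPane.aspx (the last constructed line), so the Referer and the anonymous username are what separate exploitation from normal use; treat a hit as a lead to pull the server's web root and process history, not as proof on its own.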

More Important Points:

The ‘ToolShell’ vulnerabilities are bypasses of previously patched flaws (CVE-2025-49706 and CVE-2025-49704) that were demonstrated at the Pwn2Own Berlin hacking competition in May.

Threat actors managed to bypass Microsoft’s initial patches, so Microsoft assigned the new CVEs (CVE-2025-53770 and CVE-2025-53771) and shipped updates with more robust protections. Servers that installed only the July updates for the original CVEs remain exposed.

The cybersecurity agency CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, urging government organizations to address it promptly.

While initial reports suggested both new CVEs were being chained, Eye Security has clarified that it has not observed active exploitation of CVE-2025-53771 (or its variant CVE-2025-49706) in its customer environments.

These vulnerabilities affect only on-premises SharePoint Server deployments; SharePoint Online in Microsoft 365 is not affected.
