Urgent: Active Exploitation of SharePoint Vulnerability – What You need to Know Now (CVE-2025-53770)
A critical vulnerability affecting on-premises SharePoint servers is currently under active exploitation, prompting urgent warnings from the Cybersecurity and Infrastructure Security Agency (CISA) and security researchers.This isn’t a theoretical threat; U.S.federal agencies along with organizations in Canada and Australia have already been breached. This article provides a extensive overview of the situation,detailing the risks,affected systems,and crucial steps you need to take to protect your organization.
Crucial Note: Microsoft 365 environments are not affected by this vulnerability. This impacts solely on-premises SharePoint Server deployments.
What’s Happening? A Deep Dive
Security researchers at Eye Security first detected large-scale exploitation of the flaw (CVE-2025-53770) on July 18, 2025. Attackers are gaining access to vulnerable servers and installing a backdoor called ”ToolShell“. This backdoor grants them unauthenticated, remote access, allowing them to:
Fully access sharepoint content, including sensitive files and internal configurations.
Execute code across your network.
Steal crucial ASP.NET machine keys, enabling further, potentially delayed attacks.The Washington post’s reporting confirms the severity,highlighting breaches at multiple U.S. federal agencies. This underscores the real-world impact and the need for immediate action.
Which SharePoint Versions Are Affected?
The following sharepoint Server versions are currently confirmed to be vulnerable:
SharePoint Server subscription Edition
SharePoint Server 2019 (Updates are available – see below)
SharePoint Server 2016 (Updates are in progress)
Microsoft has released updates for sharepoint Server subscription Edition and SharePoint Server 2019. Though, patching alone isn’t enough, as detailed below.
Why Patching Isn’t Enough: The ASP.NET Machine Key Risk
Eye Security’s research emphasizes a critical point: attackers are specifically targeting SharePoint server ASP.NET machine keys. These keys,if compromised,can be used to facilitate future attacks,even after you’ve applied the patch.
Therefore, you must:
- Rotate your SharePoint server ASP.NET machine keys.
- Restart IIS on all SharePoint servers.
This proactive step significantly reduces the risk of long-term compromise.
Immediate Mitigation Steps – What You Need to Do Now
CISA strongly recommends the following actions to mitigate the risk:
Enable the Anti-Malware Scan Interface (AMSI) in SharePoint. This helps detect and block malicious code.
Deploy Microsoft Defender AV on all SharePoint servers. Ensure your antivirus solution is up-to-date.
Disconnect affected products from the public-facing Internet. This is a temporary but crucial measure until a full patch can be implemented.
These steps will limit the attack surface and provide a critical layer of defense.
Understanding the Complex History: Related Vulnerabilities
This vulnerability isn’t isolated. It’s linked to a series of previous weaknesses discovered and exploited:
CVE-2025-49704: Patched earlier this month,this vulnerability was part of an exploit chain demonstrated at the Pwn2Own hacking competition.
CVE-2025-49706: Microsoft attempted to address this vulnerability in the recent Patch Tuesday, but the fix proved insufficient.
CVE-2025-53771: A related SharePoint vulnerability for which Microsoft has issued a patch.While no active attacks are currently observed, patching is recommended for enhanced protection.Rapid7’s analysis highlights the interconnectedness of these vulnerabilities, emphasizing the need for a comprehensive security approach.
Staying Informed & Resources
This is a rapidly evolving situation. Here are key resources to stay informed:
* CISA Advisory: [https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-sharepoint-servers-under-active-exploitation](https://www.cisa.gov/news-events/alerts/2025/07/20/