Microsoft has begun releasing emergency SharePoint Server updates to patch two zero-days that were exploited in recent days against vulnerable instances.
Exploitation of the vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771 and dubbed ‘ToolShell’, appears to have begun on July 18, according to Eye Security, whose researchers were the first to warn organizations about the attacks.
Microsoft quickly confirmed in-the-wild exploitation and shared mitigations while it scrambled to develop patches. Late on Sunday, the tech giant announced security updates that should fix the vulnerabilities in SharePoint Subscription Edition and SharePoint 2019. Patches for SharePoint 2016 are pending.
CVE-2025-53770 and CVE-2025-53771 only impact on-premises SharePoint Servers. The flaws can be chained for unauthenticated, remote code execution.
In attacks observed by Eye Security and Google’s Threat Intelligence Group, the attackers planted a webshell and exfiltrated cryptographic secrets that enabled them to gain full access to compromised systems.
Internet scans conducted by Eye Security showed dozens of SharePoint servers hacked via a ToolShell attack.
The non-profit cybersecurity organization ShadowServer reported seeing over 9,000 internet-exposed instances of SharePoint, a majority in North America and Europe. It’s unclear how many of them are vulnerable to attacks.
CVE-2025-53770 and CVE-2025-53771 are variants of CVE-2025-49706 and CVE-2025-49704, which security researchers from Viettel demonstrated in May at the Pwn2Own Berlin hacking competition.
Microsoft fixed CVE-2025-49706 and CVE-2025-49704 with its July 2025 Patch Tuesday updates. Several days later, researchers at Code White reproduced the exploit chain, which they dubbed ToolShell, showing how it can be executed with just one request by an unauthenticated attacker.
It appears threat actors managed to bypass Microsoft’s patches for CVE-2025-49706 and CVE-2025-49704, and have started launching attacks against vulnerable SharePoint servers.
In response, Microsoft published new advisories and assigned new CVEs: CVE-2025-53770, whose patch should include “more robust protections” than the patch for CVE-2025-49704, and CVE-2025-53771, whose patch should provide better protections than the one for CVE-2025-49706.
At the time of writing, Microsoft’s advisory for CVE-2025-53771 does not mention active exploitation. SecurityWeek is attempting to obtain clarifications regarding the exploitation of this flaw from Microsoft.
Palo Alto Networks over the weekend reported seeing exploitation of CVE-2025-49704 and CVE-2025-49706 against targets worldwide. However, its advisory was released before Microsoft announced the new CVE identifiers, suggesting that these are the same attacks seen by others.
The cybersecurity agency CISA has added CVE-2025-53770 to its KEV catalog and instructed government organizations to immediately address it. The agency has also issued its own alert summarizing the available information and mitigations.
Organizations that cannot immediately apply the available patches, or whose SharePoint versions have yet to be patched, are advised to enable the Antimalware Scan Interface (AMSI) integration in SharePoint and set it to ‘Full Mode’.
Because the cryptographic keys targeted in these attacks may already be compromised by the time updates or mitigations are deployed, Microsoft recommends rotating them after updates or mitigations are applied.
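The key-rotation step above is the one most easily missed, because a patched server still trusts any machine keys an attacker copied out before the update. The following SharePoint Management Shell script is an added illustration of that step; it is not code from the article, from Microsoft or from any of the vendors named above. It assumes a SharePoint Server build that ships the Update-SPMachineKey cmdlet, that it is run by a farm administrator after the security update has been installed and AMSI has been set to Full Mode in Central Administration, and that the per-web-application rotation is followed by an IIS restart on every server in the farm.

```powershell
# Added example (not the article's or Microsoft's code): rotate the ASP.NET machine keys
# of every content web application in the farm after patching, then restart IIS.
# Assumptions: run as farm administrator in the SharePoint Management Shell (or with the
# snap-in loaded below) on a build that provides Update-SPMachineKey.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Fail early if the cmdlet is missing: that usually means the update itself is not installed yet.
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available; install the current SharePoint security update first."
}

# Keep a per-web-application record of what was rotated and when, for the incident timeline.
$rotationLog = @()

foreach ($webApp in Get-SPWebApplication) {
    try {
        Update-SPMachineKey -WebApplication $webApp
        $rotationLog += [pscustomobject]@{ WebApplication = $webApp.Url; RotatedAt = Get-Date; Status = 'ok' }
    } catch {
        $rotationLog += [pscustomobject]@{ WebApplication = $webApp.Url; RotatedAt = Get-Date; Status = "failed: $($_.Exception.Message)" }
    }
}

$rotationLog | Format-Table -AutoSize

# Stop before the restart if any rotation failed, so a partially rotated farm is visible rather than silent.
if ($rotationLog | Where-Object Status -ne 'ok') {
    throw "One or more web applications failed key rotation; see the table above."
}

# The new keys only take effect once the worker processes reload. Run this on every SharePoint
# server in the farm, not just the one where the script was executed.
iisreset.exe
```

Save the rotation table with the incident record: if forensics later shows the old keys were exfiltrated, the RotatedAt timestamps bound the window in which those keys were still usable against the farm.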