A newly discovered and actively exploited vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, poses a serious risk to organizations using on-premises SharePoint servers. This vulnerability allows attackers to remotely execute code without authentication, potentially giving them full access to your SharePoint environment.
This issue affects only on-premises versions of SharePoint, including SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition. Microsoft SharePoint Online is not impacted.
The exploit, referred to as “ToolShell,” has been observed in real-world attacks targeting sectors such as government, education, and energy. Attackers are using this vulnerability to gain unauthorized access, deploy malicious tools, and exfiltrate sensitive data.
What You Should Do Immediately
- Install the July 2025 Security Updates released by Microsoft for all affected SharePoint versions.
- Enable the Antimalware Scan Interface (AMSI) for SharePoint and ensure Microsoft Defender Antivirus is active and up to date.
- Rotate your machine keys used in the SharePoint configuration to prevent reuse by attackers.
- Review your SharePoint logs for suspicious activity, especially unusual requests to /ToolPane.aspx?DisplayMode=Edit.
If your organization cannot apply the update immediately, consider isolating the affected servers from the internet and restricting access to trusted users only.
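To make the log-review step concrete, the following Python script is an added example (not code from Microsoft or from the original advisory) that scans an IIS W3C log for requests to /ToolPane.aspx whose query string sets DisplayMode=Edit, the pattern the advisory asks you to look for. The log lines are constructed for illustration; the field layout is the standard W3C Extended format written by IIS. Entries without a logged username are reported separately, since the vulnerability is exploitable without authentication and those hits deserve the first look.

```python
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C Extended log (not from a real server).
# The "#Fields:" header defines the column order that the parser uses.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.0.20 Mozilla/5.0 200
2025-07-20 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-20 03:14:11 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.21 Mozilla/5.0 200
2025-07-20 03:15:00 10.0.0.5 GET /_layouts/15/toolpane.aspx displaymode=edit 443 - 198.51.100.7 curl/8.0 200
2025-07-20 03:16:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Display 443 CONTOSO\\jdoe 10.0.0.20 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):    # skip malformed or truncated records
            continue
        yield dict(zip(fields, values))


def is_toolpane_edit(entry):
    """True when the request is for ToolPane.aspx with DisplayMode=Edit.

    Matching is case-insensitive because IIS preserves the client's casing
    and the page name can be requested in any case.
    """
    stem = entry.get("cs-uri-stem", "").lower()
    if not stem.endswith("/toolpane.aspx"):
        return False
    query = entry.get("cs-uri-query", "")
    if query == "-":                      # IIS logs "-" for an empty query string
        return False
    params = parse_qs(query.lower(), keep_blank_values=True)
    return "edit" in params.get("displaymode", [])


def find_toolpane_edit_requests(text):
    """Return the matching records, reduced to the fields an analyst needs."""
    hits = []
    for entry in parse_iis_w3c(text):
        if is_toolpane_edit(entry):
            hits.append({
                "timestamp": f'{entry["date"]} {entry["time"]}',
                "client_ip": entry["c-ip"],
                "user": entry["cs-username"],
                "method": entry["cs-method"],
                "status": entry["sc-status"],
                "user_agent": entry.get("cs(User-Agent)", "-"),
            })
    return hits


def unauthenticated_hits(hits):
    """Hits with no logged user: the unauthenticated case the advisory describes."""
    return [h for h in hits if h["user"] == "-"]


def summarize_by_client(hits):
    """Count matching requests per client IP to spot repeated probing."""
    counts = {}
    for h in hits:
        counts[h["client_ip"]] = counts.get(h["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_toolpane_edit_requests(SAMPLE_IIS_LOG)
    for h in found:
        print(h)
    print("unauthenticated:", len(unauthenticated_hits(found)))
    print("by client:", summarize_by_client(found))
```

Run it against the real log directory of each SharePoint web application by reading the files into the parser in place of the constructed sample. A request to this page by an authenticated administrator can be legitimate, so treat the matches as a starting point for review rather than proof of compromise, and give priority to entries with no logged user and to clients that appear repeatedly.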
Resources for Further Guidance
- Microsoft Security Blog: SharePoint Vulnerability Guidance
- Cybersecurity and Infrastructure Security Agency Alert
- Krebs on Security: SharePoint Zero-Day Analysis
Final Thoughts
This is a critical security issue that requires immediate attention. Delaying action could leave your organization vulnerable to data breaches and operational disruption. Stay proactive, stay protected.