Microsoft customers are urged to take immediate action against ongoing cyberattacks exploiting a critical zero-day vulnerability, CVE-2025-53770, in SharePoint Server. The vulnerability allows unauthenticated remote code execution due to improper deserialization of untrusted data. Attackers are leveraging this to install web shells and steal cryptographic keys, maintaining persistent access.
The vulnerability, with a CVSS score of 9.8, impacts on-premises SharePoint Server versions 2016, 2019, and Subscription Edition. Microsoft is preparing an update to resolve the issue. In the interim, enabling Antimalware Scan Interface (AMSI) integration and deploying Defender AV on SharePoint servers is advised. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert regarding the active exploitation of this vulnerability.
This exploit, dubbed 'ToolShell', is a variant of previously patched vulnerabilities. Attackers are exploiting how SharePoint deserializes untrusted objects, enabling command execution before authentication. Stolen machine keys are then used to forge trusted payloads for persistence and lateral movement, blending in with legitimate SharePoint activity.
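Because the article describes web shells that read the ASP.NET machine keys, one defender-side check is to sweep a SharePoint LAYOUTS-style directory for recently dropped ASPX/ASHX/ASMX files that reference machine-key material or spawn processes from request input. This is an added heuristic example, not code from Microsoft or from any vendor advisory; the indicator patterns and the `scan_layouts` / `classify_source` names are assumptions of this example.

```python
import os
import re
import sys
import time

# Heuristic indicators (constructed for this example) of an ASPX page that
# reads the ASP.NET machine key, matching the key-theft behaviour described above.
KEY_THEFT_PATTERNS = [
    r"MachineKeySection",   # config type holding validationKey / decryptionKey
    r"ValidationKey",
    r"DecryptionKey",
]
# Indicators of request-driven code execution (web shell behaviour).
EXEC_PATTERNS = [
    r"Process\.Start",      # spawning a process from page code
    r"Request\s*[\[\.]",    # attacker-controlled input read from the HTTP request
    r"\bEval\s*\(",
]

def classify_source(text: str) -> dict:
    """Report which indicator families appear in one page source."""
    return {
        "key_theft": any(re.search(p, text) for p in KEY_THEFT_PATTERNS),
        "exec": any(re.search(p, text) for p in EXEC_PATTERNS),
    }

def scan_layouts(root: str, newer_than_days: int = 30) -> list:
    """Walk a directory tree and flag page files that read machine-key material
    (always) or that show exec indicators and were modified recently (legitimate
    SharePoint pages touch Request too, so recency narrows that family).
    Returns a sorted list of (path, reason) tuples."""
    cutoff = time.time() - newer_than_days * 86400
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = classify_source(fh.read())
            reasons = []
            if hits["key_theft"]:
                reasons.append("key_theft")
            if hits["exec"] and os.path.getmtime(path) >= cutoff:
                reasons.append("exec")
            if reasons:
                findings.append((path, "+".join(reasons)))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in scan_layouts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

A hit in the key_theft family means the farm's machine keys should be treated as already exposed, since the article notes stolen keys let attackers forge trusted payloads.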