SharePoint Under Active Attack

21 July 2025

Microsoft customers are urged to take immediate action against ongoing cyberattacks exploiting a critical zero-day vulnerability, CVE-2025-53770, in SharePoint Server. The vulnerability allows unauthenticated remote code execution due to improper deserialization of untrusted data. Attackers are leveraging this to install web shells and steal cryptographic keys, maintaining persistent access.

The vulnerability, with a CVSS score of 9.8, impacts on-premises SharePoint Server versions 2016, 2019, and Subscription Edition. Microsoft is preparing an update to resolve the issue. In the interim, enabling Antimalware Scan Interface (AMSI) integration and deploying Defender AV on SharePoint servers is advised. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert regarding the active exploitation of this vulnerability.

This exploit, dubbed 'ToolShell', is a variant of previously patched vulnerabilities. Attackers are exploiting how SharePoint deserializes untrusted objects, enabling command execution before authentication. Stolen machine keys are then used to forge trusted payloads for persistence and lateral movement, blending in with legitimate SharePoint activity.

AI generated content may differ from the original.
