Microsoft customers are urged to take immediate action against ongoing cyberattacks exploiting a critical zero-day vulnerability, CVE-2025-53770, in SharePoint Server. The vulnerability allows unauthenticated remote code execution due to improper deserialization of untrusted data. Attackers are leveraging this to install web shells and steal cryptographic keys, maintaining persistent access.
The vulnerability, with a CVSS score of 9.8, impacts on-premises SharePoint Server versions 2016, 2019, and Subscription Edition. Microsoft is preparing an update to resolve the issue. In the interim, enabling Antimalware Scan Interface (AMSI) integration and deploying Defender AV on SharePoint servers is advised. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert regarding the active exploitation of this vulnerability.
This exploit, dubbed 'ToolShell', is a variant of previously patched vulnerabilities. Attackers are exploiting how SharePoint deserializes untrusted objects, enabling command execution before authentication. Stolen machine keys are then used to forge trusted payloads for persistence and lateral movement, blending in with legitimate SharePoint activity.
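One practical check that follows from the web-shell activity described above is a file-integrity baseline of the server-side page types under the SharePoint web root, so that any page dropped or altered after a known-good snapshot stands out. The script below is an added example, not code from the article or from Microsoft; the `TEMPLATE/LAYOUTS` folder name is only an assumed placeholder for wherever the web root lives on a real server, and every file and path it creates is constructed inside a temporary directory.

```python
"""Baseline-and-diff check for unexpected server-side pages under a web root.

Added example for this article; paths and file contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Server-side page types a web shell dropped into a SharePoint web root would use.
WATCHED_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def file_sha256(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file under root (as a relative POSIX path) to its hash."""
    baseline = {}
    for candidate in root.rglob("*"):
        if candidate.is_file() and candidate.suffix.lower() in WATCHED_SUFFIXES:
            baseline[candidate.relative_to(root).as_posix()] = file_sha256(candidate)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against a previously saved baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in current.keys() & baseline.keys() if current[name] != baseline[name]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: two known pages, then one page dropped and one altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Assumed placeholder for the real web root; only the folder name mirrors SharePoint.
        layouts = root / "TEMPLATE" / "LAYOUTS"
        layouts.mkdir(parents=True)
        (layouts / "default.aspx").write_text("<%@ Page %>\n")
        (layouts / "settings.aspx").write_text("<%@ Page %>\n")
        (layouts / "readme.txt").write_text("not a watched suffix, so ignored\n")
        baseline = build_baseline(root)

        # Simulated post-compromise changes (constructed names, not real indicators).
        (layouts / "dropped.aspx").write_text("<%@ Page %> constructed placeholder\n")
        (layouts / "settings.aspx").write_text("<%@ Page %> altered\n")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In production the baseline would be written to storage the web server cannot modify and the diff scheduled to run from a separate host; a non-empty `added` or `modified` list for pages nobody deployed is the signal to escalate, since a dropped page is the foothold the article describes.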