Microsoft has released emergency security updates to address two actively exploited zero-day vulnerabilities in its SharePoint Server software. The vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, affect on-premises versions of Microsoft SharePoint Server and have been exploited in attacks dubbed "ToolShell".
CVE-2025-53770 is a critical remote code execution vulnerability with a CVSS v3.1 base score of 9.8. It stems from the deserialization of untrusted data and allows an unauthenticated attacker to execute arbitrary code on a vulnerable SharePoint server. CVE-2025-53771 is a medium-severity server spoofing vulnerability with a CVSS v3.1 base score of 6.3, resulting from improper limitation of a pathname to a restricted directory (path traversal). It can be chained with CVE-2025-53770 to facilitate lateral movement and persistence.
The ToolShell attack chain gives attackers full access to SharePoint content, including file systems and configurations, and lets them execute arbitrary code over the network. Eye Security identified large-scale exploitation activity starting on July 18, 2025, with attackers planting web shells on compromised SharePoint servers to leak sensitive data and gain complete remote access. Victims include federal and state agencies, universities, and energy companies. It is estimated that over 54 organizations have been affected.
Microsoft has released emergency out-of-band security updates for Microsoft SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016 to address these vulnerabilities. The updates include more robust protections than those released in the July 2025 Patch Tuesday updates for CVE-2025-49704 and CVE-2025-49706, which are related vulnerabilities.
Specifically, the following updates are available:
Microsoft urges SharePoint administrators to install these security updates immediately. In addition to patching, administrators are advised to rotate the SharePoint machine keys. This can be done manually via PowerShell.
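The manual key rotation mentioned above, as an added example rather than a script from the article or from Microsoft: it uses the SharePoint Management Shell cmdlets Get-SPWebApplication, Set-SPMachineKey and Update-SPMachineKey, and assumes it is run as a farm administrator on one server of an already patched farm.

```powershell
# Added example (not from the original article): rotate the ASP.NET machine keys
# of every SharePoint web application after patching, then restart IIS so the
# old keys are no longer held in memory by any worker process.
# Assumes the Microsoft.SharePoint.PowerShell snap-in and farm-administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the farm build so it can be compared with the patched build number
# published in Microsoft's advisory (the number itself is not given here).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Include Central Administration: it has its own web application and machine key.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"

    # Generate new validationKey/decryptionKey values for this web application...
    Set-SPMachineKey -WebApplication $webApp

    # ...and write them to web.config on every server via the
    # "Machine Key Rotation" timer job.
    Update-SPMachineKey -WebApplication $webApp
}

# Recycle IIS so all application pools load the rotated keys.
iisreset.exe
```

Run the rotation on one server only; the timer job pushes the new keys to the rest of the farm, and IIS must be restarted on each front end afterwards.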
Due to the mass exploitation of this flaw, organizations should assume their SharePoint systems have been compromised if they were exposed to the Internet before the patch was applied. It is recommended to rotate cryptographic keys and initiate investigations to look for indicators of compromise.
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to apply mitigations immediately. CISA also strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.