Microsoft Issues Emergency Patches for Actively Exploited SharePoint Server Vulnerabilities
Microsoft has released emergency patches to fix two actively exploited zero-day vulnerabilities in Microsoft SharePoint Server. The two vulnerabilities are tracked as CVE-2025-53770 and CVE-2025-53771. CVE-2025-53770 is a critical remote code execution vulnerability due to the deserialization of untrusted data in on-premise versions of Microsoft SharePoint Server, and has a CVSS v3.1 base score of 9.8. CVE-2025-53771 is a medium-severity server spoofing vulnerability due to improper limitation of a pathname to a restricted directory and has a CVSS v3.1 base score of 6.3.
The attack chain exploiting the vulnerabilities has been dubbed ToolShell. It gives an attacker full access to SharePoint content, including file systems and configurations, and allows arbitrary code to be executed over the network. According to Microsoft, the vulnerabilities are related to CVE-2025-49704 and CVE-2025-49706, which were addressed in the July 2025 Patch Tuesday updates. “The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” explained Microsoft. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”
The vulnerabilities have been addressed in the following versions:
- Microsoft SharePoint Server 2019 Core KB5002754
- Microsoft SharePoint Server Subscription Edition KB5002768
- The patch for Microsoft SharePoint Enterprise Server 2016 is currently being tested.
Eye Security was the first to identify large-scale exploitation activity on July 18, 2025, which continued over the weekend as attackers attempted to exploit the vulnerabilities before patches were applied. Eye Security identified dozens of compromised SharePoint servers that had a shell planted which leaked sensitive data and enabled complete remote access. Victims include federal and state agencies, universities, and energy companies.
“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president, CrowdStrike. “It’s a significant vulnerability.” The Cybersecurity and Infrastructure Security Agency (CISA) has advised all organizations with on-premise SharePoint servers to implement mitigations immediately or temporarily disconnect the servers from the public Internet.
Due to mass exploitation of the flaw, all organizations should assume that their SharePoint systems have been compromised if they were exposed to the Internet before the patch was applied. In addition to patching, cryptographic keys should be rotated, and investigations should be initiated to look for indicators of compromise. CVE-2025-53770 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and federal civilian agencies are required to apply mitigations immediately. Recommended mitigations and Indicators of Compromise (IoCs) are provided in the CISA alert.
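As an added example (not code from this article, Microsoft, or CISA), the following PowerShell, run in the SharePoint Management Shell on a farm server, first checks whether one of the KB updates listed above is recorded as installed and then rotates the ASP.NET machine keys for every web application. The KB numbers are the ones in this article; the registry location of the patch record and the use of the Set-SPMachineKey/Update-SPMachineKey cmdlets are assumptions based on Microsoft's ToolShell recovery guidance, not something the article states.

```powershell
# Added example: confirm the ToolShell patch is present, then rotate SharePoint machine keys.
# Assumes the SharePoint Management Shell on a farm server and a farm administrator account.
# Run on one server; Update-SPMachineKey propagates the new keys to the rest of the farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# KB numbers from the article: SharePoint Server 2019 Core and Subscription Edition.
$patchKbs = @('KB5002754', 'KB5002768')

# Assumption: the SharePoint update installer records itself under the Uninstall key with the
# KB number in DisplayName (Get-HotFix only lists Windows component updates, not Office-style MSPs).
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKey -ErrorAction SilentlyContinue |
    Where-Object { $name = $_.DisplayName; $patchKbs | Where-Object { $name -like "*$_*" } }

if (-not $installed) {
    Write-Warning "None of $($patchKbs -join ', ') found. Patch first; keys rotated on an unpatched server can be read again."
    return
}
Write-Host "Patch record found: $($installed.DisplayName -join '; ')"

# Rotate the ASP.NET machine keys for every web application. An attacker who obtained the old
# keys could keep producing requests the server trusts, so rotation is part of recovery.
foreach ($wa in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Set-SPMachineKey    -WebApplication $wa   # generate a new validation/decryption key pair
    Update-SPMachineKey -WebApplication $wa   # deploy the new keys to all servers in the farm
}

# The new keys take effect only after IIS reloads web.config on each server.
iisreset /noforce
```

Run the final `iisreset` on every server in the farm, and keep the investigation for indicators of compromise separate from this step, since rotating keys does not remove anything an attacker already planted.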