A critical vulnerability in Microsoft SharePoint is under active attack, putting thousands of on-premise servers at risk. The flaw, tracked as CVE-2025-53770 and dubbed “ToolShell,” allows unauthenticated remote code execution and requires no user interaction.
Microsoft confirmed the zero-day on 19 July. A day later, CISA followed suit, adding the bug to its Known Exploited Vulnerabilities catalog.
SharePoint Online (used in Microsoft 365) is not affected. But all supported on-premise versions from SharePoint 2013 onward are in the blast radius. There is no patch yet.
The attack is simple and effective. Threat actors send malicious serialized data to the server, exploiting a deserialization flaw. If successful, the payload grants full control; no login, no warning.
Microsoft assigned the flaw a CVSS score of 9.8. High severity. Low complexity. No privileges needed. The vulnerability impacts all three pillars: confidentiality, integrity, and availability.
Who’s Behind It?
While attribution remains unconfirmed, early telemetry points to known state-aligned threat groups, including Silk Typhoon and Storm-0506. Ontinue threat intelligence flagged several indicators of compromise, including web shells and PowerShell-based malware—one variant detected as ‘SuspSignoutReq’.
Affected systems have also been found leaking cryptographic machine keys, which attackers can use to impersonate users and persist even after cleanup. Microsoft urges administrators to rotate ASP.NET machine keys if a compromise is suspected.
A Case Study in Trust Gone Wrong
Rik Ferguson, VP of Security Intelligence at Forescout, sees this as more than just another SharePoint flaw.
“It is a case study in what happens when legacy trust models meet modern threat actors. An authenticated user should never be treated as a guaranteed safe entity, but this vulnerability effectively grants code execution without requiring elevated privileges. For CISOs, this highlights a critical point. If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess.”
Ferguson’s warning is blunt: Zero Trust isn’t optional. “Security must begin from the premise that every user and every device is untrusted until verified continuously. You need segmentation that limits lateral movement and monitoring that can flag even subtle deviations from expected behavior. Because attackers are not just getting in. They are already inside. The question is how far they can go once they are there.”
Business Impact
The implications are severe. Malefactors can access file systems, extract credentials, implant persistence mechanisms, and move laterally across networks.
Martin Riley, CTO at Bridewell, emphasized the urgency. “The absence of a patch means businesses must act now to reduce their attack surface. Disabling or limiting external access to SharePoint is the most effective option. For those unable to do so, deploying advanced anti-malware, enabling Microsoft Defender AV with AMSI, and increasing monitoring for lateral movement are critical.”
Riley says this vulnerability is not just about data theft. “It can enable attackers to harvest credentials, steal cryptographic keys, and impersonate users even after the patch is applied unless keys are rotated.”
Leaders must prioritise mitigations immediately, even if this impacts productivity, Riley says.
What to Do Now
Microsoft and CISA have issued overlapping guidance. If you run SharePoint on-premise, take the following steps:
Mitigate
Enable AMSI and Microsoft Defender Antivirus on all SharePoint servers.
If it cannot be enabled, disconnect any affected servers from the internet.
Segment internet-facing servers and restrict lateral movement.
Detect
Monitor for suspicious IIS worker processes.
Watch for Defender AV alerts: Exploit:Script/SuspSignoutReq.A and Trojan:Win32/HijackSharePointServer.A.
Look for file drops in Web Server Extensions\<version>\TEMPLATE\LAYOUTS\ matching spinstall0.aspx.
Hunt
Use KQL queries to track potential exploitation.
Scan for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
Investigate traffic to or from known malicious IPs such as 96.9.125[.]147.
Prepare
Patch readiness is crucial. Microsoft is testing an out-of-band update. Be ready to deploy it the moment it drops.
Investigate
Check for evidence of credential harvesting or system tampering.
Rotate any exposed machine keys immediately to prevent replay attacks.
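The Detect and Hunt steps above can be turned into a small triage script. The following is an added example, not code from Microsoft, CISA or the article: it parses IIS W3C logs, flags POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and any traffic involving the IP named above, and filters a file listing for spinstall0.aspx under TEMPLATE\LAYOUTS. The log lines and the field layout are constructed for the example.

```python
"""Hunt for the ToolShell (CVE-2025-53770) indicators listed in the article in IIS W3C logs."""
import re

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"           # compared case-insensitively
KNOWN_BAD_IPS = {"96.9.125.147"}                         # IoC from the article (defanged there)
DROPPED_FILE = re.compile(r"\\TEMPLATE\\LAYOUTS\\spinstall0\.aspx$", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated rows instead of misaligning columns
        yield dict(zip(fields, values))

def hunt(lines):
    """Return (reason, record) pairs for requests matching the article's indicators."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if rec.get("cs-method") == "POST" and uri == TOOLPANE_PATH and "displaymode=edit" in query:
            hits.append(("toolpane_post", rec))
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            hits.append(("known_bad_ip", rec))
    return hits

def suspicious_layout_files(paths):
    """Filter a directory listing for the web shell file name named in the article."""
    return [p for p in paths if DROPPED_FILE.search(p)]

# Constructed sample log: one benign request, one ToolPane POST, one request from the listed IP.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.1.20 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/start.aspx - 96.9.125.147 200
""".splitlines()

if __name__ == "__main__":
    for reason, rec in hunt(SAMPLE_LOG):
        print(reason, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["cs-uri-query"])
```

Point `hunt()` at a real u_ex*.log file (one line per list element) and review every hit alongside the IIS worker process activity and Defender alerts listed above.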
The Bigger Picture
This is far from the first SharePoint vulnerability exploited in the wild, and likely won’t be the last.
CVE-2025-53770 is related to a previously disclosed flaw, CVE-2025-49706. But ToolShell takes things further by bypassing authentication and operating silently.
CISA notes that organizations must “audit and minimize layout and admin privileges,” and ensure comprehensive logging is in place.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.