Microsoft has released an out-of-band security update to address ToolShell, a critical SharePoint vulnerability that’s already being exploited in the wild.
The flaw, tracked as CVE-2025-53770, enables unauthenticated remote code execution; no login, prompts, or user interaction are required.
The Washington Post reported the breach impacted US federal and state agencies, universities, energy firms, and an Asian telecom company, citing sources from state officials and private researchers.
Until now, there was no fix. Only mitigations. But that changed overnight.
“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,” the company said in a security advisory update.
“Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.”
Only on-premise deployments are impacted. SharePoint Online, the cloud-based service bundled into Microsoft 365, is unaffected.
Too Little, Too Late?
The urgency follows days of escalating concern among threat researchers, who watched attackers exploit the flaw with ease. It’s now clear the original 8 July patch didn’t fully cover the attack surface.
Jonathan Dilley, Director of Cyberthreat Intelligence at Xcape, didn’t mince words.
“It looks like Microsoft shipped an incomplete patch on July 8th. Threat actors have been and are successfully exploiting this, and folks who host their own SharePoint servers exposed to the internet should be checking to see whether they were compromised.”
The implication is serious: systems believed to be patched may have remained exposed for nearly two weeks, giving attackers ample time to install web shells, harvest credentials, or exfiltrate data unnoticed.
Patch Now or Pay Later
Dilley urged swift action, especially for teams running SharePoint Server 2016, where a full patch is still pending.
“Teams should work quickly to apply the most recent patches, which have already been released for SharePoint SE and 2019. We are still waiting on Microsoft to release a patch for SharePoint 2016, so SharePoint 2016 admins will want to follow the mitigation steps in their blog post.”
Microsoft reiterated that its SharePoint security updates are cumulative. If you’re installing the latest update, there’s no need to stack older ones, but note: both updates for SharePoint 2016 and 2019 must be applied.
Review Exposure
James McQuiggan, Security Awareness Advocate at KnowBe4, says CISOs need to review their exposure and the various mitigation steps they can take.
“As this is an unpatched vulnerability with confirmed attacks in progress, the real-world exploitation has already started, which raises the urgency,” he adds. “Organizations need to take immediate mitigation steps to reduce the risk of a data breach by cybercriminals and attackers.”
McQuiggan says that although this vulnerability only impacts SharePoint systems “on-prem”, the risk is significantly higher if an entity’s SharePoint is exposed to the internet. “There’s still a risk if it’s inside the network, as it might have a slower impact, and if attackers are already inside the network, they can target SharePoint to gain access to data and other sensitive information.”
Where Things Stand
The flaw (dubbed ToolShell) first came to light last week. Attackers were sending malicious serialized payloads to vulnerable servers. If successful, those payloads granted remote code execution, full control of the server, and the ability to pivot laterally across networks.
Security vendors flagged signs of compromise ranging from PowerShell malware and web shells to the theft of ASP.NET machine keys, which can be replayed later to impersonate users, even post-remediation.
According to Microsoft, attackers were exploiting not one but two vulnerabilities: CVE-2025-53770 and CVE-2025-53771. Both are now addressed in the updated security packages.
Reminder: This Is Not Over
Security teams must remain alert. Patching is necessary, but not sufficient. If you host on-premise SharePoint, and especially if your environment was internet-facing, you should assume compromise and investigate accordingly.
Start by:
- Checking for suspicious IIS processes
- Scanning for web shells in LAYOUTS\ directories
- Hunting for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Rotating ASP.NET machine keys as a precaution
- Reviewing Defender AV alerts such as Exploit:Script/SuspSignoutReq.A and Trojan:Win32/HijackSharePointServer.A
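The third item on that list, hunting IIS logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, is the one most teams can start on immediately from existing log data. The script below is an added example, not code from Microsoft or from this article: it parses IIS W3C extended-format logs (where IIS writes the path and the query string as separate cs-uri-stem and cs-uri-query columns, so a naive substring search for the full URL misses every hit) and flags matching POSTs case-insensitively, including requests under a site-collection prefix such as /sites/foo/_layouts/15/ToolPane.aspx. The embedded log lines, client addresses and account names are constructed for the demonstration.

```python
"""Hunt IIS W3C logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.

Added example for this article; not Microsoft's tooling. Assumes the default IIS 10
W3C field set, but reads the #Fields: directive so any field order works.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List
from urllib.parse import parse_qs, unquote

# Lower-cased path suffix we are hunting for (page indicator from the article).
TARGET_STEM = "/_layouts/15/toolpane.aspx"

# Constructed sample log (not real data). Mixes a benign GET, a benign POST with
# DisplayMode=Display, and two POSTs that match the indicator from 203.0.113.7.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 140
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 310
2025-07-19 03:13:05 10.0.0.5 POST /sites/hr/_layouts/15/toolpane.aspx displaymode=edit 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 95
2025-07-19 03:14:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.33 Mozilla/5.0 - 200 0 0 120
2025-07-19 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Display 443 CONTOSO\\bob 10.0.0.33 Mozilla/5.0 - 200 0 0 88
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    username: str
    uri_stem: str
    uri_query: str
    status: str
    user_agent: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS may emit a new directive on log rotation
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError("request line seen before any #Fields: directive")
        values = line.split()              # IIS writes '+' for spaces inside a field
        if len(values) != len(fields):
            continue                       # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_toolpane_edit_post(rec: Dict[str, str]) -> bool:
    """True for a POST whose path ends in ToolPane.aspx and whose query has DisplayMode=Edit."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    if not stem.endswith(TARGET_STEM):
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":                       # IIS writes '-' when there is no query string
        return False
    params = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(query).items()}
    return "edit" in params.get("displaymode", [])


def find_toolpane_posts(lines: Iterable[str]) -> List[Hit]:
    """Return every matching request, preserving log order."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        if is_toolpane_edit_post(rec):
            hits.append(Hit(
                time=f"{rec['date']} {rec['time']}",
                client_ip=rec.get("c-ip", "-"),
                username=rec.get("cs-username", "-"),
                uri_stem=rec.get("cs-uri-stem", "-"),
                uri_query=rec.get("cs-uri-query", "-"),
                status=rec.get("sc-status", "-"),
                user_agent=rec.get("cs(User-Agent)", "-"),
            ))
    return hits


def suspicious_clients(hits: List[Hit]) -> List[str]:
    """Distinct source addresses behind the hits, sorted, for scoping further investigation."""
    return sorted({h.client_ip for h in hits})


if __name__ == "__main__":
    found = find_toolpane_posts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.client_ip} {h.username} {h.uri_stem}?{h.uri_query} {h.status} {h.user_agent}")
    print("clients to scope:", suspicious_clients(found))
```

Point it at the real files by replacing `SAMPLE_LOG.splitlines()` with the lines of each `u_ex*.log` under the SharePoint web application's IIS log folder, and run it across every front-end server, since a load balancer spreads requests. A 200 response to one of these POSTs is a reason to treat the host as compromised and move to the remaining steps on the list (web-shell scan of the LAYOUTS directories, machine-key rotation, Defender alert review), not a finding to close on its own.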
Zero Trust, Again
This is not just another SharePoint bug. It’s another reminder of why perimeter trust models no longer work. Rik Ferguson, VP of Security Intelligence at Forescout, said it best earlier this week:
“Security must begin from the premise that every user and every device is untrusted until verified continuously. Because attackers are not just getting in. They are already inside. The question is how far they can go once they are there.”
Microsoft’s patch is welcome news, but only the first step in what may be a long cleanup effort for compromised environments.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.