Microsoft deployed an emergency patch to address a critical zero-day bug in its SharePoint Server that puts an organization’s information at risk. Known as CVE-2025-53770, the vulnerability has been actively exploited by hackers against at least 75 entities, including government agencies, private networks, and critical infrastructure operators.
Security researchers said the attackers leveraged the vulnerability to compromise SharePoint environments, deploy malicious web shells, and steal encryption keys that could give them long-term access to compromised systems and a foothold for broader targeting of other systems. Named “ToolShell,” the campaign highlights the serious threats facing on-premises deployments of collaboration software.
What is a zero-day exploit?
A ‘zero-day’ attack happens when an adversary exploits a vulnerability as soon as it becomes known, before the software producer has had time (‘zero days’) to release a patch that fixes it. Such vulnerabilities are particularly problematic because they leave systems exposed with no protection yet available.
In this instance, the attackers exploited the SharePoint vulnerability to bypass authentication mechanisms, run remote commands, and drop web shells, small snippets of code that let them take control of the server. Security researchers have determined that the exploit is connected to a bypass of previously patched bugs (CVE-2025-49704 and CVE-2025-49706), or that the attackers found a way to abuse deserialization in SharePoint to get around the earlier defenses.
Microsoft’s Statement About the Breach
Microsoft officially admitted the vulnerability was being exploited in a statement it released on July 19. The company has conceded that some of the patches it issued previously did not entirely fix the problem, which prompted the company to issue a fresh security update that targets the bypasses.
“Microsoft is aware of targeted attacks in the wild and advises on-premises SharePoint customers to apply the fix for CVE-2019-0604. The attacks are using a CVE-2025-49706 variant. This issue has been assigned CVE-2025-53770. SharePoint Online for Microsoft 365 is unaffected,” the company stated.
“We encourage all customers to apply the latest updates as soon as possible.”
The company also said that its cloud-based version, SharePoint Online, as included in Microsoft 365, is not affected by this vulnerability. This new attack is limited to SharePoint Server 2016, 2019, and Subscription Edition when deployed on-premises.
Microsoft Recommended Guidelines for Users
To assist organizations in responding, Microsoft has released a package of security recommendations alongside this emergency patch. These include:
- Install the July 2025 Cumulative update for SharePoint Server as soon as possible.
- Rotate the ASP.NET machine keys used by SharePoint so that any keys already stolen are invalidated.
- After deploying the patch, restart the IIS services.
- Turn on full AMSI (Antimalware Scan Interface) protection with Microsoft Defender Antivirus.
- Use Endpoint Detection and Response (EDR) tools to track out-of-the-ordinary activities.
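The first three steps of that list, as an added example that is not Microsoft's or this article's own code: a script for the SharePoint Management Shell that checks the farm build, rotates the machine keys, and restarts IIS. It assumes a farm administrator session, that the Update-SPMachineKey cmdlet is available in your SharePoint version, and that the placeholder build number is replaced with the one from the July 2025 cumulative update's KB article.

```powershell
# Added example, not Microsoft's guidance text: run from the SharePoint Management Shell
# as a farm administrator on an on-premises farm.

# 1. Confirm the farm build is at or above the July 2025 cumulative update.
#    PLACEHOLDER: replace with the build number from the July 2025 CU's KB article.
$patchedBuild = [Version]'16.0.0.0'
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $patchedBuild) {
    Write-Warning "Farm build $farmBuild is below $patchedBuild; install the July 2025 CU first."
    return
}

# 2. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration, so keys copied from a compromised server can no longer be used
#    to forge ViewState or authentication tokens.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the worker processes pick up the new keys.
#    Repeat this on every server in the farm.
iisreset
```

The AMSI and EDR steps are configured separately (AMSI integration through Central Administration, EDR through your endpoint product) and are not covered by the script.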
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) labeled the exploitation high risk and put the bug on its Known Exploited Vulnerabilities list.
The incident underscores the need to patch promptly and stay vigilant about patching status, particularly on legacy on-premises systems, experts say.