Update, July 21, 2025: This story, originally published on July 20, has been updated to include additional expert comments regarding the global zero-day attack impacting Microsoft on-premise SharePoint Server users, as well as the latest information and advice from Microsoft itself, along with a warning from CISA.
Microsoft users are, once again, under attack. This time, the threat is not restricted to Outlook users, or involves a Windows browser-based security bypass, and unlike the recent Windows authentication relay attack vulnerability, there is no patch, no magic update, to remedy this one. Which is bad news for Microsoft SharePoint Server users, as CVE-2025-53770 is currently under confirmed “mass attack” and on-premises servers across the world are being compromised. Here’s what you need to know and do.
Microsoft Confirms CVE-2025-53770 SharePoint Server Attacks
It’s been quite the few weeks for security warnings, what with Amazon informing 220 million customers of Prime account attacks, and claims of a mass hack of Ring doorbells going viral. The first of those can be mitigated by basic security hygiene, and the latter appears to be a false alarm. The same cannot be said for CVE-2025-53770, a newly uncovered and confirmed attack against users of SharePoint Server which is currently undergoing mass exploitation on a global level, according to the Eye Security experts who discovered it. Microsoft, meanwhile, has admitted that not only is it “aware of active attacks” but, worryingly, “a patch is currently not available for this vulnerability.”
CVE-2025-53770, which is also being called ToolShell, is a critical vulnerability in on-premises SharePoint. The end result of which is the ability for attackers to gain access and control of said servers without authentication. If that sounds bad, it’s because it is. Very bad indeed.
“The risk is not theoretical,” the researchers warned, “attackers can execute code remotely, bypassing identity protections such as MFA or SSO.” Once they have, they can then “access all SharePoint content, system files, and configurations and move laterally across the Windows Domain.”
And then there’s the theft of cryptographic keys. That can enable an attacker to “impersonate users or services,” according to the report, “even after the server is patched.” So, even when a patch is eventually released, and I would expect an emergency update to arrive fairly quickly for this one, the problem isn’t solved. You will, it was explained, “need to rotate the secrets allowing all future tokens that can be created by the malicious actor to become invalid.”
And, of course, as SharePoint will often connect to other core services, including the likes of Outlook and Teams, oh and not forgetting OneDrive, the threat, if exploited, can and will lead to “data theft, password harvesting, and lateral movement across the network,” the researchers warned.
CISA Adds Microsoft SharePoint Vulnerability To KEV Catalog
The Cybersecurity and Infrastructure Security Agency has already added CVE-2025-53770 to the Town Exploited Vulnerabilities Catalog, and action that, in accordance with Binding Operational Directive 22-01, mandates U.S. Federal Civilian Executive Branch agencies to remediate the threat within 21 days. “Although BOD 22-01 only applies to FCEB agencies,” CISA said, “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.” Given that no patch is yet available, that could mean taking drastic action and pulling the internet plug to remove connectivity from SharePoint servers.
Security Experts Warn Government, Schools And Hospitals At Immediate Risk From Microsoft SharePoint Exploit
“While cloud environments remain unaffected,” Michael Sikorski, head of threat intelligence for Unit 42 at Palo Alto Networks, said, “on-prem SharePoint deployments, particularly within government, schools, healthcare including hospitals, and large enterprise companies, are at immediate risk.” The attackers are, Sikorski confirmed, exfiltrating data, deploying backdoors, and stealing cryptographic keys. “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point.”
“CVE-2025-53770 is more than just another SharePoint flaw,” Rik Ferguson, vice president of security intelligence at Forescout, warned, “it’s a case study in what happens when legacy trust models meet modern threat actors.” Explaining that authenticated users should never be considered safe entities by default, Ferguson said that CVE-2025-53770, in effect, provides code execution ability without requiring any elevated privileges whatsoever. “For CISOs,” Ferguson concluded, “this highlights a critical point: If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess.”
Mitigating The Microsoft SharePoint Server Attacks
While the Microsoft Security Response Center has stated that it is “actively working to release a security update,” and will “provide additional details as they are available,” there is no patch at the time of writing. In the meantime, it advised that customers should apply the following mitigations:”
Configure Antimalware Scan Interface integration in SharePoint and deploy Defender AV on all SharePoint servers. “If you cannot enable AMSI,” Microsoft said, “we recommend you consider disconnecting your server from the internet until a security update is available.”
I have approached Microsoft for a statement and will update this story with any further developments. In the meantime, Microsoft has confirmed that the issue only applies to on-premises Microsoft SharePoint Servers only, with SharePoint Online in Microsoft 365 not impacted.
