
"A severe and ongoing attack is targeting the Microsoft SharePoint 'ToolShell' vulnerability on a global scale"

Unpatched SharePoint versions continue to be vulnerable as two zero-day exploits are actively being used in attacks, with Microsoft recently issuing emergency patches.


A chain of zero-day vulnerabilities known as ToolShell is being exploited in attacks against US federal and state agencies, universities, energy companies, and an Asian telecommunications company. The vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, were first detected by Eye Security on July 18, 2025, and are discussed in a Microsoft Defender Vulnerability Management blog post.

Cyber security company Check Point dates the first signs of exploitation to July 7, 2025. The new vulnerabilities can still be exploited on servers where CVE-2025-49704 and CVE-2025-49706, which Microsoft fixed in its July 8, 2025 updates, have already been addressed.

In response, Microsoft has pushed emergency updates to address the zero-day vulnerabilities. However, these emergency patches cover only some SharePoint versions; no patch had been released for Microsoft SharePoint Enterprise Server 2016 at the time of publication.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, has stated that there is an urgent and active threat due to a critical zero-day in SharePoint on-prem being exploited in the wild, putting thousands of global organizations at risk.

To reduce the risk from the active ToolShell zero-day attack on Microsoft SharePoint servers, organizations should immediately apply the latest security patches released by Microsoft for the affected on-premises SharePoint versions (including SharePoint 2016, 2019, and Subscription Edition). Additional recommended steps include isolating public-facing SharePoint servers, hardening SharePoint configurations, rotating ASP.NET machine keys, enabling and centralizing comprehensive logging and monitoring, conducting regular access reviews, and implementing proactive threat hunting.

These steps collectively mitigate the risk of remote code execution, persistent compromise, and data theft associated with these vulnerabilities, which are currently under active exploitation by known nation-state actors. Immediate patching and hardening are critical, especially for SharePoint servers exposed to the internet.

Check Point recommends additional measures: enabling the Anti-Malware Scan Interface, rotating SharePoint Server ASP.NET machine keys, deploying Harmony Endpoint, limiting access to the SharePoint Server from the Internet, updating the Quantum Gateway IPS Package to 635254838, and setting the protection to Prevent so that traffic to SharePoint servers is inspected.
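Two of the steps above, confirming the farm is on a patched build and rotating the ASP.NET machine keys, can be scripted from the SharePoint Management Shell. The following is an added example, not code from the article, Check Point or Microsoft; it assumes the `Update-SPMachineKey` cmdlet is available on your SharePoint version and uses a placeholder build number that you must replace with the fixed build from Microsoft's advisory for your edition.

```powershell
# Added example: post-patch hardening pass on an on-premises SharePoint farm.
# Run in an elevated SharePoint Management Shell on one server of the farm.
# Assumptions: Update-SPMachineKey exists on this SharePoint version;
# $MinimumFixedBuild is a PLACEHOLDER for the patched build number from Microsoft's advisory.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$MinimumFixedBuild = [Version]'0.0.0.0'   # PLACEHOLDER: replace with the fixed build for your edition

# 1. Refuse to continue if the farm is still on an unpatched build:
#    rotating keys on a vulnerable server gives no lasting protection.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumFixedBuild) {
    Write-Warning "Farm build $farmBuild is below the fixed build $MinimumFixedBuild; apply the Microsoft update first."
    return
}
Write-Host "Farm build $farmBuild is at or above the fixed build; proceeding with key rotation."

# 2. Rotate the ASP.NET machine keys of every web application, including Central Administration,
#    so that any keys exposed before the patch was applied are no longer valid.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on this server so the new keys take effect.
#    Repeat the restart on every other server in the farm.
iisreset.exe
```

Record the build number and the rotation time in your change log so the access reviews and threat hunting the article recommends can be scoped to the window before the keys were rotated.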

Organizations must stay vigilant and act immediately to protect their SharePoint servers from the ToolShell attacks. A zero-day attack targets a previously unknown vulnerability, so there is no existing fix to fall back on and swift mitigation is essential.

  1. ToolShell, a set of zero-day vulnerabilities, is being exploited across US federal and state agencies, universities, energy companies, an Asian telecom, and more.
  2. These vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, were initially detected by Eye Security on July 18, 2025, and discussed in a Microsoft Defender Vulnerability Management blog post.
  3. Microsoft responded to this critical situation by pushing emergency updates to address these zero-day vulnerabilities, but the patch for Microsoft SharePoint Enterprise Server 2016 has yet to be released.
  4. Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, emphasized the urgent and active threat posed by a critical zero-day in SharePoint on-prem, placing thousands of global organizations at risk.
  5. To lessen the risk from the active ToolShell zero-day attack on Microsoft SharePoint servers, organizations should promptly apply the latest security patches from Microsoft and consider steps like isolating public-facing servers, hardening configurations, logging and monitoring, and access reviews.
  6. Aside from patching and hardening, Check Point advises additional measures such as enabling the Anti-Malware Scan Interface, updating the Quantum Gateway IPS Package to 635254838, limiting access to SharePoint servers from the internet, and deploying Harmony Endpoint. In the face of the ongoing ToolShell attacks, organizations must act with urgency and vigilance to protect their SharePoint servers from these zero-day vulnerabilities.
