On-premises Microsoft SharePoint Server deployments are under active attack, according to recent alerts from Microsoft and CISA.
More than 1,100 vulnerable servers have been detected, including some belonging to K-12 school districts and universities. The Multi-State Information Sharing and Analysis Center has notified over 150 actively targeted state and local government agencies.
ToolShell is the name given to an exploit chain against on-premises SharePoint Server, first demonstrated at Pwn2Own Berlin in May 2025 as CVE-2025-49706 (authentication bypass) chained with CVE-2025-49704 (remote code execution). Microsoft fixed both in its July 2025 Patch Tuesday release, but attackers then began exploiting variants that get around those fixes. The variant now tracked as CVE-2025-53770 is a deserialization-of-untrusted-data flaw (a variant of CVE-2025-49704) that gives unauthenticated remote code execution; CVE-2025-53771 (a variant of CVE-2025-49706) bypasses authentication by spoofing the Referer header. Active exploitation of these variants has been observed since mid-July 2025.
Confirmed attacks using ToolShell have targeted on-premises Microsoft SharePoint servers. Eye Security reported more than 400 compromised organizations by late July 2025, and a separate survey of cloud environments found roughly 13% running self-hosted SharePoint components vulnerable to the flaw, with 6% exposing them directly to the internet.
Affected versions are SharePoint Server 2016, 2019, and Subscription Edition; SharePoint Online in Microsoft 365 is not affected. The chain begins with a crafted POST to the ToolPane.aspx page under /_layouts/ carrying a Referer header that points at the sign-out page, which gets the request past authentication (CVE-2025-53771). The request body then carries a serialized .NET object that the server deserializes (CVE-2025-53770), giving code execution in the SharePoint web process. In observed attacks the payload drops a web shell and reads the server's ASP.NET machine keys (ValidationKey and DecryptionKey); with those keys an attacker can forge valid __VIEWSTATE payloads and keep executing code even after the server is patched.
Microsoft responded with emergency out-of-band patches for the new bypass variants between July 20 and 22, 2025, first for Subscription Edition and SharePoint Server 2019 and then for SharePoint Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, 2025, directing federal agencies to apply mitigations promptly and urging other organizations to do the same.
Recommended mitigations include applying Microsoft's July 2025 emergency security updates for SharePoint Server Subscription Edition, 2019, and 2016 immediately; restricting internet exposure of on-premises SharePoint servers; monitoring IIS logs and network traffic for ToolShell indicators; reviewing and hardening SharePoint configurations; and adding network-level protections. Patching alone does not evict an attacker who has already harvested the machine keys, because stolen keys still let them forge __VIEWSTATE payloads against the patched server. Microsoft's guidance is therefore to rotate the ASP.NET machine keys and restart IIS after installing the update, to enable SharePoint's AMSI integration with an antivirus engine such as Microsoft Defender Antivirus, and to treat any server that was exposed before patching as potentially compromised until it has been examined.
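The request pattern described above (a POST to ToolPane.aspx in edit mode whose Referer points at the sign-out page, followed by requests to a dropped web shell) is visible in ordinary IIS W3C logs, so the monitoring recommendation can be made concrete. The following is an added example, not code from the article, Microsoft, or any vendor named above. It assumes IIS W3C extended logging with the cs-username, cs-uri-query and cs(Referer) fields enabled and reads the field layout from the log's own "#Fields:" header; the sample log lines are constructed, and the SignOut.aspx Referer and spinstall0.aspx web shell name are the indicators publicly reported for this campaign. Legitimate page editors also POST to ToolPane.aspx, so the page by itself is not treated as an indicator, only its combination with an anonymous user or a spoofed Referer.

```python
"""Flag ToolShell-style requests in IIS W3C logs.

Added detection example; not code from the article or from any vendor.
Assumes IIS W3C extended logging with cs-username, cs-uri-query and
cs(Referer) enabled, and takes the field layout from the #Fields header.
"""
import re

# Legitimate editors also POST to ToolPane.aspx, so the page alone is not an
# indicator; the combination with an anonymous user or a spoofed Referer is.
TOOLPANE = re.compile(r"/_layouts/(?:15/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:15/)?signout\.aspx", re.IGNORECASE)
# Web shell file name publicly reported in this campaign (spinstall0.aspx and
# numbered variants). Match the pattern, since the name is easily changed.
WEBSHELL = re.compile(r"/_layouts/15/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header.

    IIS encodes spaces inside a field as '+', so a plain split on ' ' is safe.
    Lines whose field count does not match the header are skipped.
    """
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(rec):
    """Return the list of reasons a single request looks like ToolShell activity."""
    reasons = []
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-").lower()
    referer = rec.get("cs(Referer)", "-")
    anonymous = rec.get("cs-username", "-") == "-"

    if rec.get("cs-method") == "POST" and TOOLPANE.search(stem) and "displaymode=edit" in query:
        if SIGNOUT_REFERER.search(referer):
            reasons.append("POST to ToolPane.aspx in edit mode with Referer set to SignOut.aspx")
        elif anonymous:
            reasons.append("anonymous POST to ToolPane.aspx in edit mode")
    if WEBSHELL.search(stem):
        reasons.append("request to a web shell path reported in the ToolShell campaign")
    return reasons


def scan(lines):
    """Return (client_ip, uri_stem, reasons) for every flagged request."""
    hits = []
    for rec in parse_w3c(lines):
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("c-ip", "-"), rec.get("cs-uri-stem", ""), reasons))
    return hits


# Constructed sample log (not real traffic). Lines 2 and 3 model the chain:
# auth bypass plus payload, then a GET to the dropped web shell. Line 4 is a
# legitimate, authenticated editor using ToolPane and must not be flagged.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.local/sites/hr 200 0 0 45
2025-07-19 10:02:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.41 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 310
2025-07-19 10:02:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.41 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2025-07-19 10:03:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.30 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.local/sites/hr/_layouts/15/ToolPane.aspx 200 0 0 80
"""

if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {stem}: {'; '.join(reasons)}")
```

Running the block flags only the two requests from 203.0.113.41 and leaves the authenticated editor alone. Note what this does not catch: once an attacker holds the machine keys, later requests carry a forged __VIEWSTATE to ordinary pages and look like normal traffic, so log matching of this kind only covers the initial intrusion and has to be paired with key rotation, not used as a substitute for it.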
Researchers at watchTowr suggest that exploitation may have begun as early as July 16. Shadowserver is tracking roughly 9,300 exposed IP addresses and is working with watchTowr and Eye Security to notify affected organizations. Charles Carmakal, CTO of Google Cloud's Mandiant, warned that additional attackers with a diverse set of motives would likely engage in similar activity.
The attacks have compromised at least two U.S. federal agencies, as well as multiple European government agencies and a U.S. energy company, according to The Washington Post. Google's Threat Intelligence Group has observed attackers installing web shells on targeted servers and stealing their ASP.NET machine keys.
In summary, ToolShell remains a serious, actively exploited threat to on-premises SharePoint environments. Prompt patching, machine key rotation, and vigilant monitoring are critical to defense.
- ToolShell (CVE-2025-53770, chained with the CVE-2025-53771 authentication bypass) is a significant threat, enabling unauthenticated remote code execution on on-premises SharePoint Server through deserialization of untrusted data.
- Microsoft issued emergency out-of-band patches, and the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging prompt mitigation.
- Recommended measures include applying Microsoft's patches, rotating the ASP.NET machine keys afterwards, restricting internet exposure, monitoring logs, reviewing SharePoint configurations, and implementing network-level protections.
- The Washington Post has reported that the campaign has compromised several government agencies, including U.S. federal and European agencies, and a U.S. energy company.