Microsoft hastily releases an emergency update to fix actively exploited vulnerabilities in SharePoint, known as the ToolShell zero-day.
In a recent development, two critical vulnerabilities in Microsoft SharePoint Server have been identified and are currently under active exploitation. These vulnerabilities, known as CVE-2025-53770 and CVE-2025-53771, have been dubbed "ToolShell" and pose a significant threat to organizations using these servers.
CVE-2025-53770, a critical-severity vulnerability with a CVSS score of 9.8, allows an unauthenticated attacker to execute arbitrary code on a vulnerable SharePoint server. CVE-2025-53771, with a CVSS score of 6.3, is a spoofing vulnerability arising from an improper limitation of a pathname to a restricted directory (path traversal).
These vulnerabilities impact various versions of Microsoft SharePoint Server, including Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2010, and Microsoft SharePoint Server 2013.
Microsoft issued an emergency out-of-band security update on July 19, 2025, to address these vulnerabilities. The company strongly encourages users to apply these updates as soon as possible to mitigate the risks.
For organizations using Qualys VMDR, the process is straightforward: run a query to list the affected vulnerabilities, review Risk Elimination, and then create a Remediation (Patch) or Mitigation Job. Qualys has released QIDs for these vulnerabilities, making them easy to identify within the platform.
In addition, Qualys TruRisk Eliminate offers a comprehensive risk reduction solution for these vulnerabilities. It can be used to patch the SharePoint vulnerabilities or apply out-of-the-box mitigations until a patch can be deployed. With Qualys CSAM 3.0, organizations can identify at-risk SharePoint servers and surface internet-facing SharePoint servers running the vulnerable builds.
The exploitation of these vulnerabilities can lead to a complete compromise of the targeted server, including access to sensitive data and the ability to install malicious web shells for persistent access. The Cybersecurity and Infrastructure Security Agency (CISA) has placed CVE-2025-53770 on its Known Exploited Vulnerabilities (KEV) list, and NHS England's Computer Security Incident Response Team (CSIRT) has issued a High-Severity Alert (CC-4683) for active exploitation against Microsoft SharePoint Servers.
Given the severity of these vulnerabilities and their current active exploitation, it is crucial for organizations to address these issues quickly, especially on internet-facing SharePoint deployments. Failure to do so could lead to serious security breaches and ransomware attacks.
For an in-depth technical write-up, see the Threat Protect blog post on these vulnerabilities. Stay vigilant and secure, and remember, your cybersecurity is only as strong as your weakest link.