SharePoint vulnerability under exploit across globe
🛡️ Urgent Security Alert: SharePoint Vulnerability Actively Exploited Worldwide
A critical vulnerability in Microsoft SharePoint Server—CVE-2025-53770—is currently being exploited across the globe. If your organization runs an on-premises SharePoint Server, immediate action is required to protect sensitive data and maintain system integrity.
🔍 What’s Happening?
Security researchers have identified a remote code execution (RCE) vulnerability with a severity rating of 9.8 out of 10, allowing attackers to gain unauthenticated access to exposed SharePoint Servers. Once inside, they can steal credentials, deploy persistent backdoors, and move laterally across networks.
This exploit chain, dubbed ToolShell, has already compromised systems in multiple waves of attack. Microsoft has confirmed the issue and released emergency patches for affected versions.
🧠 What You Need to Know about the SharePoint Vulnerability
- Affected Systems: SharePoint Server Subscription Edition and SharePoint Server 2019. SharePoint 2016 remains unpatched but can be hardened with Antimalware Scan Interface (AMSI).
- Not Affected: SharePoint Online and Microsoft 365 users are safe.
- Attack Method: Exploits insecure deserialization in SharePoint’s .NET framework, allowing attackers to execute malicious code without credentials.
- Backdoor Used: A stealthy webshell called ToolShell that extracts cryptographic keys and enables full control over the server.
🛠️ What You Should Do about the SharePoint Vulnerability
- Patch Immediately
Apply Microsoft’s emergency updates for CVE-2025-53770 and CVE-2025-53771 if you’re running SharePoint Subscription Edition or 2019. - Rotate Machine Keys
Patching alone isn’t enough. Attackers may have stolen ASP.NET machine keys, which must be rotated to prevent future exploits. - Restart IIS Web Server
After rotating keys, restart the IIS server to flush compromised sessions and configurations. - Check for Indicators of Compromise
Use guidance from Eye Security and CISA to scan for signs of intrusion, including POST requests to/ToolPane.aspxand suspicious IP activity.
🧩 Why This Matters
This isn’t just another patch cycle. The exploit allows attackers to bypass authentication entirely, meaning even systems with multi-factor authentication and single sign-on are vulnerable. If your SharePoint Server is internet-facing and unpatched, assume compromise and begin incident response procedures immediately. Need assistance from Salt Lake City IT Pros, click here to contact us.
