Microsoft Issues Emergency Patch as SharePoint Vulnerability Leads to High-Profile Breaches

by News365 Team
News365 Featured US & World News

Microsoft has released an emergency security update to address a critical zero-day vulnerability in its SharePoint Server platform, following reports that the flaw is being actively exploited by hackers to infiltrate government, academic, and energy-sector systems across the U.S. and abroad.

The vulnerability, now identified as CVE-2025-53770, affects on-premises SharePoint servers and is not present in Microsoft 365 or SharePoint Online. According to Microsoft’s advisory, the flaw is a variation of a previously patched issue, CVE-2025-49706, which was believed to have been fixed in the company’s July 8 update. However, new exploitation techniques have rendered that patch incomplete.

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the vulnerability is being leveraged in real-world attacks. Investigators say a malicious tool known as “ToolShell” is being deployed to compromised systems, allowing attackers to bypass authentication and gain remote access. Once installed, ToolShell enables full access to SharePoint content, file systems, and configuration data, and even permits execution of arbitrary code on affected networks.

Eye Security researchers were among the first to detect widespread exploitation of the flaw, observing breaches beginning on July 18. In a public report, they warned that attackers are targeting and extracting ASP.NET machine keys from SharePoint servers. These keys, once obtained, could be used to facilitate additional attacks over time—even after initial access has been blocked.

Security experts are emphasizing that patching alone may not be sufficient to fully protect vulnerable systems. Eye Security is urging organizations to rotate machine keys and restart IIS servers as an immediate precaution. “This threat is already active and spreading quickly,” the company stated, adding that defenders should not wait for a full vendor fix before acting.
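The two precautions Eye Security recommends, rotating the ASP.NET machine keys and restarting IIS, as an added PowerShell example that is not from the article or from any vendor advisory; it assumes an elevated SharePoint Management Shell run as a farm administrator on a SharePoint server, and that the cmdlets Get-SPWebApplication and Update-SPMachineKey are available (the log path and the order of steps are this example's own choices).

```powershell
# Added example: rotate the machine keys of every SharePoint web application in the
# farm, record the outcome, and restart IIS on this server only if every rotation
# succeeded. Assumption: Update-SPMachineKey generates and deploys new
# validation/decryption keys for the web application passed to it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$log    = Join-Path $env:TEMP ("machinekey-rotation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
$failed = @()

# -IncludeCentralAdministration so the Central Administration web application is rotated too.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        "$(Get-Date -Format o) rotated keys for '$($wa.DisplayName)' ($($wa.Url))" |
            Tee-Object -FilePath $log -Append
    } catch {
        $failed += $wa.Url
        "$(Get-Date -Format o) FAILED for '$($wa.DisplayName)': $($_.Exception.Message)" |
            Tee-Object -FilePath $log -Append
    }
}

if ($failed.Count -gt 0) {
    # A web application whose keys were not rotated is still covered by the old keys;
    # treat the farm as unremediated until this is resolved.
    Write-Warning ("Key rotation failed for {0} web application(s): {1}" -f `
        $failed.Count, ($failed -join ', '))
} else {
    # New keys take effect only when the worker processes reload, so restart IIS.
    # Repeat this restart on every SharePoint server in the farm.
    & iisreset.exe /noforce
    Write-Output "Rotation complete; log written to $log"
}
```

Keep the log with the incident record: it shows which web applications were rotated and when, which matters if keys extracted before the rotation are later found in use.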

Microsoft has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, though additional updates for supported versions of SharePoint 2016 and 2019 are still in development.

CISA recommends that affected organizations enable AMSI (Antimalware Scan Interface) within SharePoint, install Microsoft Defender Antivirus, and disconnect any exposed SharePoint servers from the public internet until complete remediation is available. The agency echoed concerns that these attacks may represent part of a broader campaign targeting U.S. government agencies and critical infrastructure.

The Washington Post reported that at least two U.S. federal agencies have experienced breaches linked to this vulnerability, and similar incidents are now under investigation in Canada and Australia. Officials believe the targeted servers were being used to host sensitive internal documents and manage data workflows, making them high-value targets.

Adding to the urgency, the security firm Rapid7 noted that CVE-2025-53770 is connected to a separate exploit chain unveiled during the Pwn2Own hacking competition in May. That chain originally involved a flaw labeled CVE-2025-49704, which Microsoft attempted to patch earlier this month alongside CVE-2025-49706.

Microsoft has also released a related patch for another SharePoint vulnerability, CVE-2025-53771, which it says has not yet been exploited in the wild. The update is intended to bolster defenses after the shortcomings of prior fixes became evident.

As this is a rapidly evolving situation, Microsoft and federal agencies continue to monitor developments and encourage administrators to stay alert for further updates.
