Microsoft’s new SharePoint vulnerability – everything you need to know
ToolShell allows unauthorized access to on-premises SharePoint servers


Microsoft has warned hackers are actively exploiting a newly-discovered vulnerability in on-premises SharePoint servers and urged enterprises to patch immediately.
The attack allows malicious actors to gain unauthorized access to organizations’ infrastructure using remote code execution (RCE), which in turn gives them access to all SharePoint content, including internal configurations and file systems.
The tech giant also warned that the flaw allows attackers to execute code over the network.
The vulnerability has been given the official designation CVE-2025-53770, although the US Cybersecurity and Infrastructure Security Agency (CISA) reports it’s also being called 'ToolShell'.
In a blog offering guidance to customers, Microsoft said SharePoint administrators should immediately apply updates for SharePoint Server Subscription Edition and SharePoint Server 2019, which were issued on 20 July and 21 July respectively. Links to the official downloads are available through the blog.
An update for supported versions of SharePoint 2016 isn’t yet available, but the company says it is working on one. SharePoint Online in Microsoft 365 isn’t affected.
In addition to applying the updates, or while waiting for one to become available, Microsoft advises the following steps to mitigate potential attacks:
- Use supported versions of on-premises SharePoint Server
- Apply the latest security updates, including the July 2025 Security Update
- Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
- Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
- Rotate SharePoint Server ASP.NET machine keys
CISA has offered the following additional steps to reduce the risk of compromise:
- Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender AV on all SharePoint servers.
- If AMSI cannot be enabled, disconnect affected products from service (sic) that are public-facing on the internet until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
- Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
- For information on detection, prevention, and advanced threat hunting measures, see Microsoft's Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
- Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
- Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA's Guidance on SIEM and SOAR Implementation.
- Implement comprehensive logging to identify exploitation activity. For more information, see CISA's Best Practices for Event Logging and Threat Detection.
- Audit and minimize layout and admin privileges.
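A small hunt over IIS logs for two of the CISA indicators above (POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, and requests from the three listed IPs during July 18-19, 2025), as an added example that is not from the article or from Microsoft/CISA; the log lines are constructed and the W3C field layout is an assumption:

```python
"""Hunt for the CVE-2025-53770 indicators quoted from CISA in IIS W3C logs.
Added example, not the article's or Microsoft/CISA's code; the log lines are
constructed and the field layout is assumed (default IIS W3C logging)."""
from datetime import date

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"          # compared case-insensitively
SUSPECT_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))      # July 18-19, 2025

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 22:14:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 200
2025-07-19 03:40:11 10.0.0.5 GET /sites/hr/default.aspx - 192.168.4.20 200
2025-07-20 11:12:13 10.0.0.5 GET /sites/hr/default.aspx - 104.238.159.149 200
2025-07-21 09:01:55 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 200
2025-07-21 09:02:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 192.168.4.20 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def hunt(text):
    """Return (toolpane_posts, suspect_ip_hits) for the CISA indicators."""
    toolpane_posts, ip_hits = [], []
    for row in parse_w3c(text):
        # Indicator 1: POST to ToolPane.aspx with DisplayMode=Edit (any date, any IP).
        if (row["cs-method"] == "POST"
                and row["cs-uri-stem"].lower() == TOOLPANE_PATH
                and "displaymode=edit" in row.get("cs-uri-query", "-").lower()):
            toolpane_posts.append(row)
        # Indicator 2: any request from the listed IPs inside the July 18-19 window.
        # c-ip is the peer address; behind a reverse proxy, log and check X-Forwarded-For instead.
        if row["c-ip"] in SUSPECT_IPS and WINDOW[0] <= date.fromisoformat(row["date"]) <= WINDOW[1]:
            ip_hits.append(row)
    return toolpane_posts, ip_hits

if __name__ == "__main__":
    posts, hits = hunt(SAMPLE_LOG)
    for r in posts:
        print("ToolPane POST:", r["date"], r["time"], r["c-ip"], "status", r["sc-status"])
    for r in hits:
        print("Listed IP hit:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
```

A hit on either indicator is a trigger for the wider Microsoft guidance (patching, AMSI, and machine-key rotation), not proof of compromise on its own.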
Microsoft customers urged to act on SharePoint flaw
Experts have lined up to underscore the critical nature of this vulnerability.
Martin Riley, CTO at cybersecurity firm Bridewell, said the exploitation of the flaw represents an "unprecedented risk" due to an attacker's ability to completely bypass authentication and identity controls such as MFA.
“This vulnerability is not just about data theft – it can enable attackers to harvest credentials, steal cryptographic keys, and impersonate users even after the patch is applied unless keys are rotated,” he said.
“Leaders must prioritize mitigations immediately, even if this impacts productivity. The cost of inaction is far greater than the inconvenience of temporary restrictions.”

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.