Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Exposes On-Premises Servers, Emergency Guidance Issued

Microsoft has confirmed a major zero-day vulnerability is being actively exploited in on-premises SharePoint Server, with no patch currently available for most affected versions. Dubbed CVE-2025-53770—nicknamed “ToolShell” by researchers—the Microsoft SharePoint flaw enables unauthenticated attackers to take full control of targeted SharePoint servers. As of July 20, 2025, the attacks have hit at least 75 to 85 organizations globally (via Forbes), ranging from government agencies and financial institutions to universities and the energy sector.

Microsoft urges urgent mitigation as attackers escalate exploitation, leveraging the vulnerability to plant persistent backdoors and steal sensitive cryptographic keys. Here’s everything you need to know to assess your risk, respond to the evolving threat, and secure your infrastructure.

What Is the SharePoint ToolShell Zero-Day (CVE-2025-53770)?

The flaw stems from insecure deserialization within SharePoint’s server logic. This allows attackers to craft malicious HTTP POST requests to specific SharePoint endpoints, resulting in unauthorized code execution on the server—even without valid credentials.

Once exploited, hackers can:

• Deploy arbitrary ASPX payloads to the server.

• Steal cryptographic machine keys, facilitating future attacks or lateral movement.

• Maintain persistent access to compromised environments, even after security updates.

“ToolShell is particularly dangerous because it lets attackers bypass authentication altogether. This opens the door for full-stack attacks, including data theft and ransomware deployment,” warned one lead incident responder involved in the investigation.

Affected SharePoint Versions

• SharePoint Server 2016

• SharePoint Server 2019

• SharePoint Subscription Edition

Note: SharePoint Online (in Microsoft 365) is not impacted. This attack strictly targets on-premises deployments.

Scope of the Attack

• Confirmed victims: 75–85 organizations across multiple continents

• High-risk sectors: Government, finance, telecom, universities, energy

• Potential exposure: Tens of thousands of vulnerable SharePoint servers worldwide

Attackers exploit the flaw to steal intellectual property, disrupt daily operations, and potentially ransom critical data. Organizations who rely on on-premises SharePoint installations are strongly urged to take action immediately.

How the Exploit Works

The attack sequence typically involves:

1. Sending a crafted POST request to a vulnerable SharePoint endpoint.

2. Triggering insecure deserialization, enabling arbitrary server-side code execution.

3. Planting a malicious ASPX backdoor for persistent access.

4. Extracting cryptographic machine keys to ensure ongoing control, even after future updates.

Because the exploit occurs prior to authentication, traditional perimeter defenses and credential-based access controls may not prevent compromise.

Microsoft’s Emergency Guidance

• A security update for SharePoint Subscription Edition is now available.

• No patch yet for SharePoint 2016 or 2019 as of July 20, 2025; development is ongoing.

Immediate Mitigation Steps

Microsoft and leading cybersecurity agencies recommend the following urgent actions—even if you believe your servers are not compromised:

• Enable AMSI (Antimalware Scan Interface) and ensure Microsoft Defender Antivirus is running.

• Deploy advanced threat protection solutions (e.g., Defender for Endpoint).

• Rotate cryptographic machine keys on potentially affected servers.

• Remove direct internet access from vulnerable servers if AMSI cannot be enabled.

• Inspect SharePoint servers for unfamiliar ASPX files and changes in machine keys.

Incident Response Recommendations

• Hunt for persistence: Review recently added web shells and machine key modifications.

• Monitor for suspicious traffic: Examine network logs for indicators of compromise.

• Prepare for the possibility of forced password resets and privilege audits.

Detection and Threat Hunting: Indicators of Compromise (IOCs)

Security teams should:

• Search server logs for malformed or unexpected POST requests to administrative SharePoint endpoints.

• Look for unauthorized ASPX payloads dropped in SharePoint directories.

• Track changes to ASP.NET machineKey configuration, especially additions or replacements.

Forensic Best Practices

• Quarantine compromised servers to prevent spread.

• Preserve forensic copies of exploited systems before making configuration changes.

• Share findings with relevant authorities, especially if protected personal or governmental data may be involved.

Notable Sector & US Federal Government Response

Due to the breadth of targeted attacks—including several US government agencies—the FBI and CISA are actively involved. Agencies running on-premises SharePoint have received urgent directives to isolate vulnerable systems and follow Microsoft’s mitigation instructions.

Global Perspective

Reports from international cybersecurity watchdogs suggest similar attacks are underway in Europe, Asia, and Australia. Organizations in regulated industries—including finance and energy—are particularly high-value targets.

Related Developments

• Patch Tuesday Recap: Over 128 separate vulnerabilities were addressed in Microsoft’s July 2025 Patch Tuesday release, reinforcing the need for rigorous patch management—even as this SharePoint zero-day remains unresolved in several product lines.

• Recent Microsoft 365 Outages: Earlier this month, both Microsoft 365 Copilot and Outlook suffered a 19-hour outage, providing a stark reminder of the importance of reliable backups and cloud redundancy.

How to Protect Your SharePoint Environment

1. Apply Security Updates:
   Immediately install available updates for SharePoint Subscription Edition. Monitor Microsoft’s official guidance for forthcoming patches for other versions.

2. Enable AMSI and Defender Antivirus:

   • Set Antimalware Scan Interface (AMSI) to active.

   • Ensure Microsoft Defender Antivirus or equivalent is running and updated.

3. Rotate Machine Keys:

   • Locate and rotate all cryptographic keys associated with ASP.NET in your SharePoint configuration.

   • Document all key rotations and distribute them securely per best practices.

4. Restrict Server Exposure:

   • Disable internet-facing endpoints for vulnerable servers wherever possible.

   • Use firewalls and network segmentation to prevent lateral movement.

5. Hunt for Backdoors:

   • Conduct thorough scans for unauthorized ASPX files or suspicious scheduled tasks on SharePoint servers.

6. Prepare for Incident Response:

   • Designate a response team.

   • Create a plan for forensic analysis, restoration, and communications (internal and regulatory).

Long-Term Defense Strategies

• Transition to SharePoint Online: Where possible, migrate on-premises workloads to Microsoft 365 to benefit from more frequent automated security updates.

• Maintain Comprehensive Backups: Store regular, immutable backups and test restoration procedures.

• Regularly Review Server Hardening: Apply the principle of least privilege; audit all local and domain admin accounts regularly.

Microsoft SharePoint’s ToolShell zero-day is one of the most significant server threats in recent years. Organizations with on-premises SharePoint deployments must act quickly: apply all available mitigations, watch for signs of compromise, and prepare for evolving attack techniques as more threat actors target this vector.

More details—including technical deep-dives and updated guidance—will be published as Microsoft releases patches for additional product versions. Stay tuned for ongoing analysis and actionable defense strategies.