Prime Highlights
- Microsoft has rolled out out-of-band emergency updates for two severe zero-day flaws in on-premises SharePoint servers, which are being exploited globally in an ongoing campaign.
- Security leaders have called for immediate patching, rotation of critical keys, and threat hunting to neutralize the “ToolShell” exploit chain.
Key Facts
- The primary vulnerability (CVE-2025-53770) carries a critical rating with a CVSS score of 9.8 and permits unauthenticated remote code execution.
- A second weakness (CVE-2025-53771) enables spoofing via path traversal; together the two flaws form the basis of the persistent attacks.
Key Background
In July 2025, security researchers identified a mass exploitation campaign targeting on-premises Microsoft SharePoint servers. Two newly discovered zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, were identified as the root cause. The first allows unauthenticated attackers to execute arbitrary code by exploiting insecure deserialization. The second enables spoofing through path traversal. Chained together as the “ToolShell” exploit, the two vulnerabilities let an attacker install malicious web shells and establish deep persistence.
The attacks began on July 18 and have hit dozens of organizations worldwide, including banks, universities, and government departments. Attackers have exploited the vulnerabilities to steal ASP.NET machine keys, which, unless rotated, allow repeated unauthorized access even after the servers are patched. Security researchers have stressed that patching alone is not sufficient; full remediation, including key rotation and web shell removal, is required.
Microsoft responded with out-of-band security patches for SharePoint Server 2019 and SharePoint Server Subscription Edition; the fix for SharePoint Server 2016 is still in progress. Organizations are advised to patch immediately, enable advanced malware scanning, deploy endpoint protection, and restart IIS servers to fully clear out malicious artifacts. The United States Cybersecurity and Infrastructure Security Agency has flagged CVE-2025-53770 as actively exploited and has set strict response deadlines for government agencies.
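The remediation sequence described above (patch first, then rotate the ASP.NET machine keys, then restart IIS), as an added PowerShell example that is not part of the article or of Microsoft's own guidance. It assumes it is run from an elevated SharePoint Management Shell on a farm server after the out-of-band update is installed, and that the farm's SharePoint snap-in or module exposes the Update-SPMachineKey cmdlet.

```powershell
# Added example (not from the article or Microsoft): rotate ASP.NET machine keys
# for every SharePoint web application, then restart IIS on this server.
# Run in an elevated SharePoint Management Shell on a farm server AFTER the
# July 2025 out-of-band update is installed; repeat iisreset on every farm server.
# Assumption: the farm's snap-in (2016/2019) or module (Subscription Edition)
# provides Update-SPMachineKey.
$ErrorActionPreference = 'Stop'

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Import-Module SharePointServer -ErrorAction SilentlyContinue
}
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw 'Update-SPMachineKey is not available; install the current SharePoint update first.'
}

# Record the farm build so it can be compared with the build Microsoft lists as fixed.
$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)

# Rotate keys for every web application, Central Administration included, so that
# keys stolen before patching no longer grant access.
$results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $wa
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# New keys take effect only after IIS reloads; restart here, then on the remaining
# farm servers. Skip the restart if any rotation failed, so the outcome is reviewed first.
if ($results.Rotated -notcontains $false) {
    & iisreset.exe
} else {
    Write-Warning 'Key rotation failed for at least one web application; resolve before restarting IIS.'
}
```

Hunting for and removing any web shells dropped before the update is a separate step that this script does not perform.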
This incident underscores the growing threats in hybrid IT environments. Unlike cloud-based environments, on-premises systems are often not subject to continuous monitoring and automated patching, which makes them high-value targets. The SharePoint zero-day attacks reinforce the importance of proactive vulnerability management, rapid incident response, and continuous network monitoring.