If your company is running SharePoint on premises, it’s time to hit pause and listen up.
A critical vulnerability in Microsoft SharePoint Server, CVE-2025-53770, is under active exploitation worldwide, and it is not a theoretical risk: researchers and federal agencies alike have confirmed intrusions traced to this bug. If that sounds serious, that's because it is.
Rated 9.8 out of 10 on the CVSS scale, the flaw is a deserialization of untrusted data that gives an unauthenticated attacker remote code execution on any on-premises SharePoint server reachable from the internet. In other words: if your SharePoint server is online and unpatched, there's a good chance someone has already been poking around where they shouldn't.
What’s happening right now?
Researchers began spotting attacks using this vulnerability on Friday, July 18. Microsoft confirmed the exploitation the next day and pushed out-of-band patches for SharePoint Subscription Edition and SharePoint 2019 over that weekend. But that's not the end of it.
Security firm Eye Security reported that dozens of servers around the globe were compromised in two separate attack waves on July 18 and 19. The exploit chain the attackers used has been dubbed ToolShell; on each breached server they dropped a small ASPX page that serves as the backdoor.
Now here's where it gets scary: that page isn't your typical webshell that runs commands or opens a direct line back to the attacker. Instead it quietly reads the most sensitive part of the SharePoint configuration, the ASP.NET MachineKey (the validationKey and decryptionKey), and hands the values back in the HTTP response. Those keys are what ASP.NET, and therefore SharePoint, uses to sign and encrypt ViewState and other state that round-trips through the client; they are the backbone of trust inside a .NET web application.
The real danger: once inside, they move fast
Once the attackers hold a server's validation key, they can craft requests that SharePoint treats as its own: __VIEWSTATE payloads that pass MAC validation and that ASP.NET then deserializes, with the attacker choosing what gets deserialized. That is remote code execution with no need for a username or password.
They do this with ysoserial.net, which builds deserialization gadget chains and signs them with the stolen key so the server accepts them as if it had generated them itself. These aren't sloppy hacks. This is precision work that reuses a technique previously seen back in 2021, now rolled into a modern zero-day chain with stealth, persistence and automation.
Simply put: they’re in, and they’re staying in.
What Microsoft is doing
Microsoft has released patches for CVE-2025-53770 and for the related CVE-2025-53771. Both are bypasses of the fixes for two earlier bugs, CVE-2025-49704 (remote code execution) and CVE-2025-49706 (authentication bypass), which were first demonstrated at the Pwn2Own contest in Berlin in May and patched in the July Patch Tuesday release; the new updates also harden those earlier fixes.
However, not every version was covered at first: SharePoint 2016 had no patch when the vulnerability was disclosed, so check Microsoft's advisory for the current status of the version you run. Where a patch is not yet available, Microsoft's recommendation is to enable SharePoint's Antimalware Scan Interface (AMSI) integration, with Microsoft Defender Antivirus installed on every SharePoint server, so the known exploit requests can be blocked before they reach the vulnerable code, and to take any server that cannot run AMSI off the internet until it is patched.
Why patching isn’t enough
Here's the bad news: if your server was already compromised, applying the patch doesn't undo the damage. The attackers have most likely already stolen the ASP.NET MachineKey (validationKey and decryptionKey). The patch closes the hole they came in through, but a stolen key still lets them sign ViewState payloads the server trusts, so they can come back later, even after you patch.
So what should you do?
- Install Microsoft's emergency updates immediately, on every server in the farm
- After patching, rotate the ASP.NET machine keys (Microsoft's guidance is the Update-SPMachineKey cmdlet in the SharePoint Management Shell, or the Machine Key Rotation Job in Central Administration) and then restart IIS with iisreset on every SharePoint server; rotating before patching only hands the attacker the new keys
- Review IIS logs, ULS logs and endpoint telemetry for the published indicators of compromise, and look for unexpected .aspx files in the LAYOUTS folders
- Use the technical guidance from Eye Security and CISA to check if you've been hit
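As an added example of the log review in the steps above (written for this article; it is not Eye Security's or CISA's tooling), the script below replays the publicly reported ToolShell indicators against IIS W3C log lines and a LAYOUTS folder listing. The indicator values (a POST to ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, and a dropped spinstall0.aspx page) are taken from public reporting on the July 18 and 19 attacks, and the sample log is constructed; refresh the indicators from the CISA and Eye Security advisories before relying on it.

```python
"""
Triage helper written for this article: replays the published ToolShell
indicators against IIS W3C logs and a LAYOUTS directory. Indicator values are
assumed from public reporting on the July 2025 attacks and should be kept in
sync with the CISA and Eye Security advisories.
"""
import re
from pathlib import Path

TOOLPANE_PAGE = "/toolpane.aspx"             # attacks POST to /_layouts/15/ToolPane.aspx
SIGNOUT_REFERER = "/_layouts/signout.aspx"   # Referer that drives the authentication bypass
DROPPED_PAGE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)  # key-theft page and numbered variants

# Constructed sample log: a benign GET, the exploit POST, the attacker fetching
# the dropped page, and an admin legitimately editing a web part.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 23:10:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 23:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-07-18 23:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 23:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 https://sp.example.com/sites/hr/default.aspx 200
"""


def parse_iis_log(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()  # IIS writes spaces inside a field as '+', so whitespace splitting is safe
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_dropped_page(filename: str) -> bool:
    """True for spinstall0.aspx and its numbered variants, case-insensitively."""
    return bool(DROPPED_PAGE.match(filename))


def classify(entry: dict):
    """Return a verdict for a suspicious request, or None for ordinary traffic."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    referer = entry.get("cs(Referer)", "").lower()
    method = entry.get("cs-method", "").upper()
    if is_dropped_page(stem.rsplit("/", 1)[-1]):
        return "dropped-page-accessed"
    if (method == "POST" and stem.endswith(TOOLPANE_PAGE)
            and "displaymode=edit" in query and SIGNOUT_REFERER in referer):
        return "toolshell-exploit-attempt"
    # An authenticated POST to ToolPane.aspx from a normal Referer is routine web-part editing.
    return None


def hunt(log_text: str) -> list:
    """Run every log line through classify() and collect the hits, oldest first."""
    findings = []
    for entry in parse_iis_log(log_text):
        verdict = classify(entry)
        if verdict:
            findings.append({"when": f"{entry['date']} {entry['time']}", "client": entry.get("c-ip"),
                             "uri": entry["cs-uri-stem"], "verdict": verdict})
    return findings


def find_dropped_pages(layouts_dir) -> list:
    """List spinstall*.aspx files under a LAYOUTS folder. On a default install the
    16 hive is C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS."""
    root = Path(layouts_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob("*.aspx") if is_dropped_page(p.name))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Point hunt() at the concatenated u_ex*.log files for every web application and Central Administration, not just the public site, and treat any hit from a client IP you do not recognise as a confirmed incident rather than a lead: the exploit request and the fetch of the dropped page together mean the keys are already gone, which is exactly the case where rotation, not only patching, is required.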
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also confirmed the attacks and is urging organizations to review their systems carefully. At least two federal agencies have already reported breaches.
CISA has published a set of technical indicators and defensive measures to help IT teams dig in and respond.
What’s the takeaway?
If you’re managing an on-prem SharePoint server, assume you’re compromised until proven otherwise. This isn’t paranoia — it’s the advice from experts who’ve already traced active attacks around the globe.
Microsoft 365 and SharePoint Online users can breathe a little easier: the cloud service is not affected. But if you're still running SharePoint in-house, now's the time to move quickly. This bug isn't just serious, it's being used right now.
Let your team know. Patch fast. Double-check everything.
And if you’re not sure where to start, Eye Security and CISA both have detailed steps to guide you — don’t wait to check them out.
Keywords: SharePoint vulnerability, CVE-2025-53770, ToolShell, remote code execution, Microsoft security, machinekey, SharePoint patch, CVE-2025-53771, CVE-2025-49704, CVE-2025-49706, ysoserial, ASP.NET, on-premises breach, cybersecurity alert