A critical zero-day vulnerability in Microsoft SharePoint, actively exploited by hackers since at least July 7, 2025, has sent a shockwave through the cybersecurity community. Threat actors are leveraging this unpatched flaw (CVE-2025-53770) to steal cryptographic keys and establish persistent access to compromised on-premises SharePoint servers, impacting numerous organizations globally, including government agencies and major corporations.
The vulnerability, with a severe CVSS score of 9.8, allows unauthenticated remote code execution by exploiting how SharePoint deserializes untrusted data. Security researchers have dubbed the exploit chain “ToolShell,” noting its ability to bypass authentication, exfiltrate sensitive data, and deploy persistent web shells. This means attackers can gain full control over affected systems, accessing file systems, internal configurations, and even interconnected services like Microsoft Teams and OneDrive.
Microsoft acknowledged the active attacks on July 19, confirming that on-premises SharePoint Server 2016, 2019, and Subscription Edition are affected, while SharePoint Online (Microsoft 365) remains unaffected. The company has since released emergency security updates for SharePoint Server 2019 and Subscription Edition, with a patch for SharePoint Server 2016 still under development.
Cybersecurity firms report observing widespread exploitation, with dozens of systems already compromised. The theft of the server’s MachineKey, including the ValidationKey and DecryptionKey, is particularly concerning. This critical information allows attackers to forge authentication tokens and maintain access even after patches are applied, making remediation a complex and multi-step process. Experts warn that organizations with internet-exposed SharePoint servers should assume compromise and initiate a full incident response.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply patches immediately. Beyond patching, Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration, deploying Defender AV on all SharePoint servers, and, critically, rotating all ASP.NET machine keys and restarting IIS to invalidate stolen credentials.
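The rotation step above is what makes patching stick: a stolen ValidationKey/DecryptionKey pair keeps working until the keys are replaced and IIS reloads them. The script below is an added example, not code from the article or from Microsoft, showing how a farm administrator would carry out those remediation steps on an already-patched on-premises farm. It assumes it runs in the SharePoint Management Shell on SharePoint Server 2019 or Subscription Edition (the Set-SPMachineKey / Update-SPMachineKey cmdlets used here are the SharePoint ones; their availability on SharePoint Server 2016 is not assumed). It checks Defender status, rotates the machine keys for every web application including Central Administration, restarts IIS, and then records a fingerprint of the new keys for the incident timeline without writing the key material itself to the console.

```powershell
# Added example (not from the article). Assumes: SharePoint Management Shell,
# farm-administrator rights, SharePoint 2019 / Subscription Edition, and that the
# security update for CVE-2025-53770 has already been installed on every server.

# 1. Confirm Defender AV with real-time protection is on, as the guidance asks,
#    before touching the keys.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender AV / real-time protection is not enabled on $env:COMPUTERNAME"
}

# 2. Rotate the ASP.NET machine keys for every web application in the farm.
#    Set-SPMachineKey generates new ValidationKey/DecryptionKey values for the
#    web application; Update-SPMachineKey deploys them to each server's web.config.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Set-SPMachineKey    -WebApplication $webApp
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so worker processes load the new keys. Anything signed or
#    encrypted with the stolen keys stops validating from this point on.
iisreset.exe

# 4. Evidence for the IR timeline: fingerprint (SHA-256) the validationKey now in
#    each web application's web.config. Compare against the pre-rotation copy;
#    the fingerprint must differ. The key itself is never printed or logged.
function Get-KeyFingerprint([string]$Value) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Value))
    return (($bytes | ForEach-Object { $_.ToString("x2") }) -join "").Substring(0, 16)
}

foreach ($webApp in $webApps) {
    foreach ($iis in $webApp.IisSettings.Values) {
        $configPath = Join-Path $iis.Path.FullName "web.config"
        if (-not (Test-Path $configPath)) { continue }
        [xml]$cfg = Get-Content -Path $configPath
        $mk = $cfg.configuration.'system.web'.machineKey
        if ($null -eq $mk) { continue }
        "{0,-40} validationKey fingerprint: {1}" -f $webApp.Url, (Get-KeyFingerprint $mk.validationKey)
    }
}
```

Run the rotation on one server in the farm; Update-SPMachineKey propagates the new keys to the others, but iisreset.exe must be run on every SharePoint server so that each loads the new configuration. Treat the fingerprint lines as part of the incident record, not as proof the host is clean: the article's point stands that an internet-exposed server should be assumed compromised and investigated for web shells and other persistence regardless of a successful rotation.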
This ongoing campaign highlights the severe risks posed by zero-day vulnerabilities in widely used enterprise software. Organizations are advised to prioritize patching, implement robust detection mechanisms, and conduct thorough investigations to determine if their environments have been compromised and to ensure all avenues for persistent access are closed.