Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent warning regarding active and widespread cyberattacks targeting on-premises SharePoint servers globally. These attacks are exploiting newly discovered “zero-day” vulnerabilities, allowing malicious actors to gain unauthorized access to critical systems.
The vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, are variants of flaws partially addressed in Microsoft’s July Security Update. Attackers are leveraging a technique dubbed “ToolShell” to bypass authentication, access file systems, steal sensitive configurations, and execute malicious code. This could lead to a complete compromise of targeted servers, including data theft and persistent backdoor installations.
Reports indicate that at least 85 SharePoint servers across 54 organizations have already been compromised, with the attacks affecting government agencies, universities, energy companies, and other major corporations in the United States, Netherlands, United Kingdom, and Canada. The FBI has confirmed it is aware of the matter and is collaborating with partners to assess the threat.
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the critical nature of the threat. This typically mandates federal agencies to apply patches promptly once available. Microsoft has released emergency security updates for SharePoint Subscription Edition and SharePoint 2019, urging customers to install them immediately. Patches for SharePoint 2016 are reportedly still in development.
Crucially, Microsoft has clarified that SharePoint Online in Microsoft 365, which is a cloud-based service, is not impacted by these specific vulnerabilities. The attacks are focused solely on on-premises SharePoint Server deployments.
Organizations using vulnerable on-premises SharePoint servers are strongly advised to apply the released security updates without delay. Additionally, Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration, deploying Microsoft Defender AV, rotating ASP.NET machine keys, and actively monitoring for suspicious file creations and network activity. Cybersecurity experts also caution that even after patching, organizations should assume compromise if their SharePoint servers were exposed to the internet, and should conduct thorough investigations for persistent threats.
