

Microsoft Patches ‘ToolShell’ Zero-Days Exploited to Hack SharePoint Servers

Microsoft has started releasing updates to fix the exploited SharePoint zero-days tracked as CVE-2025-53770 and CVE-2025-53771. (Originally published on SecurityWeek.)

Patch for CVE-2025-53770 and CVE-2025-53771.

Microsoft has started releasing emergency SharePoint Server updates to patch a couple of zero-days that have been exploited in recent days against vulnerable instances.

Exploitation of the vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771 and dubbed ‘ToolShell’, appears to have started on July 18, according to Eye Security, whose researchers were the first to warn organizations about attacks.

Microsoft quickly confirmed in-the-wild exploitation and shared mitigations while it scrambled to develop patches. Late on Sunday, the tech giant announced security updates that should fix the vulnerabilities in SharePoint Subscription Edition and SharePoint 2019. Patches for SharePoint 2016 are pending.

CVE-2025-53770 and CVE-2025-53771 only impact on-premises SharePoint Servers; SharePoint Online in Microsoft 365 is not affected. CVE-2025-53771 is an authentication bypass (Microsoft classifies it as a spoofing bug) and CVE-2025-53770 is a deserialization of untrusted data issue; chained, they give an unauthenticated remote attacker code execution on the server.

In attacks observed by Eye Security and Google’s Threat Intelligence Group, the attackers planted a webshell and exfiltrated cryptographic secrets that enabled them to gain full access to compromised systems.

Internet scans conducted by Eye Security showed dozens of SharePoint servers hacked through a ToolShell attack. 

The non-profit Shadowserver Foundation reported seeing over 9,000 internet-exposed instances of SharePoint, a majority in North America and Europe. It’s unclear how many of them are vulnerable to attacks, since exposure counts do not distinguish patched from unpatched servers.

CVE-2025-53770 and CVE-2025-53771 are variants of CVE-2025-49706 and CVE-2025-49704, which security researchers from Viettel demonstrated in May at the Pwn2Own Berlin hacking competition.

Microsoft fixed CVE-2025-49706 and CVE-2025-49704 with its July 2025 Patch Tuesday updates. A few days later, researchers at Code White reproduced the exploit chain, which they dubbed ToolShell, showing how it can be executed with just one request by an unauthenticated attacker.

It appears threat actors managed to bypass Microsoft’s patches for CVE-2025-49706 and CVE-2025-49704, and have started launching attacks against vulnerable SharePoint servers.

In response, Microsoft published new advisories and assigned new CVEs: CVE-2025-53770, whose patch should include “more robust protections” than the patch for CVE-2025-49704, and CVE-2025-53771, whose patch should provide better protections than the one for CVE-2025-49706.

At the time of writing, Microsoft’s advisory for CVE-2025-53771 does not mention active exploitation. SecurityWeek is trying to obtain clarifications regarding the exploitation of this flaw from Microsoft.

Palo Alto Networks over the weekend reported seeing exploitation of CVE-2025-49704 and CVE-2025-49706 against targets worldwide. However, its advisory was released before Microsoft announced new CVE identifiers, suggesting that these are the same as the attacks seen by others.

The cybersecurity agency CISA has added CVE-2025-53770 to its KEV catalog and instructed government organizations to immediately address it. The agency has also issued its own alert summarizing the available information and mitigations. 

Organizations that cannot immediately apply the available patches, or whose SharePoint version has not yet received one, are advised to enable the Antimalware Scan Interface (AMSI) integration in SharePoint and set it to ‘Full Mode’, with Microsoft Defender Antivirus (or another AMSI-capable antivirus engine) deployed on every SharePoint server, since AMSI only scans if an engine is registered to receive its callbacks. AMSI integration is enabled by default starting with the September 2023 security update for SharePoint Server 2016 and 2019 and the 23H2 feature update for Subscription Edition, but older installations must turn it on. Microsoft has said that servers on which AMSI cannot be enabled should be disconnected from the internet until they are patched.

Because the cryptographic keys targeted in these attacks, the ASP.NET machine keys (ValidationKey and DecryptionKey) that SharePoint uses to sign and encrypt ViewState, may already have been stolen by the time updates or mitigations are deployed, Microsoft recommends rotating them after updates or mitigations are applied and then restarting IIS on every server in the farm. This step matters because an attacker holding a valid key pair can forge signed ViewState payloads and keep executing code on a server even after it has been patched.
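The key-rotation step above, as an added example written for this page rather than code from the article or from Microsoft. It assumes the SharePoint Management Shell on a server in a SharePoint Subscription Edition or SharePoint 2019 farm (the two editions the article says have patches), run as a farm administrator after the update has been installed; the timer-job name filter is a wildcard because the exact display name is not given on this page.

```powershell
# Added example (not from the article): rotate SharePoint's ASP.NET machine keys
# after patching, confirm the rotation job ran, then restart IIS so the new keys
# take effect. Assumes the SharePoint Management Shell on a Subscription Edition
# or SharePoint 2019 farm server, run as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate keys for every web application, Central Administration included.
# Update-SPMachineKey generates a fresh ValidationKey/DecryptionKey pair for the
# web application and deploys it to the farm's web servers, invalidating any
# ViewState an attacker could forge with the stolen keys.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Sanity check: list the rotation timer job(s) and when they last ran.
# (Wildcard filter; the job's exact display name is an assumption.)
Get-SPTimerJob |
    Where-Object { $_.DisplayName -like '*Machine Key*' } |
    Select-Object DisplayName, LastRunTime

# Worker processes only pick up the new keys after a restart. Run this on every
# SharePoint server in the farm; this script handles the local server only.
iisreset.exe
```

Rotate only after the security update is installed: rotating keys on a still-vulnerable server just hands the attacker a new pair on the next exploitation attempt. Treat any server that ran unpatched and exposed as potentially compromised regardless of rotation, since a webshell planted earlier does not depend on the machine keys.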

UPDATE: While initial reports suggested that CVE-2025-53770 and CVE-2025-53771 are being chained in the recent attacks, Eye Security told SecurityWeek that it has not seen active exploitation of CVE-2025-53771 (or CVE-2025-49706).

“However, since our detections allowed us to stop attacks at an early stage, we have not seen the full attack chain play out in customer environments. It’s possible there are additional steps or exploits in the chain that haven’t been uncovered yet,” the company explained.

SecurityWeek has published a follow-up article on the ToolShell attacks, including on the confusion over which vulnerabilities have been exploited, and the attribution of the first attack wave to China.

