Microsoft Issues Emergency Fix as Critical SharePoint Flaw Faces Active Exploits

Microsoft has issued emergency out-of-band security updates to address a critical vulnerability in SharePoint Server that’s already being actively exploited. The high-severity flaw is being used in targeted attacks against U.S. federal and state agencies as well as thousands of organizations worldwide.

The critical security flaws (tracked as CVE-2025-53770 and CVE-2025-53771) affect on-premises SharePoint Server 2019 and SharePoint Server Subscription Edition (SE). The first vulnerability carries a CVSS score of 9.8, which could give hackers remote access to SharePoint Servers exposed to the Internet. However, the second path traversal flaw allows unauthorized remote hackers to execute code over a network. These vulnerabilities don’t affect SharePoint Online and Microsoft 365.

The first indication of a widespread attack exploiting the SharePoint vulnerability came on July 18, when cybersecurity researchers at Eye Security conducted a global scan of over 8,000 SharePoint servers. Their scan revealed that dozens of systems had already been compromised, which indicates that the exploit was being actively used in real-world attacks.

How does the ToolShell exploit chain work?

The ToolShell exploit chain begins with attackers leveraging CVE-2025-53770 to gain unauthenticated remote access to exposed servers. Once inside, attackers deploy a webshell-based backdoor known as ToolShell, which enables deep access to SharePoint’s internal components.

This backdoor facilitates the extraction of authentication tokens, which are then used to impersonate privileged users and execute arbitrary commands. The exploit is particularly dangerous because it bypasses standard security controls and closely resembles legitimate administrative activity to make detection difficult. Following initial compromise, attackers use the stolen credentials to expand their reach across the network and target sensitive systems and data.

Microsoft has since released security patches to protect organizations using SharePoint 2019, SharePoint Server Subscription Edition, and SharePoint 2016. The company has advised administrators to apply the security fixes immediately within their organizations.

Mitigation tips for unpatched SharePoint Servers

Microsoft has also provided recommendations for organizations that can’t apply the fixes for the SharePoint vulnerabilities immediately. Administrators should deploy Microsoft Defender for Endpoint to detect post-exploitation activity. They should also ensure that the Antimalware Scan Interface (AMSI) integration in SharePoint is set to Full Mode.

Furthermore, it’s advised to enable Microsoft Defender Antivirus on all SharePoint hosts to block potential exploitation. Microsoft says that organizations that can’t enable AMSI should disconnect vulnerable systems from the Internet entirely until their systems are fully patched.

Lastly, CISA has also detailed additional steps to help organizations reduce the risk of compromise. Administrators must update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. Moreover, IT admins must implement comprehensive logging to identify exploitation activity. It’s also recommended to audit and minimize layout and admin privileges.