A critical vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is being actively exploited in a large-scale attack campaign. Rated CVSS 9.8, the zero-day is a deserialization of untrusted data flaw that lets an unauthenticated attacker execute arbitrary code over the network on on-premises SharePoint servers.
It is a variant of CVE-2025-49704, a code injection bug that also allowed remote code execution and that Microsoft patched in its July 2025 Patch Tuesday release. That July fix did not fully close the issue, which is why Microsoft now warns that on-premises SharePoint Server customers remain at severe risk. SharePoint Online in Microsoft 365 is not affected.
Microsoft has confirmed active attacks against on-premises SharePoint servers and, at the time of writing, was still preparing a comprehensive update. It credited Viettel Cyber Security, reporting through Trend Micro's Zero Day Initiative, for the issue. In the meantime Microsoft recommends confirming that Antimalware Scan Interface (AMSI) integration is enabled in SharePoint (it has been on by default since the September 2023 security update for SharePoint Server 2016, 2019 and Subscription Edition 23H2, but older or manually configured farms may have it off) and running Microsoft Defender Antivirus on every SharePoint server until the patch is available.
Adding to the urgency, Eye Security and Palo Alto Networks Unit 42 report that attackers chain the flaw with CVE-2025-49706, a spoofing vulnerability that lets an unauthenticated request reach pages that should require authentication; the combined exploit chain is known as ToolShell. The authentication bypass is what turns the deserialization bug into an unauthenticated remote code execution path, so the two flaws are more dangerous together than either is alone.
Eye Security's initial count found more than 85 compromised SharePoint servers worldwide across 29 organizations, including multinational corporations and government bodies. The observed tradecraft is purposeful rather than flashy: after gaining code execution, the attackers use PowerShell to write an ASPX web shell to disk whose main job is to read the server's ASP.NET MachineKey (the ValidationKey and DecryptionKey). With those keys an attacker can sign their own __VIEWSTATE payloads, which SharePoint will accept and deserialize, so they keep code execution even after the server is patched. Stealing the keys, not the web shell itself, is what provides persistent access.
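The following is an added detection example, not code from the article, Eye Security or Microsoft. It parses IIS W3C logs and flags the request shape that Microsoft and Eye Security published as indicators for this campaign: an anonymous POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit carrying a Referer of /_layouts/SignOut.aspx, and any request to the dropped spinstall0.aspx web shell (or its spinstallN.aspx variants). The log lines, hostnames and addresses are constructed for the example.

```python
"""Hunt for the ToolShell request pattern in IIS W3C logs.

Added example code; not the article's, Eye Security's or Microsoft's own tooling.
The log excerpt below is constructed, not a real capture.
"""
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt. IIS writes '-' for empty fields and '+' for
# spaces inside a field, so splitting on whitespace is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-07-19 02:11:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2025-07-19 02:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.com/ 200
2025-07-19 02:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.com/sites/hr/default.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
EDIT_MODE = re.compile(r"(?:^|&)displaymode=edit(?:&|$)", re.I)
WEBSHELL = re.compile(r"/spinstall\d*\.aspx$", re.I)  # spinstall0.aspx and its variants


@dataclass
class Finding:
    line_no: int
    client_ip: str
    severity: str
    reason: str


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file after an IIS restart
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"data before #Fields header at line {line_no}")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than misalign the columns
        rec = dict(zip(fields, values))
        rec["_line"] = line_no
        records.append(rec)
    return records


def find_toolshell(records):
    """Return a Finding for every ToolShell-shaped request, in file order."""
    findings = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "-")
        referer = r.get("cs(Referer)", "-")
        anonymous = r.get("cs-username", "-") == "-"
        ip = r.get("c-ip", "?")
        if WEBSHELL.search(stem):
            findings.append(Finding(r["_line"], ip, "high", f"request to web shell path {stem}"))
        elif r.get("cs-method") == "POST" and TOOLPANE.search(stem) and EDIT_MODE.search(query):
            if SIGNOUT.search(referer):
                findings.append(Finding(r["_line"], ip, "high",
                                        "ToolPane.aspx edit POST with SignOut.aspx Referer (auth bypass)"))
            elif anonymous:
                findings.append(Finding(r["_line"], ip, "medium",
                                        "anonymous ToolPane.aspx edit POST"))
            # Authenticated editors legitimately POST to ToolPane.aspx; those are not flagged.
    return findings


if __name__ == "__main__":
    for f in find_toolshell(parse_w3c(SAMPLE_LOG)):
        print(f"line {f.line_no} {f.severity:6} {f.client_ip:15} {f.reason}")
```

Point it at the files under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\) for the SharePoint web applications. The parser takes its column names from the #Fields header, so any field selection works, but the Referer check only fires if cs(Referer) is among the logged fields; a hit on the web shell path alone is still enough to escalate.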
For organizations that cannot enable AMSI, Microsoft's advice is to disconnect the SharePoint servers from the internet until the security update can be applied. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog and issued an alert on the ongoing exploitation, urging everyone operating on-premises SharePoint servers to act immediately.
Microsoft has since released security updates for CVE-2025-53770 and for a second newly disclosed flaw, CVE-2025-53771, a spoofing variant of CVE-2025-49706 that the same updates address. Applying the patch alone is not enough for a server that may already have been exploited: because the attackers' persistence rests on stolen MachineKey values, Microsoft also advises rotating the ASP.NET machine keys after installing the update (through Central Administration or the Update-SPMachineKey PowerShell cmdlet), restarting IIS, and then hunting for the dropped web shell. The coordinated response from Microsoft, security vendors and federal agencies has been fast, but it only helps the organizations that act on it.
The situation is serious, but the path forward is clear: install the update, rotate the keys, and review each server for signs of compromise, so that the response effort actually translates into stronger defenses rather than a patched server with an attacker still holding the keys.
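Why a stolen MachineKey outlives the patch, and why key rotation closes the door, as an added example that is not part of the article and is not ASP.NET's own code. It is a simplified model: real ASP.NET derives per-purpose keys from the machine key and binds page-specific data into the ViewState MAC, and the "payload" here is a placeholder byte string rather than a gadget chain. The property that carries over is the one that matters: whoever holds the validation key can mint __VIEWSTATE blobs the server accepts, until the key changes.

```python
"""Stolen-MachineKey persistence model. Added example, not ASP.NET's real MAC scheme."""
import base64
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size


def sign_viewstate(state: bytes, validation_key: bytes) -> bytes:
    """Attach an HMAC-SHA256 tag to serialized state and base64 it, __VIEWSTATE style."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag)


def verify_viewstate(blob: bytes, validation_key: bytes):
    """Return the state if the tag verifies under this key, otherwise None."""
    raw = base64.b64decode(blob)
    if len(raw) <= TAG_LEN:
        return None
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


class SharePointServer:
    """Stand-in for a server that has been patched for the deserialization bug
    but still, like any ASP.NET app, deserializes any __VIEWSTATE whose MAC verifies."""

    def __init__(self):
        self.validation_key = os.urandom(64)

    def accepts(self, blob: bytes) -> bool:
        return verify_viewstate(blob, self.validation_key) is not None

    def rotate_machine_key(self):
        # Models what rotating the farm's machine key (Update-SPMachineKey plus an
        # IIS restart) achieves: every MAC under the old key stops verifying.
        self.validation_key = os.urandom(64)


def persistence_demo():
    """Return (accepted_before_rotation, accepted_after_rotation, accepted_without_key)."""
    server = SharePointServer()
    stolen_key = server.validation_key  # what the web shell leaked to the attacker
    payload = b"<attacker-controlled serialized object graph>"  # constructed placeholder

    forged = sign_viewstate(payload, stolen_key)
    before = server.accepts(forged)  # the stolen key is the server's key, so this verifies

    server.rotate_machine_key()
    after = server.accepts(forged)  # the old MAC no longer verifies
    retry = server.accepts(sign_viewstate(payload, stolen_key))  # re-signing with the old key fails too

    # An attacker who never had the key cannot produce a valid MAC at all.
    without_key = server.accepts(sign_viewstate(payload, os.urandom(64)))
    return before, after, retry or without_key


if __name__ == "__main__":
    print(persistence_demo())  # (True, False, False)
```

The design point is that patching removes the initial entry vector but does nothing to a credential that has already left the server; only invalidating that credential does. That is why the advisory guidance pairs the update with a key rotation and an IIS restart rather than treating the patch as the end of the incident.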