Critical Zero-Day Vulnerabilities Target SharePoint Server: Are You at Risk?

Microsoft has confirmed the exploitation of zero-day vulnerabilities in SharePoint Server, collectively termed ToolShell, on July 19, 2025. This set of vulnerabilities includes CVE-2025-53770, a remote code execution flaw, and CVE-2025-53771, a server spoofing vulnerability. These vulnerabilities predominantly target on-premises Microsoft SharePoint servers, particularly those operating on SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016, leaving SharePoint Online within Microsoft 365 unaffected.

The exploitation of ToolShell began on July 17, 2025, and has been utilized by a range of threat actors, from individual hackers to sophisticated nation-state APT groups. The integration of SharePoint with other Microsoft services, such as Office, Teams, OneDrive, and Outlook, means that compromises could allow attackers extensive access across affected networks, raising significant security concerns.

In the ongoing attack chain, attackers frequently chain four vulnerabilities: two that were patched earlier, CVE-2025-49704 and CVE-2025-49706, together with the two newer ToolShell flaws. CVE-2025-53770 and CVE-2025-53771 were patched shortly after their discovery, but the risk remains high for any system that has not yet applied the updates.

Exploitation involves deploying webshells, which sidestep multi-factor authentication (MFA) and single sign-on (SSO) controls. Attackers have been observed using scripts such as spinstall0.aspx, detected as MSIL/Webshell.JS, to retrieve information from compromised systems. Other simple ASP webshells have also been deployed, widening the set of artifacts defenders need to look for.
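The webshell filename cited above gives defenders something concrete to hunt for in web server logs. The following is an added example, not code from the original article or from Microsoft: a small Python hunt over IIS W3C-format logs that flags every request to a known webshell filename and tallies the source addresses. The log lines in `SAMPLE_LOG` are constructed samples, and `WEBSHELL_NAMES`, `parse_w3c`, `find_webshell_hits` and `summarize_by_client` are names chosen here.

```python
"""Hunt IIS W3C logs for hits on the spinstall0.aspx webshell named in the article."""
import posixpath
from collections import Counter

# Constructed sample IIS log excerpt for demonstration; not real telemetry.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-18 02:15:31 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-18 02:16:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-18 02:20:44 10.0.0.5 GET /_layouts/16/settings.aspx - 443 CONTOSO\\bob 10.0.0.21 Mozilla/5.0 200
"""

# Filenames to hunt for: the one named in the article, plus any IoCs you add.
WEBSHELL_NAMES = {"spinstall0.aspx"}


def parse_w3c(text):
    """Yield one dict per log entry, using the latest #Fields directive as column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file; track the latest
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("log entry seen before any #Fields header")
        values = line.split(" ")  # IIS encodes spaces inside values as '+', so split is safe
        if len(values) != len(fields):
            continue  # truncated or malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_webshell_hits(text, names=WEBSHELL_NAMES):
    """Return entries whose requested path ends in a known webshell filename."""
    return [rec for rec in parse_w3c(text)
            if posixpath.basename(rec["cs-uri-stem"]).lower() in names]


def summarize_by_client(hits):
    """Count hits per client IP so responders can see which sources reached the shell."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG)
    for h in hits:
        print(h["date"], h["time"], h["cs-method"], h["cs-uri-stem"], "from", h["c-ip"], "status", h["sc-status"])
    print(summarize_by_client(hits))
```

Point it at the real log files under the IIS log directory of each SharePoint web application; a single hit on a filename in this list warrants treating the server as compromised rather than merely patching it.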

Monitoring from July 17 to July 22 showed attacks distributed worldwide, with the United States the most affected. Microsoft has reported notable involvement of China-aligned threat actors, including a backdoor linked to the cyberespionage group LuckyMouse that was detected in Vietnam during this period.

As the exploit is actively being used, the frequency of attacks is expected to rise. To mitigate these risks, Microsoft recommends that users of SharePoint Server operate only supported versions, apply the latest security updates, ensure they have proper antimalware solutions in place, and regularly rotate SharePoint Server ASP.NET machine keys.

The prompt response from Microsoft to patch these vulnerabilities highlights the importance of vigilant cybersecurity practices. Organizations are urged to remain proactive in addressing potential vulnerabilities within their systems to guard against sophisticated cyber attacks.
