Emerging Threat

ToolShell On-Prem SharePoint Vulnerabilities: Emerging Threat Published on Risk Ledger

Microsoft has disclosed two vulnerabilities: CVE-2025-53770 (CVSS 9.8/Critical) and CVE-2025-53771. The exploit method is referred to as a “ToolShell” attack. Find out everything you need to know in this new Risk Ledger Emerging Threats blog.

Summary

Microsoft has disclosed two vulnerabilities: CVE-2025-53770 (CVSS 9.8/Critical) and CVE-2025-53771. The exploit method is referred to as a “ToolShell” attack. These vulnerabilities affect on-premises instances of Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.

Cloud-based versions such as SharePoint Online and Microsoft 365 are reportedly not affected.

Microsoft has released patches and additional guidance in response to this zero-day exploit.

Threat Description

On 19 July 2025, Microsoft issued an emergency advisory for two newly identified zero-day vulnerabilities in SharePoint Server: CVE‑2025‑53770 and CVE‑2025‑53771. These flaws bypassed the July 2025 Patch Tuesday protections for earlier vulnerabilities (CVE‑2025‑49704 and CVE‑2025‑49706). Microsoft published security updates for all vulnerable instances of on-premises SharePoint.

The severity of this threat was reinforced by recent advisories published by the UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

These vulnerabilities allow unauthenticated attackers to access vulnerable SharePoint servers and execute code remotely, giving them access to sensitive SharePoint content and the ability to reach additional systems across the network.

Applicability

Organisations using the following on-premises instances of Microsoft SharePoint are affected:

  • SharePoint Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

Relevance to the Supply Chain

SharePoint is widely used to store and manage documents, enabling teams to collaborate, edit, and process information directly or through automated workflows and other business processes.

It is important for organisations to understand whether any of their suppliers store their data on these vulnerable versions of on-premises SharePoint. Data stored in on-premises SharePoint servers may be at risk from these active exploits.

What you should do about it

If your organisation uses the affected SharePoint versions, take the following actions as described in the Microsoft guidance:

  1. Install the security updates for the relevant SharePoint version.
  2. Ensure the wider security updates from the July 2025 Security Update have been installed.
  3. Ensure Antimalware Scan Interface (AMSI) is enabled.
  4. Deploy an endpoint security solution, such as Microsoft Defender for Endpoint or equivalent.
  5. Rotate SharePoint Server machine keys and restart Microsoft Internet Information Services (IIS) to ensure attackers cannot reuse any previously compromised keys after patches have been deployed.
  6. Use the Microsoft-provided commands and scripts to check for any signs of prior malicious activity indicating a potential compromise.
  7. Check for evidence of malicious activity as described in the CISA advisory and as maintained in the Microsoft guidance.
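
Step 5 as an added example, not code from Risk Ledger or from the Microsoft guidance: it rotates the machine key of every web application in the farm, confirms on the local server that the key in web.config actually changed, and restarts IIS. It assumes an elevated SharePoint Management Shell on a farm server with the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets available; the helper name `Get-KeyFingerprint` is hypothetical.

```powershell
# Added example (not from the page). Run after the security updates are installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Hypothetical helper: SHA-256 fingerprint of the validationKey in a web
# application's local web.config, so the key itself is never printed or logged.
function Get-KeyFingerprint {
    param($WebApp)
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $configPath = Join-Path $WebApp.IisSettings[$zone].Path.FullName 'web.config'
    $key = ([xml](Get-Content -Raw $configPath)).configuration.'system.web'.machineKey.validationKey
    if (-not $key) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($key))
        return [System.BitConverter]::ToString($bytes) -replace '-', ''
    } finally { $sha.Dispose() }
}

foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    $before = Get-KeyFingerprint $webApp
    Set-SPMachineKey -WebApplication $webApp      # generate new key material
    Update-SPMachineKey -WebApplication $webApp   # deploy it to the farm
    $after = Get-KeyFingerprint $webApp
    if ($after -and $after -ne $before) {
        Write-Host "Machine key rotated: $($webApp.Url)"
    } else {
        # Unchanged or missing key: the old key would still validate on this server.
        Write-Warning "Key not changed on this server: $($webApp.Url)"
    }
}

# Restart IIS so worker processes load the new keys.
# Repeat iisreset on every other SharePoint server in the farm.
iisreset.exe
```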

Where to find more information

The official Microsoft post contains up-to-date information and security updates for CVE-2025-53770 and CVE-2025-53771.

Microsoft post on SharePoint vulnerability

Advisories from NCSC and CISA:

Additional sources of information:
