Critical Zero-Day in SharePoint Exploited in Global Cyberattack

A serious zero-day vulnerability in Microsoft SharePoint Server is currently being exploited in an ongoing cyberattack campaign that has impacted over 85 servers across at least 54 organizations worldwide. Affected entities include government agencies, multinational corporations, and financial institutions.
The flaw, identified as CVE-2025-53770, has been assigned a CVSS score of 9.8, marking it as critical. The vulnerability enables unauthenticated remote code execution on vulnerable SharePoint installations. As of now, no official patch has been released.
Attack Overview
Security researchers report that the attacks began around July 18, specifically targeting on-premises deployments of SharePoint Server. Victims are located in the United States, Europe, Asia, and Australia.
Microsoft confirmed over the weekend that it is aware of the active exploitation and is working on an emergency security update for affected customers.
Government and Industry Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog and directed federal agencies to implement mitigation measures immediately.
Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA, stated:
“We were made aware of the exploitation by a trusted partner and reached out to Microsoft immediately to take action.”
Dutch cybersecurity firm Eye Security, which first discovered the exploit in the wild, reported that several of the affected organizations are banks and national government bodies, primarily located in the United States, Germany, France, and Australia. According to its CTO, Piet Kerkhofs, mass exploitation is still underway.
Technical Details
Researchers have referred to the exploit as "ToolShell", a sophisticated variant of an earlier vulnerability, CVE-2025-49706, which Microsoft had patched in July. The flaw results from the deserialization of untrusted data in on-premises SharePoint Server, allowing an attacker to execute code over a network without authentication.
Once exploited, attackers deploy web shells and extract cryptographic keys from compromised SharePoint servers. These keys can be used to forge valid authentication tokens and execute additional commands, giving attackers persistent access that survives even after a patch is later applied.
Mitigation Recommendations
Microsoft has issued the following interim guidance:
Enable Antimalware Scan Interface (AMSI) integration on all SharePoint servers.
Deploy Microsoft Defender Antivirus if not already installed.
For organizations unable to implement AMSI, disconnect vulnerable servers from the internet until a patch becomes available.
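The article describes two post-exploitation artefacts on a compromised server: dropped web shells and stolen cryptographic keys. The following added triage script (example code written for this post, not Microsoft's guidance or the article's own material) lists server-side pages written to the SharePoint LAYOUTS directory since the campaign start date the article gives and flags any that reference key material; it assumes the SharePoint "16" hive install path, and, since the article does not name the key type, it assumes the ASP.NET machine keys.

```powershell
# Added example (not from the article): triage a SharePoint server for the
# two post-exploitation artefacts described above, web shells dropped into
# the LAYOUTS directory and pages that touch key material.
# Assumptions: the SharePoint "16" hive path, the July 18 campaign start
# date from the article, and an elevated PowerShell session on the server.

$LayoutsPath   = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$CampaignStart = Get-Date '2025-07-18'

function Find-RecentLayoutsFiles {
    param([string]$Path = $LayoutsPath, [datetime]$Since = $CampaignStart)
    # LAYOUTS content normally arrives with the product or a cumulative update;
    # a server-side page created or modified after the campaign began deserves review.
    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                # Hash recorded so a hit can be compared against vendor indicators later.
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Test-MachineKeyExposure {
    param([string]$Path = $LayoutsPath, [datetime]$Since = $CampaignStart)
    # Assumption: the stolen keys are the ASP.NET machine keys, so a recently
    # written page that references them is consistent with the key theft described.
    Find-RecentLayoutsFiles -Path $Path -Since $Since |
        Where-Object { Select-String -Path $_.Path -Pattern 'MachineKey|ValidationKey|DecryptionKey' -Quiet }
}

Find-RecentLayoutsFiles | Format-Table -AutoSize
Test-MachineKeyExposure | Select-Object Path, SHA256
```

Because the article notes that stolen keys remain usable after patching, any hit from the second function means the keys should be treated as compromised and rotated as part of recovery, not just the server patched.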
Microsoft confirmed that SharePoint Online users (Microsoft 365) are not affected by this vulnerability.
Conclusion
This campaign underscores the growing risks associated with unpatched, on-premises infrastructure. Organizations running SharePoint Server locally should implement Microsoft’s recommended mitigations immediately and monitor for unusual activity.
As the threat landscape continues to evolve, staying ahead of zero-day vulnerabilities like CVE-2025-53770 is critical to maintaining a sound security posture.
Written by Rahul Garg