SharePoint Under Attack: Microsoft Warns of Zero-Day Exploited in the Wild – No Patch Available

Enterprises running SharePoint servers should not wait for a fix for CVE-2025-53770 and should commence threat hunting to search for compromise immediately.

Microsoft issued an urgent warning on Saturday to SharePoint Server customers, saying active attacks are targeting a zero-day vulnerability in the software product, which has been assigned CVE-2025-53770 with a CVSS score of 9.8.

A patch is currently not available for the flaw, dubbed “ToolShell”, which Microsoft says is a variant of CVE-2025-49706.

The Redmond, Washington-based tech giant said a security update is currently in the works and provided mitigation instructions and detection guidance. Security teams should take immediate action to implement mitigations in the meantime.

“Google Threat Intelligence Group has observed threat actors exploiting this vulnerability to install webshells and exfiltrate cryptographic secrets from victim servers,” a Google spokesperson told SecurityWeek. “This allows for persistent, unauthenticated access and presents a significant risk to affected organizations.”

Researchers at Eye Security say they discovered “dozens of systems actively compromised,” which they say likely occurred in attacks around July 18th at roughly 18:00 CET and July 19th at roughly 07:30 CET.

The Palo Alto Networks Unit42 team said on Saturday that it has also seen active exploitation of CVE-2025-49704 and CVE-2025-49706, which affect Microsoft SharePoint.

“To protect your on-premises SharePoint Server environment, we recommend customers configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability,” Microsoft explained in its advisory.

“Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions,” commented Charles Carmakal, CTO, Mandiant Consulting – Google Cloud.

Microsoft said it would provide updates and additional guidance as they become available.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on Sunday, July 20th.

SecurityWeek will update this article and provide additional coverage as details evolve.

UPDATE, July 21: Microsoft has assigned a second CVE identifier, CVE-2025-53771, and it has started releasing patches for the ToolShell zero-days.

UPDATE, July 22: The first attack waves, which targeted high-value organizations, have been linked to China.

Helpful links and resources for CVE-2025-53770 and CVE-2025-53771:

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.