Microsoft has moved fast to blunt an active exploitation wave targeting on-premises SharePoint Server, rolling out out-of-band fixes for two freshly numbered zero-days, CVE-2025-53770 and the closely related CVE-2025-53771, that attackers have been using since mid-July to hijack corporate portals through an exploit chain dubbed ToolShell and plant web shells. The company released security updates late on 19 July for SharePoint Server Subscription Edition (KB 5002768) and SharePoint 2019 (KB 5002754), but confirmed that SharePoint 2016 remains unpatched while the update “finishes validation.”
ToolShell chains the two bugs: CVE-2025-53771 is the spoofing flaw that lets a request past SharePoint's authentication checks, and CVE-2025-53770 is the unsafe deserialisation of untrusted data in SharePoint Server that turns that request into code execution. An unauthenticated attacker sends one crafted HTTP request to a publicly exposed server and immediately runs arbitrary code inside the IIS worker process under the SharePoint application pool account: no credentials, no multifactor prompts. From there the intruder drops a 9 KB ASPX web shell (seen as ToolShell.aspx or spinstall0.aspx) into /_layouts/15/ or /_layouts/16/, giving full command execution, credential dumping and lateral-movement ability across the Windows domain. Eye Security telemetry shows the technique has already breached at least 75 organisations worldwide, including financial firms, a defence supplier and two European universities.
Patch status at a glance
| Product | Fixed? | Security-update KB | Notes |
|---|---|---|---|
| SharePoint Subscription Edition | Yes | KB 5002768 | Apply immediately, then rotate machine keys |
| SharePoint Server 2019 | Yes | KB 5002754 | Same guidance as above |
| SharePoint Server 2016 | No | — | Use Microsoft's mitigation script and, if possible, pull the server off the public internet until the patch ships |
Microsoft stresses that SharePoint Online (Microsoft 365) is not affected, and all activity seen to date targets self‑hosted deployments.
Mandatory mitigations for 2016 shops
Until the 2016 fix lands, Redmond and CISA both recommend a three‑step defensive stance:
- Run Microsoft's PowerShell hardening script to disable the RPC endpoints exploited by ToolShell and enforce strict request filtering; if the script cannot be applied, take the server off the public internet instead.
- Enable AMSI integration in SharePoint and run Defender Antivirus (or another AMSI-capable engine) on every SharePoint server, so the exploit request is scanned and blocked before SharePoint deserialises it.
- Rotate the ASP.NET machine keys after any security change, and again once the final patch is applied, then restart IIS. The web shell reads these keys out of web.config, and until they change the attacker can forge signed ViewState payloads without needing the shell at all. Microsoft's guidance points to the Update-SPMachineKey cmdlet (or the Machine Key Rotation timer job in Central Administration) for each web application, followed by iisreset.
CISA has added CVE‑2025‑53770 to its Known Exploited Vulnerabilities (KEV) catalogue, giving U.S. federal agencies 48 hours to apply the available updates or disconnect vulnerable servers.
How the attack unfolds
- Initial access: a single crafted HTTP POST slips past authentication and triggers the deserialisation bug.
- Payload drop: ToolShell.aspx (or spinstall0.aspx) lands under the LAYOUTS path.
- Privilege escalation and spread: the shell reads the ASP.NET machine keys (ValidationKey and DecryptionKey) and any credentials stored in web.config, dumps LSASS, and spawns encoded PowerShell to fan out across the network. The stolen keys let the attacker forge signed ViewState payloads and keep executing code after the shell is deleted, which is why key rotation is part of the fix.
- Post-exploitation: defenders have observed Cobalt Strike, Bughatch and even ransomware loaders within hours of first compromise.
Hunt teams should look for:
- newly created ToolShell.aspx, spinstall0.aspx or similarly named files in /_layouts/15 or /_layouts/16 (on disk, the TEMPLATE\LAYOUTS folder under the 15 or 16 hive of Web Server Extensions);
- in the IIS logs, POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit (or the /16/ equivalent) whose Referer is /_layouts/SignOut.aspx, the indicator Microsoft published for the exploit request;
- IIS worker processes (w3wp.exe) launching PowerShell with -enc or -EncodedCommand arguments;
- outbound traffic to the C2 ranges 94.103.9[.]0/24 and 193.23.181[.]0/24, or requests carrying the user-agent string toolshell-loader/1.3.
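The hunt list above, and the log audit in the admin checklist that follows, can be run offline with a short triage script. The one below is an added example, not code from the article, Microsoft or Eye Security. It parses IIS W3C log lines by their #Fields header, flags the exploit request (Microsoft's published ToolPane.aspx/SignOut.aspx indicator), the web-shell names and user-agent the article lists, w3wp.exe spawning encoded PowerShell (and decodes the command for the analyst), and connections into the article's C2 ranges. All log lines, process events, IP addresses and paths in it are constructed; the rule names and the assumption that spinstall1.aspx-style variants count as "similarly named" are the author's.

```python
"""Offline triage for the ToolShell indicators listed in the article.
Added example with constructed sample data; not Microsoft's or Eye Security's code."""
import base64
import ipaddress
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Web-shell names from the article; "\d*" also catches similarly named
# variants such as spinstall1.aspx (an assumption, not a confirmed name).
WEBSHELL_RE = re.compile(r"(?i)^/_layouts/1[56]/(toolshell|spinstall\d*)\.aspx$")
# PowerShell accepts -e, -ec, -enc, -EncodedCommand; the argument is base64.
ENC_CMD_RE = re.compile(r"(?i)\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})")
UA_IOC = "toolshell-loader/1.3"
C2_RANGES = [ipaddress.ip_network("94.103.9.0/24"), ipaddress.ip_network("193.23.181.0/24")]

# Constructed IIS W3C log: one bypass POST, one web-shell fetch, one benign
# request and one request carrying the article's user-agent IOC.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:11:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://portal.example.com/_layouts/SignOut.aspx 200
2025-07-18 22:11:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 22:11:15 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 22:12:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.9 toolshell-loader/1.3 - 200
"""

# Constructed process-creation events (Sysmon event 1 / Windows 4688 style).
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep Bypass -File C:\scripts\backup.ps1"},
]

# Constructed outbound connections from the SharePoint host: (dst_ip, dst_port).
OUTBOUND: List[Tuple[str, int]] = [("94.103.9.77", 443), ("13.107.42.14", 443), ("193.23.181.5", 8080)]


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, naming columns from the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines rather than misalign columns
                records.append(dict(zip(fields, values)))
    return records


def hunt_iis(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag the exploit POST, web-shell requests and the user-agent IOC."""
    findings: List[Dict[str, str]] = []
    for r in parse_w3c(lines):
        stem, query, ref = r["cs-uri-stem"], r["cs-uri-query"], r["cs(Referer)"]
        hit = {"ip": r["c-ip"], "stem": stem}
        if (r["cs-method"] == "POST" and stem.lower().endswith("/toolpane.aspx")
                and "displaymode=edit" in query.lower() and "/_layouts/signout.aspx" in ref.lower()):
            findings.append({"rule": "toolshell-bypass-post", **hit})
        if WEBSHELL_RE.match(stem):
            findings.append({"rule": "webshell-request", **hit})
        if r["cs(User-Agent)"].lower() == UA_IOC:
            findings.append({"rule": "ioc-user-agent", **hit})
    return findings


def decode_encoded_command(token: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode("utf-16le", errors="replace")


def hunt_process_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """w3wp.exe spawning PowerShell with an encoded command."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()
        m = ENC_CMD_RE.search(ev["cmdline"])
        if parent == "w3wp.exe" and image in {"powershell.exe", "pwsh.exe"} and m:
            findings.append({"parent": parent, "decoded": decode_encoded_command(m.group(1))})
    return findings


def hunt_outbound(conns: Iterable[Tuple[str, int]]) -> List[str]:
    """Destinations inside the C2 ranges the article lists."""
    return [ip for ip, _port in conns if any(ipaddress.ip_address(ip) in net for net in C2_RANGES)]


if __name__ == "__main__":
    for finding in hunt_iis(IIS_LOG.splitlines()) + hunt_process_events(PROCESS_EVENTS):
        print(finding)
    print("C2 contacts:", hunt_outbound(OUTBOUND))
```

Point the functions at real IIS logs (parse_w3c handles the #Fields header, so the column order of your site does not matter), at process-creation events exported from Sysmon or the Security log, and at firewall or proxy records of outbound connections. Because the key theft happens on the first request, go back to the earliest log you have, not just to the patch date.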
For admins, here’s what to do urgently
- Patch today if you run Subscription Edition or 2019; reboot and verify the build numbers.
- Deploy Microsoft Defender for Endpoint (or equivalent) and make sure antivirus signatures are current so the new detections (Exploit:Script/SuspSignoutReq.A, Trojan:Win32/HijackSharePointServer.A) are active.
- Audit logs for past exploitation going back to 18 July; many victims were breached before patches existed, and a patched server whose machine keys were stolen earlier is still exposed until the keys are rotated.
- Educate IT staff: any externally facing SharePoint server without these fixes is “the digital equivalent of posting admin passwords on your website,” CISA warns.
Microsoft says the SharePoint 2016 patch is “days, not weeks” away. Until it ships, isolating the server or enforcing Microsoft’s script is the only safe course. With proof‑of‑concept exploits now circulating on GitHub and Telegram, time is short—and the attackers have a head start.
Discover more from TechBooky