Microsoft is racing to contain a fast‑moving zero‑day campaign against on‑premises SharePoint Server after researchers uncovered a flaw now tracked as CVE‑2025‑53770 and nicknamed “ToolShell.” The vulnerability, rated CVSS 9.8, stems from unsafe deserialization in SharePoint’s ASP.NET framework and lets an unauthenticated attacker run arbitrary code over the network; once inside, the threat actor plants a lightweight web‑shell (ToolShell) that opens full command execution, credential dumping and lateral‑movement pathways.
Exploitation began in mid‑July and has already breached more than 75 organisations worldwide, including financial‑services firms, defence contractors and two European universities, according to telemetry shared with SecurityWeek and The Hacker News. Eye Security’s internet scans show dozens of compromised servers beaconing to a cluster of IPs in Russia and Vietnam, suggesting the campaign is both automated and opportunistic. SharePoint Online in Microsoft 365 is unaffected; the danger is confined to self‑hosted SharePoint 2016, 2019 and Subscription Edition.
When Microsoft issued its July Patch Tuesday bundle, researchers quickly proved that CVE‑2025‑49706 (fixed that day) could be bypassed; ToolShell is that bypass. Microsoft has since shipped out‑of‑band fixes for SharePoint Subscription Edition and SharePoint 2019, but SharePoint 2016 remains unpatched while engineers “finish validation.” The company’s guidance urges admins to:
- install July 2025 security updates (where available);
- enable AMSI scanning and Defender for Endpoint;
- rotate ASP.NET machine keys;
- block or closely monitor strange requests to /_layouts/15/.aspx resources, which attackers exploit for payload delivery.
Because a universal patch is not ready, Microsoft and CISA instruct organisations to remove vulnerable servers from the public internet or apply a PowerShell script that disables remote procedure calls to vulnerable endpoints and enforces strict request filtering. CISA has added CVE‑2025‑53770 to its Known Exploited Vulnerabilities catalogue, giving U.S. federal agencies 48 hours to apply mitigations or disconnect affected servers.
Anatomy of the attack
- Initial access: the attacker sends a crafted SOAP request that triggers unsafe deserialization, achieving code execution as the SharePoint service account.
- Payload drop: a small ASPX file (“ToolShell.aspx”) lands in /_layouts/15 and phones home.
- Privilege escalation: system tokens are stolen; attackers scour the server for web.config files containing passwords.
- Lateral movement & data theft: encrypted secrets are exfiltrated; some victims saw outbound traffic to Teams and OneDrive APIs, indicating wider M365 abuse.
Indicators of compromise published by SOCRadar include SHA‑256 hashes of the web‑shell, malicious user‑agent strings (“toolshell‑loader/1.3”) and command‑and‑control ranges 94.103.9[.]0/24 and 193.23.181[.]0/24. Threat hunters should also look for scheduled tasks invoking mshta.exe, powershell -enc blobs and unusual IIS worker‑process spawns.
What to do now
- Patch if you can: Subscription Edition and 2019 admins should apply Microsoft’s out‑of‑band updates immediately.
- Mitigate if you can’t: 2016 shops must implement Microsoft’s PowerShell hardening script, enable AMSI, and block internet exposure until a fix ships.
- Hunt aggressively: query server logs for the ToolShell IOC set, review outbound traffic for odd DNS or HTTP destinations, and rotate all credentials stored inside SharePoint.
- Prepare for follow‑on attacks: ToolShell backdoors have been used to deploy Cobalt Strike, Bughatch and ransomware loaders within hours of initial compromise.
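As an added example (not from the article, SOCRadar or Microsoft), here is the log hunt described in the IOC paragraph and the “Hunt aggressively” step, run over IIS W3C logs: it flags the quoted user‑agent string (ASCII hyphen, as it would appear in a log), client IPs inside the two C2 ranges, requests for the ToolShell.aspx path, and anonymous hits on /_layouts/15/*.aspx. The log lines, the edit.aspx name and the specific client IPs are constructed for the demonstration.

```python
import ipaddress
import re

# Indicators quoted in the article (defanged "[.]" removed so they parse).
C2_RANGES = [ipaddress.ip_network("94.103.9.0/24"),
             ipaddress.ip_network("193.23.181.0/24")]
MALICIOUS_UA = "toolshell-loader/1.3"
WEBSHELL_NAME = "toolshell.aspx"
LAYOUTS_ASPX = re.compile(r"^/_layouts/15/[^/\s]+\.aspx$", re.IGNORECASE)

# Constructed sample log (not real telemetry) using the default IIS W3C fields.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 02:15:41 10.0.0.5 POST /_layouts/15/edit.aspx - 443 - 94.103.9.17 toolshell-loader/1.3 200
2025-07-19 02:16:02 10.0.0.5 GET /_layouts/15/ToolShell.aspx - 443 - 193.23.181.44 curl/8.4.0 200
2025-07-19 02:17:55 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\bob 10.0.0.41 Mozilla/5.0 200
"""

def parse_iis_log(text):
    """Parse W3C extended IIS log text; the #Fields: header names the columns."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row):
    """Return the names of the indicators one request matches (empty = clean)."""
    hits = []
    if any(ipaddress.ip_address(row["c-ip"]) in net for net in C2_RANGES):
        hits.append("c2-range")
    # IIS substitutes '+' for spaces inside the User-Agent field.
    if row["cs(User-Agent)"].replace("+", " ").lower() == MALICIOUS_UA:
        hits.append("malicious-ua")
    stem = row["cs-uri-stem"]
    if stem.lower().endswith("/" + WEBSHELL_NAME):
        hits.append("webshell-path")
    # Anonymous ("-") hits on /_layouts/15/*.aspx are a weak signal alone; correlate them.
    elif LAYOUTS_ASPX.match(stem) and row["cs-username"] == "-":
        hits.append("unauth-layouts-aspx")
    return hits

def hunt(text):
    """Map (time, client ip, uri) of each suspicious request to its indicators."""
    return {(r["time"], r["c-ip"], r["cs-uri-stem"]): hits
            for r in parse_iis_log(text) if (hits := classify(r))}
```

Point hunt() at the real IIS log directory contents and review every flagged request alongside the scheduled‑task and worker‑process checks above; the anonymous /_layouts/15 signal on its own is expected on public‑facing sites.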
With proof‑of‑concept exploits circulating in Telegram channels and GitHub gists, defenders have little time to spare. Until Microsoft finalises the SharePoint 2016 patch, the safest posture is “isolate, harden and hunt.” As CISA’s weekend alert warns, leaving an unpatched SharePoint server online today is “the digital equivalent of posting admin passwords on your website.”