Overview
Microsoft has just disclosed that a vulnerability in Microsoft SharePoint Server has been weaponized and is currently being actively exploited in the wild. According to Microsoft, the zero-day vulnerability is being tracked as CVE-2025-53770 and has a CVSS score of 9.8, which places it in the Critical severity range and means it has a high potential for major impact.
The Threat
This unauthenticated remote code execution (RCE) vulnerability allows attackers to gain full control over unpatched, on-premise SharePoint servers. Crucially, Microsoft emphasizes that SharePoint Online (part of Microsoft 365) is NOT affected by this specific vulnerability.
ToolShell Exploitation
On July 18th, Eye Security reported that they had identified an “active, large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, dubbed ToolShell, demonstrated just days ago on X, this exploit is being used in the wild to compromise on-premise SharePoint servers across the world.”
A Variant of a Recent Patch Tuesday Bug
CVE-2025-53770 is a dangerous variant of CVE-2025-49706, a spoofing bug that Microsoft addressed in its July Patch Tuesday updates. Spoofing vulnerabilities allow attackers to impersonate trusted entities, thereby circumventing security measures to gain unauthorized access, steal sensitive data, or carry out other malicious activities. The fact that this new RCE is a variant suggests attackers are quickly adapting and building upon previously disclosed vulnerabilities.
Widespread Impact
Over 75 enterprises have already been affected by this active exploitation. While no definitive statements have been made regarding the identities of the victims, sources indicate that major government agencies and global enterprises are among those compromised. This underscores the severity and widespread nature of the attacks.
A Patch Was Just Released
Microsoft has just released emergency security updates for SharePoint Subscription Edition and SharePoint 2019. Patches for SharePoint Server 2016 are still pending. Learn more about the patch here.
Microsoft’s Guidance and Recommendations
Patching alone may not be sufficient, so Microsoft has also released urgent guidelines for SharePoint users to help them stay secure. These recommendations include:
- Configure Antimalware Scan Interface (AMSI) integration in SharePoint: AMSI helps to detect and block malicious scripts and other content. Microsoft notes that AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. Organizations should verify this integration is active.
- Deploy Microsoft Defender Antivirus on all SharePoint servers: Defender AV provides detection and protection against components and behaviors related to this threat, specifically identifying Exploit:Script/SuspSignoutReq.A and Trojan:Win32/HijackSharePointServer.A.
- Deploy Microsoft Defender for Endpoint: This solution can detect and block post-exploit activity, providing valuable alerts such as “Possible web shell installation,” “Possible exploitation of SharePoint server vulnerabilities,” and “Suspicious IIS worker process behavior.”
- If AMSI cannot be enabled, disconnect your SharePoint server from the internet: This is a drastic but necessary measure for highly vulnerable systems until a patch becomes available.
- Monitor for specific post-exploitation indicators: Microsoft suggests looking for the creation of spinstall0.aspx as an indicator of successful exploitation of CVE-2025-53770. They provide advanced hunting queries for Microsoft 365 Defender to aid in this detection.
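The last recommendation, hunting for spinstall0.aspx, can be done directly against IIS request logs and the web server's file tree. The script below is an added example (not Microsoft's or XM Cyber's code) that parses W3C-format IIS logs using their #Fields header and flags any request for the indicator filename, plus a filesystem walk for the file itself; the sample log lines and the request path they use are constructed, not real traffic.

```python
"""Hunt IIS W3C logs and a web root for spinstall0.aspx, the
post-exploitation indicator Microsoft names for CVE-2025-53770."""
import os

INDICATOR = "spinstall0.aspx"

# Constructed sample IIS W3C log excerpt (not real traffic). The #Fields
# header is parsed, so logs with a different column order still work.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 08:12:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.44 Mozilla/5.0 200 120
2025-07-19 08:12:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 45
2025-07-19 08:13:40 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\asmith 10.0.0.51 Mozilla/5.0 200 88
2025-07-19 08:15:02 10.0.0.5 POST /_layouts/15/SPINSTALL0.ASPX - 443 - 203.0.113.7 curl/8.0 200 30
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the columns
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def find_indicator_requests(lines):
    """Return requests whose URI stem names the indicator file. IIS paths
    are case-insensitive, so the comparison is too."""
    return [rec for rec in parse_w3c(lines)
            if rec.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1] == INDICATOR]


def find_indicator_files(root):
    """Walk a directory tree (e.g. the SharePoint LAYOUTS folder) for the file."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == INDICATOR]


if __name__ == "__main__":
    for hit in find_indicator_requests(SAMPLE_LOG.splitlines()):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
    print(find_indicator_files("."))  # run from the web root or LAYOUTS folder
```

A hit in either function is a trigger for incident response on that server, not just for patching, since the page notes patching alone may not remove an already-installed web shell.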
How XM Cyber Can Help with CVE-2025-53770
XM Cyber continually monitors your entire infrastructure. Our research team has developed a technique to help customers identify CVE-2025-53770 within their environments.
With XM Cyber’s NG-External Attack Surface Management (NG-EASM) capability, you can test which external-facing machines are vulnerable to this risk. Utilizing continuous monitoring, automated scanning, and real-time data, XM Cyber NG-EASM can detect and alert you about vulnerable versions of SharePoint. If any are detected, the platform provides step-by-step guidance on how to address them. As this is an emerging situation, we will update this post as more information becomes available.