The recent discovery and exploitation of a critical SharePoint vulnerability, designated CVE-2025-53770, has escalated into a global cybersecurity crisis. Initially reported as a zero-day vulnerability, the flaw has proven to be far more dangerous than expected. Threat actors have already leveraged the exploit to breach tens of thousands of on-premises SharePoint servers across various sectors, including government agencies, financial institutions, and universities. The attack, which requires no authentication, allows malicious actors to execute remote code via specially crafted requests. These exploits are being delivered through a method dubbed “ToolShell,” which chains vulnerabilities to gain unauthorized access and plant persistent backdoors.
Security researchers and federal cybersecurity agencies have emphasized the stealthy nature of these attacks. Not only can attackers upload ASPX web shells, but they are also stealing cryptographic machine keys, allowing them to forge valid authentication tokens and remain undetected even after servers are patched. As a result, many organizations that applied Microsoft’s security updates discovered the attackers could still return. The implications go beyond the typical patch-and-forget cycle, requiring deeper forensic cleanup and key rotation to fully eliminate the threat.
Microsoft has issued emergency updates for affected versions, including SharePoint 2019 and the Subscription Edition, while SharePoint 2016 users still await a full patch. Meanwhile, CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and urged all affected organizations to isolate or disconnect unpatched SharePoint servers from the internet immediately. AMSI (Antimalware Scan Interface) and Microsoft Defender are being recommended as frontline mitigations, though these are not substitutes for the patch itself.
The situation has prompted collaboration between Microsoft, U.S. cybersecurity agencies, and global partners as they assess the extent of the damage. With attackers leveraging stolen machine keys for long-term access, and with public-facing enterprise systems as their entry point, the SharePoint flaw is being compared to major past breaches like Hafnium and SolarWinds in terms of impact and scale. Organizations are strongly encouraged to not only patch but also audit logs, rotate machine keys, scan for web shells, and report incidents to their national cybersecurity bodies.
Sources:
- Microsoft alerts businesses, governments to server software attack
  https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-alerts-businesses-governments-server-software-attack-2025-07-21/
- Global hack on Microsoft product hits U.S., state agencies, researchers say
  https://www.washingtonpost.com/technology/2025/07/20/microsoft-sharepoint-hack/
- Critical Microsoft SharePoint Flaw Exploited to Breach Over 75+ Servers
  https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
- Microsoft SharePoint zero-day breach hits 75 servers: Here's what the company said
  https://timesofindia.indiatimes.com/technology/tech-news/microsoft-sharepoint-zero-day-breach-hits-75-servers-heres-what-the-company-said/articleshow/122805393.cms
- Customer Guidance for SharePoint Vulnerability CVE-2025-53770
  https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/