In July 2025, Microsoft disclosed a critical zero-day vulnerability in its on-premises SharePoint Server, identified as CVE-2025-53770. This flaw, with a CVSS score of 9.8, allows unauthenticated remote code execution, enabling attackers to gain full control over affected servers. The vulnerability affects SharePoint Server 2016, 2019, and the Subscription Edition, while SharePoint Online remains unaffected.
The exploitation of CVE-2025-53770, dubbed "ToolShell," involves attackers sending specially crafted requests to vulnerable SharePoint endpoints, leading to the execution of arbitrary code. Notably, the attack chain includes the deployment of a malicious ASPX file named "spinstall0.aspx," which extracts cryptographic keys from the server. With these keys, attackers can forge valid authentication tokens, maintaining persistent access even after patches are applied. (research.eye.security)
Microsoft has acknowledged active exploitation of this vulnerability and has provided interim mitigation measures. Administrators are advised to enable Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers. If enabling AMSI is not feasible, disconnecting the server from the internet is recommended until a security update becomes available. (msrc.microsoft.com)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging organizations to apply mitigations promptly. Security researchers have observed widespread exploitation, with attackers targeting sectors such as government, telecommunications, education, and critical infrastructure. (cisa.gov)
Given the severity and active exploitation of this vulnerability, organizations using on-premises SharePoint servers should implement Microsoft's recommended mitigations immediately. Additionally, conducting thorough security assessments to detect any signs of compromise is crucial to prevent potential data breaches and maintain system integrity.
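One concrete form such an assessment can take is a hunt through IIS web logs for the "spinstall0.aspx" file name that the attack chain above drops onto the server. The following Python script is an added example, not code from the article, Microsoft, or Eye Security: it parses IIS W3C-format log lines using the `#Fields:` directive, flags every request whose URI stem ends in that file name, and summarises which client addresses touched it. The log excerpt is constructed for the example, the `/_layouts/15/` path is an assumption (only the file name comes from the article), and `flag_dropped_paths` is a hypothetical helper for checking a list of files found on disk.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# File name named in the ToolShell reporting; the path under which it is
# served is an assumption for this example, so we match on the name only.
SUSPECT_FILENAME = "spinstall0.aspx"

# Constructed IIS W3C log excerpt (not real traffic). IIS declares the column
# order in a "#Fields:" directive, which the parser below honours.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 10:15:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 200 120
2025-07-19 10:16:44 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 35
2025-07-19 10:16:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 12
2025-07-19 10:17:02 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 200 88
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # new directive may change the layout mid-file
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()  # W3C fields never contain raw spaces
        if not fields or len(values) != len(fields):
            continue  # malformed record or no directive yet: skip rather than guess
        yield dict(zip(fields, values))


def find_toolshell_indicators(text: str) -> List[Hit]:
    """Return every request whose URI stem is the dropped ASPX file."""
    hits: List[Hit] = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] == SUSPECT_FILENAME:
            hits.append(Hit(
                timestamp=f"{rec.get('date', '?')} {rec.get('time', '?')}",
                client_ip=rec.get("c-ip", "?"),
                method=rec.get("cs-method", "?"),
                uri=rec.get("cs-uri-stem", "?"),
                status=rec.get("sc-status", "?"),
            ))
    return hits


def summarize_by_client(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count indicator requests per client address, for triage and blocking."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


def flag_dropped_paths(paths: Iterable[str]) -> List[str]:
    """Hypothetical helper: pick out on-disk paths whose file name matches."""
    return [p for p in paths if os.path.basename(p).lower() == SUSPECT_FILENAME]


def scan_directories(roots: Iterable[str]) -> List[str]:
    """Walk the given directories (e.g. SharePoint LAYOUTS folders) for the file."""
    found: List[str] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            found.extend(flag_dropped_paths(os.path.join(dirpath, f) for f in files))
    return found


if __name__ == "__main__":
    for hit in find_toolshell_indicators(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} {hit.method} {hit.uri} -> {hit.status}")
    print(summarize_by_client(find_toolshell_indicators(SAMPLE_LOG)))
```

A single hit is enough to act on: because the dropped file is used to steal the server's cryptographic keys, and those keys let an attacker forge valid tokens after the patch is installed, a match means the keys should be treated as compromised and rotated rather than relying on the security update alone. The disk scan is a complement to the log search, since a 200 response to the file shows it was reachable even if it has since been deleted.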
Source: theregister.com, "Another massive security snafu hits Microsoft"