Microsoft has recently issued an urgent security patch in response to active attacks targeting on-premises SharePoint Server installations. These attacks exploit critical vulnerabilities, specifically CVE-2025-53770 and CVE-2025-53771, which allow unauthenticated remote code execution and spoofing, respectively. The vulnerabilities do not affect SharePoint Online within Microsoft 365. (msrc.microsoft.com)
The exploitation of these vulnerabilities, collectively referred to as "ToolShell," has been observed since at least July 18, 2025. Attackers have been able to gain full access to SharePoint content, including file systems and internal configurations, by deploying web shells and exfiltrating cryptographic secrets. Notably, Chinese state-sponsored groups such as Linen Typhoon and Violet Typhoon have been implicated in these attacks, targeting organizations using self-hosted SharePoint servers for espionage and intellectual property theft. (axios.com)
In response, Microsoft has released security updates for SharePoint Server Subscription Edition and SharePoint Server 2019. Administrators are strongly advised to apply these updates immediately. For SharePoint Server 2016, a patch is currently under development. In the interim, Microsoft recommends enabling the Antimalware Scan Interface (AMSI) and deploying Defender Antivirus on all SharePoint servers. If enabling AMSI is not feasible, disconnecting the server from the internet is advised. Additionally, rotating SharePoint server ASP.NET machine keys and restarting IIS on all SharePoint servers are critical steps to mitigate potential exploitation. (msrc.microsoft.com)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating that Federal Civilian Executive Branch agencies apply the fixes by July 21, 2025. Organizations are urged to review Microsoft's security advisory and implement the recommended mitigations promptly to protect their systems from these active threats. (cisa.gov)
Given the severity of these vulnerabilities and the active exploitation by sophisticated threat actors, it is imperative for organizations using on-premises SharePoint Server to act swiftly. Applying the latest security updates, enabling AMSI, deploying Defender Antivirus, and rotating machine keys are essential steps to safeguard against potential breaches. Continuous monitoring and adherence to Microsoft's guidance will be crucial in mitigating the risks associated with these vulnerabilities.
Source: Social News XYZ Microsoft issues urgent security patch after ‘active attacks’ on document-sharing software - Social News XYZ
