Microsoft Releases Emergency SharePoint Patches for ToolShell Attacks
Microsoft has released emergency patches for critical SharePoint vulnerabilities exploited in ongoing ToolShell attacks. Learn more about the security updates and mitigation strategies.
TL;DR
Microsoft has issued emergency patches for two zero-day vulnerabilities in SharePoint, which are being actively exploited in attacks known as “ToolShell.” These vulnerabilities affect on-premises SharePoint Servers and can lead to unauthenticated remote code execution. Users are urged to apply the patches and follow mitigation guidelines to protect their systems.
Main Content
Microsoft Addresses Critical SharePoint Vulnerabilities
Microsoft has released emergency updates for two zero-day vulnerabilities in SharePoint, identified as CVE-2025-53770 and CVE-2025-53771. These vulnerabilities have been exploited since July 18 in a series of attacks dubbed “ToolShell” [1].
Vulnerability Details
Both vulnerabilities specifically impact on-premises SharePoint Servers. Security researchers warn that threat actors could chain these flaws to achieve unauthenticated remote code execution.
- CVE-2025-53770: This vulnerability, with a CVSS score of 9.8, involves the deserialization of untrusted data. An unauthorized attacker could exploit this flaw to execute code over a network. The issue was discovered by Viettel Cyber Security via Trend Micro’s ZDI [2].
- CVE-2025-53771: This flaw, with a CVSS score of 6.3, is a SharePoint spoofing vulnerability caused by improper path restrictions. It was reported by an anonymous researcher and is linked to the previous vulnerabilities CVE-2025-49704 and CVE-2025-49706, which can be chained with CVE-2025-53770 for remote code execution [3].
Active Exploitation and Mitigation
Microsoft has confirmed that CVE-2025-53770 is being actively exploited in the wild. The company is developing a full patch and has provided mitigation guidelines:
“Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.” [4]
Microsoft recommends enabling AMSI integration and deploying Microsoft Defender across all SharePoint Server farms to protect against these vulnerabilities.
ToolShell Attacks
Security researchers from Eye Security and Palo Alto Networks have warned of attacks combining multiple SharePoint flaws, including CVE-2025-49706 and CVE-2025-49704, in a chain called “ToolShell.”
Eye Security reported:
“On the evening of July 18, 2025, Eye Security identified active, large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, dubbed ToolShell, demonstrated just days ago on X. This exploit is being used in the wild to compromise on-premise SharePoint servers across the world.” [5]
Conclusion
The recent SharePoint vulnerabilities highlight the ongoing threat of cyber attacks targeting enterprise systems. Organizations are advised to apply the emergency patches and follow Microsoft’s mitigation guidelines to safeguard their SharePoint Servers. Staying vigilant and proactive in cybersecurity measures is crucial to prevent potential breaches and data loss.
References
1. Security Affairs (2025). “Microsoft issued emergency patches for SharePoint zero-days exploited in ToolShell attacks”. Security Affairs. Retrieved 2025-07-22.
2. Microsoft Security Response Center (2025). “CVE-2025-53770”. Microsoft. Retrieved 2025-07-22.
3. Microsoft Security Response Center (2025). “CVE-2025-53771”. Microsoft. Retrieved 2025-07-22.
4. Microsoft Security Response Center (2025). “Customer Guidance for SharePoint Vulnerability CVE-2025-53770”. Microsoft. Retrieved 2025-07-22.
5. Eye Security (2025). “SharePoint Under Siege”. Eye Security. Retrieved 2025-07-22.