
CISA Urges Immediate Action to Patch Critical Microsoft SharePoint Flaw

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog, urging immediate patching. The flaw, tracked as CVE-2025-53770, is actively being exploited in the wild and affects on-premises SharePoint Servers.

Main Content

CISA Adds Critical SharePoint Vulnerability to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft SharePoint vulnerability, tracked as CVE-2025-53770 (“ToolShell”), to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability has a CVSS score of 9.8 and is under active exploitation.

Emergency Updates Released by Microsoft

Microsoft recently released emergency updates for two zero-day flaws in SharePoint, identified as CVE-2025-53770 and CVE-2025-53771. These vulnerabilities, collectively referred to as “ToolShell,” have been exploited since July 18, 2025. Both flaws affect on-premises SharePoint Servers and can be chained for unauthenticated, remote code execution.

Vulnerability Details

The vulnerability CVE-2025-53770 involves the deserialization of untrusted data in on-premises Microsoft SharePoint Server. This flaw allows unauthorized attackers to execute code over a network. The issue was discovered by Viettel Cyber Security via Trend Micro’s Zero Day Initiative (ZDI).

Microsoft has acknowledged the active exploitation of this vulnerability:

“Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.” [1]

Mitigation Recommendations

Microsoft recommends enabling AMSI integration and deploying Microsoft Defender across all SharePoint Server farms to protect against this vulnerability. The company has also confirmed that the bug affects only on-premises SharePoint servers, not SharePoint Online in Microsoft 365.

The vulnerability CVE-2025-53770 is a variant of a spoofing flaw tracked as CVE-2025-49706, which was addressed in the July 2025 Patch Tuesday updates. Microsoft is developing a full patch for CVE-2025-53770 and has provided mitigations and detections in the meantime.

Active Exploitation and Detection

Attackers are exploiting the SharePoint flaw to run commands pre-authentication by abusing object deserialization. They use stolen machine keys to persist and move laterally, making detection difficult without deep endpoint visibility. Security researchers from Eye Security and Palo Alto Networks have warned of attacks combining two SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a chain called “ToolShell.”

Global Impact and Recommendations

Eye Security scanned over 8,000 SharePoint servers worldwide and discovered dozens of systems actively compromised. They recommend patching and performing compromise assessments for affected systems.
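The two preceding sections describe pre-authentication requests that abuse deserialization and recommend a compromise assessment for exposed servers. One place such an assessment starts is the IIS web log of the SharePoint front end. The script below is an added example, not code from the original post or from any of the vendors it cites: it parses an IIS W3C log and flags successful POST requests that carried no authenticated user to SharePoint application pages, grouped by client IP. The log lines are constructed, and the "/_layouts/" prefix is an assumption about where SharePoint application pages live, not an indicator published for CVE-2025-53770; a hit is a candidate for review, not proof of exploitation.

```python
"""Triage an IIS W3C log from an on-premises SharePoint server for successful
POST requests made without any authenticated user.  Such hits are not proof of
exploitation, only candidates for the compromise assessment the post recommends.

Added example, not code from the original post.  The log lines are constructed
and the "/_layouts/" prefix is an assumption about where SharePoint application
pages live, not an indicator published for CVE-2025-53770."""
from collections import defaultdict

# Constructed sample log in IIS W3C format; the #Fields directive names the columns.
# IIS replaces spaces inside field values (e.g. the User-Agent) with '+', so a
# whitespace split is safe for real logs as well.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:04 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 31
2025-07-19 02:11:09 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2025-07-19 02:11:10 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 98
2025-07-19 02:12:01 10.0.0.5 POST /_layouts/15/authenticate.aspx - 443 - 198.51.100.9 curl/8.0 - 401 2 5 4
2025-07-19 02:13:44 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 55
"""

# Assumed location of SharePoint application pages (not a published IoC).
APP_PAGE_PREFIX = "/_layouts/"


def parse_w3c(text):
    """Return one dict per log record, keyed by the names in the #Fields line."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed or truncated record: skip
        records.append(dict(zip(fields, values)))
    return records


def find_preauth_posts(records, prefix=APP_PAGE_PREFIX):
    """Group successful, unauthenticated POSTs to application pages by client IP."""
    hits = defaultdict(lambda: {"count": 0, "pages": set(),
                                "first_seen": None, "last_seen": None})
    for r in records:
        if r.get("cs-method") != "POST":
            continue
        if r.get("cs-username", "-") != "-":             # authenticated user: not pre-auth
            continue
        if not r.get("sc-status", "").startswith("2"):   # only requests the server accepted
            continue
        if not r.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        when = f'{r["date"]} {r["time"]}'
        h = hits[r["c-ip"]]
        h["count"] += 1
        h["pages"].add(r["cs-uri-stem"])
        h["first_seen"] = h["first_seen"] or when
        h["last_seen"] = when
    return {ip: {**h, "pages": sorted(h["pages"])} for ip, h in hits.items()}


def summarize(text):
    """Parse the log text and return the flagged client IPs with their activity."""
    return find_preauth_posts(parse_w3c(text))


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f'{ip}: {info["count"]} pre-auth POST(s) to {", ".join(info["pages"])} '
              f'between {info["first_seen"]} and {info["last_seen"]}')
```

On the constructed sample only the source address 203.0.113.7 is flagged: the 401 response from 198.51.100.9 and the POST from the authenticated user CONTOSO\bob are skipped. On a real server, run it over the full log retention window and treat flagged hosts as input to the compromise assessment, not as a verdict.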

According to the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks. CISA has ordered federal agencies to fix the vulnerabilities by July 21, 2025. Private organizations are also advised to review the Catalog and address the vulnerabilities in their infrastructure.
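The directive gives every KEV entry a due date, and the paragraph above advises private organisations to review the Catalog as well. The following script is an added example, not code from the original post or from CISA: it reads a KEV-shaped JSON document, keeps the entries for products in a local inventory, and buckets them as overdue, due within a warning window, or on track. The feed excerpt is constructed; the field names follow the public KEV JSON feed's schema, only the CVE id and due date of the SharePoint entry come from this post, and the remaining entries are placeholders.

```python
"""Check a KEV catalog feed against BOD 22-01 due dates.

Added example, not code from the original post or from CISA.  The excerpt below
is constructed: the field names follow the public KEV JSON feed's schema, only
the CVE id and due date of the SharePoint entry come from the post, and the
other entries are placeholders."""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the public KEV JSON feed.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {   # due date from the post; dateAdded and requiredAction are constructed
            "cveID": "CVE-2025-53770", "vendorProject": "Microsoft",
            "product": "SharePoint", "dateAdded": "2025-07-20",
            "dueDate": "2025-07-21",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder entry
            "cveID": "CVE-0000-00001", "vendorProject": "Microsoft",
            "product": "SharePoint", "dateAdded": "2025-07-22",
            "dueDate": "2025-07-28", "requiredAction": "Apply updates.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder entry for a product not in this inventory
            "cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
            "product": "Example Router", "dateAdded": "2025-07-22",
            "dueDate": "2025-07-25", "requiredAction": "Apply updates.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder entry with a distant due date
            "cveID": "CVE-0000-00003", "vendorProject": "Microsoft",
            "product": "Windows", "dateAdded": "2025-08-01",
            "dueDate": "2025-09-01", "requiredAction": "Apply updates.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Products this organisation runs, matched case-insensitively as substrings of
# the catalog's "product" field (constructed inventory).
INVENTORY = {"sharepoint", "windows"}


def triage(kev_json, today=None, inventory=INVENTORY, warn_days=7):
    """Bucket catalog entries for products in `inventory` by due date.

    `today` may be a date or an ISO "YYYY-MM-DD" string (defaults to today).
    Returns {"overdue": [...], "due_soon": [...], "on_track": [...]} holding
    (cveID, dueDate) tuples sorted by due date within each bucket."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    catalog = json.loads(kev_json)
    buckets = {"overdue": [], "due_soon": [], "on_track": []}
    horizon = today + timedelta(days=warn_days)
    for entry in catalog["vulnerabilities"]:
        product = entry.get("product", "").lower()
        if not any(name in product for name in inventory):
            continue
        due = date.fromisoformat(entry["dueDate"])
        if due < today:                # the due date has passed
            key = "overdue"
        elif due <= horizon:           # due within the warning window
            key = "due_soon"
        else:
            key = "on_track"
        buckets[key].append((entry["cveID"], entry["dueDate"]))
    for items in buckets.values():
        items.sort(key=lambda item: item[1])
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_KEV, "2025-07-23").items():
        print(bucket, items)
```

Evaluated on 23 July 2025, the constructed feed reports CVE-2025-53770 as overdue against its 21 July due date, the first placeholder as due within the week, and the router entry is ignored because it is not in the inventory. In practice the input would be the downloaded catalog feed rather than the embedded sample.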

Conclusion

The immediate patching of the critical Microsoft SharePoint vulnerability CVE-2025-53770 is crucial for both federal agencies and private organizations. With active exploitation ongoing, implementing the recommended mitigations and staying vigilant is essential to protect against potential attacks.

References

  1. Microsoft Security Response Center (2025). “Customer Guidance for SharePoint Vulnerability CVE-2025-53770”.

This post is licensed under CC BY 4.0 by the author.