Microsoft SharePoint Zero-Day Flaw Under Mass Exploitation: Hackers Target Vulnerability for Widespread Attacks.

A critical zero-day vulnerability in Microsoft SharePoint Server is under mass exploitation, prompting urgent action from organizations worldwide. The vulnerability, tracked as CVE-2025-53770, is a deserialization-of-untrusted-data flaw that allows unauthenticated remote code execution on affected SharePoint servers. Microsoft has released emergency patches for this actively exploited flaw together with a related spoofing vulnerability, CVE-2025-53771, which is used alongside it to reach the vulnerable code without credentials.

Mass exploitation of these vulnerabilities began around July 18, 2025, with attackers planting web shells on compromised SharePoint servers to steal sensitive data and obtain full remote access. Victims include federal and state agencies, universities, and energy companies, highlighting the breadth of the threat. Cybersecurity experts warn that any organization with an internet-exposed SharePoint server should assume it has been compromised and investigate accordingly, rather than treating patching alone as sufficient.

The attack chain, dubbed "ToolShell" by researcher Khoa Dinh, combines the two new flaws with the previously patched vulnerabilities CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing/authentication bypass). Those two were demonstrated at Pwn2Own Berlin in May 2025, where researchers chained them to gain unauthenticated access; Microsoft patched them in its July 2025 updates, and CVE-2025-53770 and CVE-2025-53771 are bypasses of those patches, which is why servers that were fully up to date before the emergency release were still exploitable. The chain abuses a logic flaw in the server's Referer header validation: a crafted POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit carrying a Referer of /_layouts/SignOut.aspx is treated as an already-authenticated request, and the attacker then delivers a malicious serialized payload through that endpoint to execute arbitrary code.

Microsoft has confirmed that the zero-day affects only on-premises Microsoft SharePoint Server. SharePoint Online in Microsoft 365 is not affected. Emergency patches have been released for SharePoint Server Subscription Edition and SharePoint Server 2019, with an update for SharePoint Server 2016 also expected.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to apply mitigations immediately. CISA, echoing Microsoft's guidance, recommends enabling AMSI integration in SharePoint and deploying Microsoft Defender Antivirus on all SharePoint servers. Where AMSI cannot be enabled, CISA recommends disconnecting internet-facing SharePoint servers from the network until official mitigations can be applied.

Security researchers have observed attackers evolving their tactics to be stealthier, using in-memory ToolShell payloads to extract the server's ASP.NET machine keys (the MachineKey ValidationKey and DecryptionKey) directly from memory without leaving static artifacts on disk. This makes traditional detection methods, such as hunting for dropped web shells, unreliable. The stolen keys matter beyond the initial intrusion: with them an attacker can forge validly signed __VIEWSTATE payloads and regain code execution even after the patch is installed, so a patched server whose keys were never rotated should still be treated as exposed.

Given the active exploitation and potential for significant damage, organizations running on-premises Microsoft SharePoint Server are urged to act immediately: apply Microsoft's security updates, rotate the ASP.NET machine keys on every SharePoint server (Microsoft's guidance is to run the Update-SPMachineKey PowerShell cmdlet or trigger the machine-key rotation timer job from Central Administration, then restart IIS), and investigate for signs of compromise, including in IIS request logs, since web shells may never have touched disk. Taking SharePoint systems offline until they can be updated and key-rotated is also recommended. CrowdStrike likewise advises rotating the keys and engaging professional incident response services where compromise is suspected.
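The request pattern described above (a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, typically unauthenticated and carrying a SignOut.aspx Referer) leaves a trace in IIS W3C logs even when the payload never touches disk, which is what the investigation step calls for. The following is an added example written for this page, not code from the article, from Microsoft, or from any vendor named here; it parses IIS W3C log lines by their #Fields header and scores each ToolPane request. The log excerpt, hostnames and IP addresses are constructed for illustration.

```python
"""Flag ToolShell-style requests in IIS W3C (space-delimited) log files.

Added example for illustration; not the article's or Microsoft's code.
SAMPLE_LOG is a constructed excerpt with hypothetical hosts and clients.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote

# Constructed sample: one normal GET, two unauthenticated ToolShell-style
# POSTs from 203.0.113.9, and one authenticated admin edit for contrast.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/Shared+Documents/Forms/AllItems.aspx - 443 CORP\alice 10.0.0.77 Mozilla/5.0 https://sp.example.com/sites/hr 200 0 0 120
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 450
2025-07-19 03:13:09 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit 443 - 203.0.113.9 python-requests/2.32 /_layouts/SignOut.aspx 500 0 0 30
2025-07-19 03:15:22 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.0.80 Mozilla/5.0 https://sp.example.com/sites/hr/_layouts/15/settings.aspx 200 0 0 200
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT = "/_layouts/signout.aspx"


@dataclass
class Finding:
    line_no: int
    client_ip: str
    severity: str          # "high" = bypass indicators present, "review" = legit-looking edit
    reasons: list[str] = field(default_factory=list)


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the latest #Fields header.

    IIS writes one space-separated record per line; values never contain
    spaces because IIS URL-encodes them, so a plain split is safe.
    """
    columns = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            columns = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(columns):
            continue  # malformed line or a record logged under an unknown layout
        yield line_no, dict(zip(columns, values))


def scan_iis_log(text):
    """Return Findings for every POST to ToolPane.aspx?DisplayMode=Edit."""
    findings = []
    for line_no, rec in parse_w3c(text):
        # SharePoint URLs are case-insensitive, so normalise before matching.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if not stem.endswith(TOOLPANE):
            continue
        if rec.get("cs-method", "").upper() != "POST":
            continue
        query = parse_qs(unquote(rec.get("cs-uri-query", "-")).lower())
        if "edit" not in query.get("displaymode", []):
            continue

        reasons = ["POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit"]
        referer = unquote(rec.get("cs(Referer)", "-")).lower()
        if referer.endswith(SIGNOUT):
            reasons.append("Referer is /_layouts/SignOut.aspx (auth-bypass signature)")
        if rec.get("cs-username", "-") == "-":
            reasons.append("request is unauthenticated")

        # An authenticated editor legitimately hits ToolPane in edit mode;
        # only the bypass indicators push a request to "high".
        severity = "high" if len(reasons) > 1 else "review"
        findings.append(Finding(line_no, rec.get("c-ip", "?"), severity, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.client_ip} [{f.severity}]: " + "; ".join(f.reasons))
```

Run it against a real log with `scan_iis_log(open(path, encoding="utf-8").read())`; a status of 500 on a flagged line is not a reason to dismiss it, since the second sample request fails yet still shows the bypass signature, and any "high" hit from an external address should trigger the key-rotation and incident-response steps above regardless of whether a web shell is found on disk.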


Writer - Rahul Verma
Rahul has a knack for crafting engaging and informative content that resonates with both technical experts and general audiences. His writing is characterized by its clarity, accuracy, and insightful analysis, making him a trusted voice in the ever-evolving tech landscape. He is adept at translating intricate technical details into accessible narratives, empowering readers to stay informed and ahead of the curve.
© 2025 TechScoop360