Ongoing Microsoft SharePoint Security Breach: CERT-In Alerts Users, Immediate Action Required to Protect Systems.

A critical security breach is currently targeting Microsoft SharePoint servers, prompting CERT-In (the Indian Computer Emergency Response Team) to issue urgent alerts to users. The vulnerability is under active exploitation, requiring immediate action to safeguard systems.

Scope of the Breach

The vulnerability primarily affects on-premises SharePoint servers, specifically SharePoint Server 2019, SharePoint Enterprise Server 2016, and the Subscription Edition. The cloud-based SharePoint Online (part of Microsoft 365) is not affected. This ongoing attack has already compromised thousands of SharePoint servers globally, impacting major industrial firms, banks, auditors, healthcare companies, government entities, universities, and energy companies. Agencies like the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) have been affected.

The Vulnerabilities

The primary vulnerability being exploited is tracked as CVE-2025-53770. It's a zero-day flaw, meaning it was previously unknown to Microsoft and security professionals, allowing attackers to exploit it before a patch was available. CVE-2025-53770 is related to a previously disclosed vulnerability, CVE-2025-49704. Attackers chain CVE-2025-49704 and CVE-2025-49706 together to execute arbitrary commands on vulnerable Microsoft SharePoint instances. Microsoft has also announced a fourth SharePoint vulnerability assigned CVE-2025-53771.

These vulnerabilities allow unauthenticated remote code execution, meaning attackers can run malicious code on the server without needing a username or password. The root cause is deserialization of untrusted data: SharePoint reconstructs objects from attacker-controlled input without validating it first. Successful exploitation could allow attackers to execute arbitrary code, access sensitive data, or perform spoofing attacks on the targeted system.

How the Attack Works

The attack, sometimes referred to as "ToolShell," involves a chain of sophisticated exploits. The stages include:

  • Uncontrolled deserialization: Attackers send malicious code to the SharePoint server disguised as ordinary serialized data, which the server deserializes and executes.
  • Path traversal and spoofing: These techniques are used to bypass security measures such as multi-factor authentication (MFA) and single sign-on (SSO), giving attackers higher-level access.
  • Key exfiltration: Attackers steal the server's cryptographic keys, the same keys SharePoint uses to protect data and authenticate users. Holding these keys lets them keep persistent access to the compromised system even after patches are applied.

With these stolen keys, attackers can forge payloads that SharePoint accepts as legitimate, giving them continued remote code execution.

Attribution

Microsoft has attributed the exploits to multiple groups with ties to the Chinese state: Linen Typhoon, Violet Typhoon, and Storm-2603. These groups have been associated with activities ranging from industrial espionage and military intelligence gathering to ransomware deployment.

Risks and Impact

The vulnerabilities expose organizations to serious operational risks:

  • Lateral movement: Attackers can use the compromised SharePoint server to access other systems on the network, including integrated services like Office, Teams, and OneDrive.
  • Data exfiltration: Sensitive documents, confidential data, and access to critical infrastructure can be stolen.
  • Ransomware: Persistent backdoors created by the attackers can be used to deploy ransomware, encrypting data and demanding payment for its release.

Mitigation and Remediation

CERT-In and Microsoft recommend the following immediate actions:

  • Apply security updates: Microsoft has released emergency patches for supported versions of SharePoint Server (Subscription Edition, 2019, and 2016).
  • Rotate cryptographic keys: Because the attackers exfiltrate keys, rotate the server's cryptographic keys, including the ASP.NET ValidationKey. Patching alone does not evict an attacker who already holds the old keys.
  • Isolate affected servers: If your SharePoint Server is accessible via the internet, consider isolating the affected instance until patching and threat hunting exercises are complete.
  • Threat hunting: Look for indicators of compromise (IOCs) such as suspicious files, network traffic, and PowerShell activity.
  • Conduct thorough audits: Check for web shells and other malicious code that may have been installed by the attackers.
  • Enable AMSI and deploy Defender AV: Enabling SharePoint's Antimalware Scan Interface (AMSI) integration and deploying Microsoft Defender Antivirus helps detect and block exploitation attempts.
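The following script is an added example of how a defender might carry out the threat-hunting, audit and key-rotation steps above on an on-premises SharePoint server; it is not CERT-In's or Microsoft's own tooling. Phase 1 collects the kinds of indicators the advisory names (recently changed web-facing script files under SharePoint's web folders, PowerShell script-block events, and command interpreters spawned by the IIS worker process w3wp.exe). Phase 2, enabled with the -RotateKeys switch, rotates the ASP.NET machine keys for every web application with the SharePoint Management Shell cmdlet Update-SPMachineKey and restarts IIS. The folder paths, the 14-day window, the report location and the w3wp.exe heuristic are assumptions to adjust for your farm; the 4104 and 4688 lookups only return data if script-block logging and process-creation auditing are enabled. Run it in an elevated SharePoint Management Shell, and run Phase 2 only after the security update has been applied.

```powershell
<#
  Added example (not CERT-In's or Microsoft's tooling): hunt for ToolShell-style
  indicators on a SharePoint server, then optionally rotate the machine keys.
  Paths, thresholds and the w3wp.exe heuristic are assumptions; adjust for your farm.
#>
[CmdletBinding()]
param(
    [int]$Days = 14,
    # Assumed defaults: the SharePoint "16" hive LAYOUTS folder and the IIS virtual
    # directories SharePoint creates. Change them if your install differs.
    [string[]]$Roots = @(
        "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
        "$env:SystemDrive\inetpub\wwwroot\wss\VirtualDirectories"
    ),
    [string]$ReportDir = "$env:SystemDrive\SPHunt",   # assumed report location
    [switch]$RotateKeys
)

$since  = (Get-Date).AddDays(-$Days)
$webExt = '.aspx', '.ashx', '.asmx', '.svc', '.config', '.dll'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Writes a CSV only when there are rows; returns the row count for the summary.
function Save-Report($Rows, $Name) {
    $path = Join-Path $ReportDir $Name
    if ($Rows) { $Rows | Export-Csv -LiteralPath $path -NoTypeInformation }
    return @($Rows).Count
}

# --- Phase 1a: web-facing files created or changed inside the window, hashed so the
# results can be compared against published IOC lists. A dropped web shell shows up here.
$files = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $webExt -and
                       ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since) } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$n = Save-Report ($files | Sort-Object LastWriteTime -Descending) 'recent-web-files.csv'
Write-Host ("[files] {0} web-facing files changed since {1}" -f $n, $since)

# --- Phase 1b: PowerShell script-block logging (event 4104). The encoded-command /
# download-cradle pattern is a common triage heuristic, not a ToolShell-specific IOC.
$psEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'FromBase64String|-enc(odedcommand)?\b|DownloadString|IEX' } |
    Select-Object TimeCreated, Message
$n = Save-Report $psEvents 'powershell-4104.csv'
Write-Host ("[ps]    {0} suspicious script-block events" -f $n)

# --- Phase 1c: processes started by the IIS worker process (Security event 4688;
# needs "Audit Process Creation"). A command interpreter whose parent is w3wp.exe
# is a classic sign of web-shell or RCE activity and deserves manual review.
$children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\w3wp\.exe' -and
                   $_.Message -match 'New Process Name:\s+\S*\\(cmd|powershell|pwsh|certutil|rundll32)\.exe' } |
    Select-Object TimeCreated, Message
$n = Save-Report $children 'w3wp-children.csv'
Write-Host ("[proc]  {0} w3wp.exe child-process events" -f $n)
Write-Host ("Reports written to {0}; review every hit before rotating keys." -f $ReportDir)

# --- Phase 2: rotate the ASP.NET machine keys. Update-SPMachineKey is the SharePoint
# Management Shell cmdlet for this; confirm against Microsoft's guidance for your
# version. Rotate only after patching, otherwise the new keys can simply be stolen again.
if ($RotateKeys) {
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host ("[keys]  rotating machine key for {0}" -f $wa.Url)
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe   # restart IIS so every worker process picks up the new keys
}
```

The three CSV reports are the artefacts to hand to whoever does the follow-up: a file in LAYOUTS that nobody deployed, a base64-encoded PowerShell command, or cmd.exe running under w3wp.exe each warrants isolating the server before keys are rotated, since rotation on a still-compromised host only buys the attacker a fresh set of keys.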

This is a developing situation, and it is critical for organizations using on-premises Microsoft SharePoint servers to take immediate action to protect their systems. Continuous monitoring and proactive security measures are essential to mitigate the risks posed by this ongoing security breach.


Writer - Aditi Sharma
Aditi Sharma is a seasoned tech news writer with a keen interest in the social impact of technology. She's renowned for her unique ability to bridge the gap between technological advancements and the human experience. Aditi provides readers with invaluable insights into the profound social implications of the digital age, consistently highlighting how innovation shapes our lives and communities.