SharePoint vulnerability: Global impact
A critical zero-day SharePoint vulnerability is being actively exploited in a widespread cyberattack. Over 85 servers across at least 54 organizations—including government bodies and multinational corporations—have been compromised worldwide. The flaw, CVE-2025-53770, allows remote code execution without authentication and currently has no available patch.
SharePoint vulnerability triggers government response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to act by Monday. CISA’s Acting Executive Assistant Director Chris Butera stated, “CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately.”
Eye Security revealed that victims include multiple governments and banks in the US, Germany, France, and Australia. CTO Piet Kerkhofs reported, “We are still identifying mass exploit waves.”
SharePoint vulnerability: Technical details
Dubbed “ToolShell,” the flaw relates to insecure deserialization in on-premises SharePoint Server. Attackers install web shells and steal cryptographic keys, which lets them maintain access even after patches are deployed. With the stolen keys, they can forge authentication tokens for lateral movement.
Microsoft patches and mitigations for SharePoint vulnerability
Microsoft recommends enabling Antimalware Scan Interface (AMSI) and deploying Defender Antivirus on all SharePoint servers. For those unable to use AMSI, disconnecting affected servers from the internet is advised.
SharePoint Online in Microsoft 365 is not affected by this vulnerability.