July 23, 2025

Microsoft SharePoint faces global cyberattacks over critical flaw


A serious security flaw in Microsoft’s SharePoint software has led to widespread cyberattacks impacting over 75 organisations globally, including governments and major corporations. The vulnerability affects only on-premises SharePoint servers and grants attackers unauthorised full control.

Designated CVE-2025-53770 and known as part of the “ToolShell” exploit chain, this zero-day flaw arises from unsafe deserialization of untrusted data, enabling remote code execution without authentication.

Attackers use it to inject malicious code, install persistent web shells, steal cryptographic keys, and move laterally within networks while impersonating legitimate users. A related vulnerability, CVE-2025-53771, allows authentication bypass by manipulating HTTP headers, boosting the attackers’ capabilities.

Microsoft has released urgent patches for all supported on-premises SharePoint versions, including SharePoint Server 2016. However, security experts warn that attackers may retain access even after patching by abusing stolen cryptographic keys, which the patches do not rotate automatically. Comprehensive incident response, including key rotation, is therefore essential.
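The warning that patching leaves previously stolen keys valid translates into a concrete follow-up step: rotate the ASP.NET machine keys of every web application in the farm and restart IIS so the old keys stop being honoured. The script below is an added example, not code from the article or from Microsoft. It assumes a SharePoint Server 2016 or later farm, the Microsoft.SharePoint.PowerShell snap-in, and the Set-SPMachineKey / Update-SPMachineKey cmdlets taking a -WebApplication parameter; confirm the cmdlet names, parameters and behaviour against Microsoft's cmdlet reference for the installed version before use, and run it in an elevated SharePoint Management Shell after the security update has been applied.

```powershell
# Added example (not from the article or from Microsoft): rotate the ASP.NET
# machine keys of every web application in an on-premises SharePoint farm
# after the security update has been installed.
# Assumption: Set-SPMachineKey generates new ValidationKey/DecryptionKey values
# for a web application and Update-SPMachineKey writes them to web.config on the
# farm's servers; check both against the cmdlet reference for your version.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Central Administration is itself a web application with its own keys, so
# include it rather than only the content web applications.
$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Set-SPMachineKey    -WebApplication $webApp   # generate fresh keys
        Update-SPMachineKey -WebApplication $webApp   # deploy them to web.config
        [pscustomobject]@{ WebApplication = $webApp.Url; Status = 'Rotated' }
    }
    catch {
        # Record the failure instead of aborting; an unrotated web application
        # is exactly what the incident responder needs to know about.
        [pscustomobject]@{ WebApplication = $webApp.Url; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Worker processes keep the old keys in memory until IIS is restarted.
# Run this on every server in the farm, not only the one the script ran on.
iisreset
```

Keep the table of results with the incident record: any web application reported as "Failed" still trusts the pre-patch keys and needs to be rotated by hand through Central Administration before the server is considered clean.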


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation and urged organisations to apply mitigations immediately, such as enabling Microsoft Defender’s Antimalware Scan Interface or temporarily isolating vulnerable servers.

Cybersecurity firms report ongoing attacks since early July 2025, targeting sectors like government and telecommunications across North America and Europe.

Palo Alto Networks’ Unit 42 warned, “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys.”

SharePoint Online, Microsoft’s cloud version, remains unaffected, but with many organisations relying on on-premises setups, the risk is substantial.
