21.07.2025

Critical vulnerability in Microsoft SharePoint

We would like to draw your attention to a currently exploited security vulnerability in Microsoft SharePoint, which poses considerable risks for systems operated exclusively locally (“on-premises”).

The U.S. cybersecurity agency CISA and Microsoft itself report active attacks on systems that exploit the CVE-2025-53770 vulnerability – also known as “ToolShell”. Below you will find an overview of the incident as well as concrete measures you can take to secure your systems.

What happened?

The CVE-2025-53770 vulnerability allows attackers to access SharePoint servers without logging in (“unauthenticated”) and to execute arbitrary code over the network (Remote Code Execution, RCE). It is a variant of the already known CVE-2025-49706 vulnerability and is based on faulty deserialization – the process in which stored or transmitted data is converted back into objects the application can work with. If this step is insufficiently secured, malicious code can be introduced and executed.

The attackers can gain complete access to the server and then to the infrastructure behind it, including file storage, configuration, and sensitive content. The incident only affects local SharePoint installations; SharePoint Online (Microsoft 365) is not affected, according to Microsoft.

What is affected?

The vulnerability only affects companies that operate Microsoft SharePoint locally (on-premises).

Specifically, the following versions are at risk:

  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Subscription Edition (if not patched)

The cloud version SharePoint Online, which runs on Microsoft 365, is not affected.

The situation is particularly critical if affected servers are directly accessible via the Internet and important protective measures or updates are missing.

How can I protect myself?

  1. Install security updates: Microsoft has now released patches for SharePoint 2019 (patch with the identifier KB5002754) and the Subscription Edition (patch with the identifier KB5002768). The security update for SharePoint 2016 is still being prepared. Until it is released, it is recommended to take the interim protective measures described below immediately and to install Microsoft’s July security updates at the same time.

  2. Rotate machine keys: After installing the updates, the so-called ASP.NET machine keys must be renewed. These keys are essential for secure communication between system components. Rotation is done via PowerShell or via SharePoint Central Administration. A restart of the IIS web server is then required.

  3. Enable Antimalware Scan Interface (AMSI): AMSI detects and blocks suspicious scripts at runtime. Make sure AMSI is enabled correctly. It should be enabled by default since September 2023.

  4. Use Microsoft Defender Antivirus and Defender for Endpoint: These security solutions detect known attack patterns and block related activities. Alternatively, comparable endpoint detection and response (EDR) solutions can be used.

  5. Disconnect systems from the network if necessary (if AMSI cannot be activated): If AMSI cannot be activated, CISA recommends that publicly reachable systems be temporarily disconnected from the Internet.

  6. Ensure logging & monitoring: Enable comprehensive logging (event logging) to track unusual behavior. In particular, monitor POST requests to suspicious paths.

From experts for experts:

IT managers should check the following attack patterns in particular:

  • Presence of the file: /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • Accesses from the following IP addresses: 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147
    (in particular between 18 and 19 July 2025)
  • Alerts in Microsoft Defender such as:
    “Possible web shell installation”
    “Suspicious IIS worker process behavior”
    “HijackSharePointServer” or “SuspSignoutReq” malware detected
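The following script is an added example (not part of the original advisory or of any Microsoft tooling) that applies the indicators listed above, and the POST monitoring recommended under “Ensure logging & monitoring”, to IIS W3C log records. The log lines are constructed sample data; the path, the IP addresses and the 18–19 July window are the ones stated in this advisory.

```python
from datetime import date

# Indicators as stated in the advisory above.
SUSPICIOUS_PATH = "/_layouts/15/toolpane.aspx"
SUSPICIOUS_QUERY = "displaymode=edit"
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
ACTIVITY_WINDOW = (date(2025, 7, 18), date(2025, 7, 19))

# Constructed sample IIS W3C log (not a real capture). The "#Fields:" header
# names the columns, exactly as IIS writes it, and drives the parser below.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 22:15:01 GET /sites/team/default.aspx - 10.0.0.5 200
2025-07-18 22:16:44 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 200
2025-07-19 03:02:10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.9 200
2025-07-20 09:00:00 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.7 200
2025-07-25 11:11:11 GET /sites/team/default.aspx - 96.9.125.147 200
"""


def parse_iis_log(text):
    """Yield one dict per data record, keyed by the column names in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_toolshell_indicators(text):
    """Return (reason, client_ip) pairs for records matching the advisory's indicators."""
    hits = []
    for rec in parse_iis_log(text):
        day = date.fromisoformat(rec["date"])
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        # Only POST is flagged: the advisory asks for POST monitoring, and
        # editors legitimately open ToolPane.aspx with GET.
        if rec["cs-method"] == "POST" and stem == SUSPICIOUS_PATH and SUSPICIOUS_QUERY in query:
            hits.append(("POST to ToolPane.aspx?DisplayMode=Edit", rec["c-ip"]))
        if rec["c-ip"] in KNOWN_BAD_IPS:
            reason = "request from known attacker IP"
            if ACTIVITY_WINDOW[0] <= day <= ACTIVITY_WINDOW[1]:
                reason += " during 18-19 July 2025"
            hits.append((reason, rec["c-ip"]))
    return hits


if __name__ == "__main__":
    for reason, ip in find_toolshell_indicators(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A hit is a lead for investigation, not proof of compromise; the real logs live under %SystemDrive%\inetpub\logs\LogFiles, and the field order there may differ from the sample, which is why the parser reads the header instead of assuming positions.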