{"id":27800,"date":"2025-07-22T16:54:39","date_gmt":"2025-07-22T14:54:39","guid":{"rendered":"https:\/\/perseus.de\/critical-vulnerability-in-microsoft-sharepoint\/"},"modified":"2026-03-31T07:15:34","modified_gmt":"2026-03-31T05:15:34","slug":"critical-vulnerability-in-microsoft-sharepoint","status":"publish","type":"post","link":"https:\/\/perseus.de\/en\/critical-vulnerability-in-microsoft-sharepoint\/","title":{"rendered":"Critical vulnerability in Microsoft SharePoint"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
21.07.2025<\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Critical vulnerability in Microsoft SharePoint \n\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

We would like to draw your attention to a currently exploited<\/span> security vulnerability in Microsoft SharePoint <\/b>, which poses considerable risks for systems operated exclusively locally (“on-premises”). <\/span> <\/p>

The<\/span> U.S. cybersecurity agency CISA<\/span><\/a> and Microsoft itself report <\/span>active attacks on systems<\/b> that exploit the CVE-2025-53770 vulnerability \u2013 also <\/span>known as “ToolShell”.<\/span><\/a> Below you will find an overview of the incident as well as concrete measures you can take to secure your systems.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What happened?<\/b><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The <\/span>CVE-2025-53770 vulnerability<\/span><\/a> allows attackers to access SharePoint servers without logging in (“unauthenticated”) and <\/span>to execute arbitrary code over the network (= RCE \u2192 Remote Code Execution).<\/b> It is a variant of the already known <\/span>CVE-2025-49706<\/span><\/a> vulnerability and is based on faulty <\/span>deserialization<\/b> \u2013 a technical process in which data is converted into a readable format. If this is insufficiently secured, malicious code can be introduced and executed.<\/span><\/p>

The attackers can gain complete access to the server and then to the infrastructure behind it, including file storage, configuration, and sensitive content. The incident only affects <\/span>local SharePoint installations<\/b> \u2013 <\/span>SharePoint Online (Microsoft 365) is not affected, according to Microsoft<\/b>.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What is affected?<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The vulnerability only affects companies that <\/span> operate Microsoft SharePoint locally (on-premises<\/b>).<\/span><\/p>

Specifically, the following versions are at risk:<\/span><\/p>