A critical zero-day vulnerability, CVE-2025-53770, in on-premises Microsoft SharePoint Server is being actively exploited, posing a serious threat to organisations that run SharePoint in their own environments. The exploit chain, known as “ToolShell”, gives an unauthenticated attacker remote code execution, full compromise of the server, and persistent backdoor access. Because no credentials are required at any point, multi-factor authentication is simply not in the attack path and offers no protection.
The situation is made worse by the fact that exploitation began before any security update was available. Microsoft has advised organisations to assume that exposed servers may already be compromised and to investigate them thoroughly rather than patch and move on. SharePoint Server 2016 is in a particularly difficult position: as of this writing no fix has been released for it, so those installations must rely on breach and attack simulation to gauge their exposure.
Multiple threat actors, including groups linked to China, are exploiting the vulnerability, and more are expected to join as awareness spreads. Attackers have been observed dropping web shells and exfiltrating sensitive data, giving them unauthenticated, long-term access to the targeted systems.
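The investigation Microsoft recommends starts with the web server logs. As an added example (not part of this article and not Microsoft's own tooling), the following Python script hunts IIS W3C logs for the ToolShell request pattern that Microsoft published in its guidance: an unauthenticated POST to /_layouts/15/ToolPane.aspx whose HTTP Referer is /_layouts/SignOut.aspx, and any request for the spinstall0.aspx web shell that the campaign drops. The log excerpt, host names and IP addresses are constructed for the example; a legitimate, authenticated POST to ToolPane.aspx by an administrator is included to show that the rule keys on the Referer, not on the page alone.

```python
"""Hunt IIS W3C logs for the ToolShell (CVE-2025-53770) request pattern."""
import re
from dataclasses import dataclass

# Constructed sample log excerpt in IIS W3C format. Timestamps, host names
# and IP addresses are made up for the example; only the request shapes
# follow the indicators Microsoft published.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jsmith 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/ 200 0 0 120
2025-07-19 03:14:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 350
2025-07-19 03:14:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
2025-07-19 03:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.30 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200 0 0 80
"""

# ToolPane.aspx under /_layouts/ (optionally versioned, e.g. /_layouts/15/).
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
# The exploit sets the Referer to the sign-out page; real edits never do.
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
# File name of the web shell observed in the campaign.
WEBSHELL_NAMES = {"spinstall0.aspx"}


@dataclass
class Hit:
    time: str
    client_ip: str
    rule: str
    detail: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, values))


def hunt(records):
    """Return Hit objects for records matching the ToolShell indicators."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "")
        referer = r.get("cs(Referer)", "")
        when = f"{r.get('date', '')} {r.get('time', '')}"
        client = r.get("c-ip", "")
        # Rule 1: POST to ToolPane.aspx with the SignOut.aspx Referer.
        if (r.get("cs-method") == "POST" and TOOLPANE_RE.search(stem)
                and SIGNOUT_RE.search(referer)):
            hits.append(Hit(when, client, "toolpane_signout_referer",
                            f"{stem}?{query} user={r.get('cs-username', '-')}"))
        # Rule 2: any request for the known web shell file name.
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append(Hit(when, client, "known_webshell_path", stem))
    return hits


def hunt_text(text):
    """Convenience wrapper: parse a whole log file's text and hunt it."""
    return hunt(parse_w3c(text))


def attacker_ips(hits):
    """Distinct client IPs that triggered any rule."""
    return {h.client_ip for h in hits}


if __name__ == "__main__":
    for h in hunt_text(SAMPLE_LOG):
        print(f"{h.time}  {h.client_ip}  {h.rule}  {h.detail}")
```

Point the script at the real log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*\`) and treat every hit as a lead, not a verdict: if the server sits behind a load balancer, `c-ip` may be the balancer's address and the true client must be taken from an X-Forwarded-For field if logging of that header has been enabled. A clean log is also not a clean bill of health, since an attacker with a foothold can clear or truncate it.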
Microsoft’s emergency guidance states that only on-premises versions of SharePoint Server are affected; SharePoint Online in Microsoft 365 is not. Organisations running on-premises servers exposed to the internet should act immediately: apply the recommended mitigations now and be ready to install the emergency patch as soon as it ships. Patching alone does not evict an attacker who is already inside, because the campaign has been observed stealing the server's ASP.NET machine keys, which let forged requests keep working on a patched system; Microsoft's guidance therefore also calls for rotating those keys after the update is applied.
Organisations should stay vigilant, apply mitigations quickly, and investigate thoroughly rather than assume they were missed. Building resilience and continuously reviewing security controls matter more than ever as more actors take up this vulnerability.