Microsoft has issued a warning regarding a critical vulnerability in on-premises SharePoint servers, which is currently being exploited by hackers. This vulnerability allows unauthorized remote code execution, granting attackers access to SharePoint content, internal configurations, and file systems. The flaw, designated as CVE-2025-53770 and also known as ‘ToolShell,’ poses significant risks, including the potential for attackers to bypass authentication and identity controls.
Microsoft has urged SharePoint administrators to promptly apply updates for SharePoint Server Subscription Edition and SharePoint Server 2019, released in July 2025. An update for SharePoint 2016 is forthcoming, while SharePoint Online in Microsoft 365 remains unaffected. In the meantime, Microsoft recommends several mitigation steps, such as using supported SharePoint Server versions, applying the latest security updates, enabling the Antimalware Scan Interface (AMSI), and deploying Microsoft Defender for Endpoint protection.
The US Cybersecurity and Infrastructure Security Agency (CISA) has provided additional guidance, including configuring AMSI in SharePoint, deploying Defender Antivirus, and disconnecting vulnerable products from the internet if AMSI cannot be enabled. Organizations are advised to monitor specific IP addresses and update intrusion prevention systems to block exploit patterns.
Cybersecurity experts emphasize the unprecedented risk posed by this vulnerability, highlighting the potential for data theft and credential harvesting. Immediate action is crucial to mitigate the threat, as the consequences of inaction could be severe.
