Microsoft reports on-premise SharePoint vulnerability under active attack
Take action: If you have on-premises SharePoint servers, patch SharePoint immediately, enable AMSI integration and install Microsoft Defender Antivirus on all SharePoint servers for an extra layer of security. If you can't patch, isolate the servers from the internet or simply shut them down. Exploitation is active and servers are being hacked.
Microsoft has issued an urgent security alert about a vulnerability in on-premises SharePoint Server installations that is being actively exploited by threat actors in the wild.
The vulnerability, tracked as CVE-2025-53770 (CVSS score 9.8), is a deserialization flaw: SharePoint processes untrusted data in a way that allows unauthenticated attackers to execute arbitrary code remotely.
Security researchers have identified this exploit as part of a sophisticated attack campaign dubbed "ToolShell," which enables attackers to gain complete remote control over vulnerable SharePoint systems.
Eye Security, a Dutch cybersecurity firm, first identified active exploitation of this vulnerability on July 18, 2025, describing it as one of the most rapid transitions from proof-of-concept to mass exploitation observed in recent cybersecurity history. The vulnerability chain combines critical security flaws originally demonstrated at Pwn2Own Berlin 2025 in May by researchers from CODE WHITE GmbH, a German offensive security company.
Security researchers have identified that successful exploitation typically results in the creation of a malicious file named "spinstall0.aspx" within SharePoint's template layouts directory. This file can be used as an early indicator of compromise for security teams monitoring for attacks.
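A defender-side hunt for that indicator on a SharePoint host, as an added example that is not part of the advisory. It assumes the standard hive layout under `Web Server Extensions\16` (and `\15`) and uses the 7 July 2025 start of exploitation reported further down this page as the review window; only the file name comes from the advisory.

```powershell
# Added example: hunt for the ToolShell post-exploitation indicator in SharePoint's LAYOUTS directory.
# Assumptions (not from the advisory): hive paths below; "spinstall0.aspx" is the name reported above.
$indicatorNames = @('spinstall0.aspx')
$hiveRoots = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)

function Find-SharePointWebShellIndicator {
    param(
        [string[]] $Roots = $hiveRoots,
        [string[]] $Names = $indicatorNames,
        # Earliest exploitation date reported on this page; anything written since deserves a look.
        [datetime] $Since = (Get-Date '2025-07-07')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 1) Exact hits on the known indicator name anywhere under LAYOUTS.
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Reason  = 'KnownIndicatorName'
                    Path    = $_.FullName
                    Created = $_.CreationTimeUtc
                    Written = $_.LastWriteTimeUtc
                    Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }

        # 2) Any other .aspx created in LAYOUTS during the campaign window. Pages here normally arrive
        #    only with product installs or security updates, so recent unfamiliar ones warrant review
        #    (expect some noise right after installing the July 2025 update).
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTimeUtc -ge $Since -and $Names -notcontains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Reason  = 'RecentAspxInLayouts'
                    Path    = $_.FullName
                    Created = $_.CreationTimeUtc
                    Written = $_.LastWriteTimeUtc
                    Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Run from an elevated shell on each SharePoint server in the farm; an empty result is the expected outcome.
Find-SharePointWebShellIndicator | Sort-Object Created -Descending | Format-Table -AutoSize
```

Any `KnownIndicatorName` hit means the host should be treated as compromised and isolated before patching; preserve the file and its hash for incident response rather than deleting it.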
The vulnerability affects multiple versions of on-premise Microsoft SharePoint Server. The affected products include:
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
Microsoft 365 SharePoint Online services are not impacted by this vulnerability. As of 19 July 2025, Microsoft is preparing a patch and advising customers to implement the following mitigations:
- Configure AMSI (Anti-Malware Scan Interface) integration within SharePoint environments.
- Deploy Microsoft Defender Antivirus on all SharePoint servers.
According to Microsoft, this configuration prevents unauthenticated attackers from successfully exploiting the vulnerability.
AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. For organizations unable to enable AMSI integration, Microsoft recommends removing internet access from SharePoint servers as an alternative protective measure.
Update - As of 21 July 2025, Microsoft has released emergency patches for SharePoint Server 2019 and the Subscription Edition. Later the same day the security update for SharePoint Server 2016 was also released. Patches for all supported versions of SharePoint are now available.
Customers running SharePoint Server on-premises should install the available updates immediately. If this is not possible, Microsoft recommends temporarily disconnecting the affected servers from the internet.
As of 22 July 2025, Check Point Research reports that CVE-2025-53770 has been actively exploited since July 7, 2025. The attacks initially targeted a major Western government and later expanded to the telecommunications and software sectors across North America and Western Europe. The campaign chains the critical remote code execution flaw with a spoofing vulnerability (CVE-2025-49706) and originates from three IP addresses, one of which was previously linked to Ivanti attacks.
Microsoft reports exploitation of CVE-2025-53771 (a patch bypass for CVE-2025-49706) and CVE-2025-53770 (a patch bypass for CVE-2025-49704).
Microsoft and Google report that Chinese state-backed hacking groups including "Linen Typhoon," "Violet Typhoon," and "Storm-2603" have been actively exploiting the critical SharePoint zero-day vulnerability (CVE-2025-53770) since July 7, 2025, targeting intellectual property theft, espionage, and conducting ransomware attacks. Security researchers warn that dozens of organizations including government agencies have been compromised.
As of 23 July 2025, researchers report that threat actors have compromised over 400 organizations globally, including the US Department of Energy and the National Nuclear Security Administration (NNSA), by exploiting the SharePoint zero-day vulnerabilities. The campaign targeted on-premises SharePoint servers across government agencies, telecommunications, and software sectors worldwide.
As of 27 July 2025, researchers report that the attacks combine the older CVE-2025-49704 and CVE-2025-49706 with the two newer variants, CVE-2025-53770 and CVE-2025-53771.