Patch ToolShell SharePoint zero-day immediately, says Microsoft | Computer Weekly

News Room
Last updated: 2025/07/22 at 2:05 AM
News Room Published 22 July 2025

Organisations running on-premise instances of Microsoft’s SharePoint collaboration and document management platform should update without delay after multiple reports of an as-yet unidentified party exploiting two newly-uncovered vulnerabilities emerged.

Dubbed ToolShell, the related vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow for remote code execution (RCE) and server spoofing in SharePoint. They appear to have arisen as variants of an unauthenticated RCE exploit chain in SharePoint that was first demonstrated in May at a Pwn2Own event in Berlin.

The core RCE vulnerability, CVE-2025-53770, works by enabling the attacker to steal cryptographic keys from vulnerable SharePoint servers, which can then be used to create specially crafted requests in order to achieve RCE.

“All signs point to widespread, mass exploitation – with compromised government, technology, and enterprise systems observed globally,” watchTowr CEO Benjamin Harris told Computer Weekly via email.

“Attackers are deploying persistent backdoors, and notably, are taking a more sophisticated route than usual: the backdoor retrieves SharePoint’s internal cryptographic keys – specifically the MachineKey used to secure the __VIEWSTATE parameter.

Harris explained: “__VIEWSTATE is a core mechanism in ASP.NET that stores state information between requests. It is cryptographically signed and optionally encrypted using the ValidationKey and DecryptionKey. With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid – enabling seamless remote code execution.”

Over the weekend, Microsoft worked alongside the US authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), and other partners across the globe, and urged customers to update SharePoint.

CVE-2025-53770 has also now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue, obliging US government bodies to fix it.

Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks, said he was tracking a “high-impact, ongoing threat campaign” against SharePoint servers.

“While cloud environments remain unaffected, on-prem SharePoint deployments – particularly within government, schools, healthcare including hospitals, and large enterprise companies – are at immediate risk,” he said.

“We are currently working closely with [the] Microsoft Security Response Center [MSRC] to ensure that our customers have the latest information and we are actively notifying affected customers and other organisations.”

How the investigation unfolded

ToolShell was first discovered in the wild by the research team at Eye Security, after receiving a CrowdStrike Falcon Endpoint Detection and Response (EDR) alert from an under-attack customer on Friday 18 July.

This alert appeared to flag a brute-force or credential stuffing attack through which the threat actor involved was authenticating to the target system in order to conduct a deeper cyber attack.

However, this proved to be a red herring: on digging deeper, the Eye team found that the attacker was conducting their attacks without authenticating at all.

“That’s when we realised we were no longer dealing with a simple credential-based intrusion,” the Eye team wrote. “This wasn’t a brute force or phishing scenario. This was zero-day territory.”

Prior to disclosure, Eye said it scanned over 8,000 SharePoint servers around the world and found dozens of systems had been compromised already in two waves of attacks, the first on 18 July, and the second on 19 July.

Not a theoretical risk

The Eye team said the risk from ToolShell was not a theoretical one, giving attackers the ability to conduct RCE having bypassed identity protections, and enabling them to access SharePoint content, system files and configurations, and conduct lateral movement.

Far more concerning is the fact that patching alone will not mitigate the risk. Because the attack chain begins with the theft of SharePoint’s cryptographic keys, the threat actor can keep using those keys even after the patch has been properly applied, unless the affected organisation rotates the secrets right away.

“A typical patch will not automatically rotate these stolen cryptographic secrets, leaving organisations vulnerable even after they patch. In this case, Microsoft will likely need to recommend additional steps to remediate the vulnerability and any compromise post-response,” said watchTowr’s Harris.

“If an affected SharePoint instance is exposed to the internet, it should be treated as compromised until proven otherwise.”
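The point Harris makes about __VIEWSTATE signing and key rotation can be shown with a small model. The following is an added illustration, not code from SharePoint, ASP.NET or any of the parties quoted; it replaces the real ViewState format with a JSON body plus an HMAC-SHA256 tag, and keeps only the property that matters here: the server accepts any blob that carries a valid MAC under its current ValidationKey, so a leaked key stays usable until it is replaced.

```python
"""Toy model of __VIEWSTATE integrity protection (constructed example).

Not the real ASP.NET format: state is JSON, the tag is HMAC-SHA256, and
the 'MachineKey' is just random bytes. It demonstrates why a code patch
alone does not invalidate a previously stolen ValidationKey.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended to the body


def generate_machine_key() -> bytes:
    """Fresh ValidationKey (constructed; real servers read theirs from web.config)."""
    return secrets.token_bytes(64)


def sign_viewstate(state: dict, validation_key: bytes) -> str:
    """Serialise state and append an HMAC tag, then base64-encode the whole blob."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_viewstate(blob: str, validation_key: bytes) -> Optional[dict]:
    """Return the decoded state if the MAC checks out under this key, else None."""
    raw = base64.b64decode(blob)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def rotation_demo() -> dict:
    """Walk through the scenario in the article: key leaked, patch applied, key rotated."""
    server_key = generate_machine_key()
    leaked_key = server_key  # copy of the key exfiltrated before the patch
    forged = sign_viewstate({"page": "default", "forged": True}, leaked_key)

    results = {}
    # Patching fixes the code path that leaked the key; the key itself is unchanged.
    results["forged_accepted_without_rotation"] = verify_viewstate(forged, server_key) is not None
    server_key = generate_machine_key()  # rotate ValidationKey / DecryptionKey
    results["forged_accepted_after_rotation"] = verify_viewstate(forged, server_key) is not None
    legit = sign_viewstate({"page": "default", "forged": False}, server_key)
    results["legitimate_accepted_after_rotation"] = verify_viewstate(legit, server_key) is not None
    return results
```

Only the rotation step flips the forged blob from accepted to rejected, which is the operational reason the article gives for treating exposed instances as compromised and rotating secrets rather than patching alone.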

Legacy trust models

Rik Ferguson, vice president of security intelligence at Forescout, said that ToolShell was a perfect case study in what happens when legacy trust models bump up against a modern-day threat actor.

“An authenticated user should never be treated as a guaranteed safe entity, but this vulnerability effectively grants code execution without requiring elevated privileges. For CISOs, this highlights a critical point. If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess,” he said.

“Zero-trust is not a buzzword. It is a necessity. Security must begin from the premise that every user and every device is untrusted until verified continuously. You need segmentation that limits lateral movement and monitoring that can flag even subtle deviations from expected behaviour.

“Attackers are not just getting in. They are already inside. The question is how far they can go once they are there,” said Ferguson.
