A critical zero-day vulnerability in on-premises Microsoft SharePoint servers has fueled a surge in cyberattacks, impacting organizations across continents. The scope and rapid progression of the incident has compelled cybersecurity agencies and researchers to issue urgent warnings and guidance. Several industry sources confirm that attackers are exploiting the defect to bypass existing security measures, resulting in widespread system breaches. The fast-moving threat has raised particular concerns because similar vulnerabilities have attracted international threat actor interest in the past, occasionally leaving organizations exposed for months despite widespread alerts.
Incidents involving Microsoft SharePoint have attracted significant attention previously, such as with the detected vulnerability CVE-2025-49706, which had prompted swift patching earlier in the month. However, the emergence of the CVE-2025-53770 issue has introduced fresh risks where prior mitigation was insufficient. Unlike older exploits, the current wave leverages more advanced methods to evade authentication protocol improvements and has quickly propagated globally. The situation is further complicated by the number of exposed SharePoint servers, with recent scans showing thousands are still at risk, similar to earlier incidents where patch adoption lagged.
What is CVE-2025-53770 and Why is It Serious?
The vulnerability, identified as CVE-2025-53770, has a maximum initial CVSS score of 9.8 and allows attackers remote, unauthenticated code execution, granting them full file access and control over internal configurations. The exploit, referred to as “ToolShell,” has already been used to intrude upon hundreds of organizations, including both governmental and private sectors. The flaw is recognized as a bypass of a previous fix for CVE-2025-49706, signaling gaps in earlier patch initiatives. Security experts noted the rapid escalation of attacks following initial scans, with exploitation moving from reconnaissance to active compromise within days.
How Are Attackers Exploiting SharePoint?
Current attack strategies involve deployment of malicious ASPX payloads via PowerShell, theft of cryptographic machine keys, and exfiltration of sensitive data. Attackers are reportedly bypassing multi-factor authentication and single sign-on features, expanding their symbolic reach beyond initial entry points.
“A compromise doesn’t stay contained — it opens the door to the entire network,”
commented Michael Sikorski, CTO and head of threat intelligence at Palo Alto Networks Unit 42, underlining the potential for lateral movement across organizational systems once a foothold is established.
Which Organizations Have Been Affected and What Measures Are Recommended?
A wide array of entities, spanning government, education, and critical infrastructure across the US, Europe, and Australia, have experienced compromise attempts. Both Eye Security and CISA pointed to large-scale exploitation, observing systemic issues in the deployment of SharePoint servers. Microsoft has advised customers to activate and configure Antimalware Scan Interface or disconnect affected servers from the internet to mitigate risk while patches are being distributed. Patching has been issued for two of the three vulnerable SharePoint versions; SharePoint Server 2016 remains unpatched as of the latest updates.
The incident exposes ongoing challenges in patch management and the pace of security improvement in large IT infrastructures. Security professionals stress the importance of rotating cryptographic keys and conducting forensic investigations beyond routine patching, given the attackers’ persistence after compromise. Real-time notification efforts are underway through collaboration among groups such as Shadowserver, Eye Security, and watchTowr, but the scale of exposure necessitates broader vigilance.
Organizations relying on on-premises Microsoft SharePoint must remain highly alert, as attackers have proven capable of adapting to and circumventing remedial actions with sophisticated techniques. Unlike previous exposures, the nature of this vulnerability enables attackers to maintain access even after traditional patching if cryptographic keys are not systematically changed. For affected organizations, isolating affected servers and promptly investigating signs of compromise are necessary steps, while monitoring ongoing advisories for updates and remediations. Data security and strict access protocols are critical, and entities operating these systems should remain cautious, as delayed response or incomplete remediation offers persistent openings for malicious actors.
