Microsoft, CISA warn of cyberattacks targeting on-premise SharePoint servers

Hackers have already breached dozens of vulnerable systems in at least two attack waves
22 July 2025

Microsoft has warned that hackers are exploiting a critical vulnerability in SharePoint, dubbed ToolShell, to launch attacks against on-premise customers.

The vulnerability, tracked as CVE-2025-53770, involves deserialisation of untrusted data and is a variant of CVE-2025-49706.  

The US’ Cybersecurity and Infrastructure Security Agency (CISA) said the vulnerability can allow a malicious adversary to gain full access to SharePoint content, including file systems and internal configurations.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” Chris Butera, acting executive assistant director for cybersecurity, said in a statement. “Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations.”

The agency urged all organisations with on-premise Microsoft SharePoint servers to rapidly implement mitigations.

Microsoft on Sunday released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771, and urged customers to immediately apply the patches. 

Hackers have already breached dozens of vulnerable systems in at least two attack waves, according to researchers at Eye Security, who first disclosed the flaw on Saturday and said they had scanned more than 8,000 SharePoint servers worldwide.

Researchers from watchTowr said exploitation may have begun as early as 16 July.

The attacks have compromised at least two federal agencies in the US, as well as multiple European government agencies and a US energy company, The Washington Post reported.

The Multi-State Information Sharing and Analysis Center has already notified more than 150 actively targeted state and local government agencies, a spokesperson told Cybersecurity Dive. It said it had detected more than 1,100 vulnerable servers, including some belonging to K-12 school districts and universities.

Google’s Threat Intelligence Group has observed hackers installing web shells and stealing cryptographic secrets from targeted servers, an executive said on LinkedIn.

Shadowserver on Sunday said it was tracking 9,300 exposed IPs and was working with watchTowr and Eye Security to notify affected customers. 

Earlier this month, researchers at Code White GmbH demonstrated ToolShell using a combination of CVE-2025-49706 and CVE-2025-49704.

Cybersecurity Dive
