Microsoft notified customers this past weekend regarding in-the-wild attacks targeting its SharePoint products following exploits of several vulnerabilities within the software.
One of the vulnerabilities, CVE‑2025‑53770 (CVSS 9.8), is a zero-day exploit and a variant of an older vulnerability (CVE‑2025‑49706), which was patched by Microsoft on July 8. These and two other vulnerabilities (one a new variant of the other) are being used collectively by attackers to create a backdoor on vulnerable SharePoint servers, and steal system keys to take over victims’ machines.
Here's what we know about the incident.
Who the ToolShell breach affects
Microsoft said that the compromise was only impacting “on-premises SharePoint servers,” and not “Sharepoint Online in Microsoft 365.” Impacted versions include:
- SharePoint Subscription Edition
- SharePoint 2019
- SharePoint 2016
As of July 21, Microsoft released updates for SharePoint Subscription Edition and SharePoint 2019 that customers can now patch. However, the window for exploitation was at least three days long, and it’s been confirmed by multiple sources that the consequences of this software supply chain attack are far-reaching.
PoC of the attack was revealed at a Pwn2Own contest
Two of the four vulnerabilities being exploited, CVE‑2025‑49706 and CVE‑2025‑49704, which allow authentication bypass and code injection, were first discovered by researcher Khoa Dinh as a proof-of-concept (PoC) titled “ToolShell” at the Pwn2Own contest in Berlin, Germany in May. The security firm CODE WHITE's researchers were able to reproduce the exploit chain, which they posted to X on July 14.
The Eye Security researchers who discovered the zero-day said the exploit has been actively abused since July 18, just four days after the ToolShell chain was made public for the two older vulnerabilities. By scanning more than 8,000 public-facing SharePoint environments, the security company said it detected many compromises stemming from both the zero-day and the older vulnerabilities:
“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access.”
On July 21, The Washington Post reported that the zero-day has so far been exploited to breach the servers of U.S. federal and state agencies, as well as entities in critical infrastructure, higher education and telecommunications.
Michael Sikorski, head of threat intelligence at Palo Alto Networks’ Unit 42, stressed on Forbes that SharePoint deployments within the public sector, schools, healthcare and large enterprises are at immediate risk, stating “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point.”
A single breach can have a cascading effect
ReversingLabs' VP of Technology, Igor Lasic, said the incident highlights how quickly threat actors can turn newly revealed vulnerabilities into widespread attacks — and shows how critical this specific zero-day is for enterprises and critical infrastructure.
“This supply chain attack presents a serious cybersecurity concern. SharePoint often connects to core Microsoft 365 services like Outlook, Teams, and OneDrive – so a single SharePoint breach can expose sensitive data, harvested credentials, and enable dangerous lateral movement across an organization’s cloud environment.”
—Igor Lasic
SharePoint users are advised to update
Microsoft is advising customers to apply available updates for all four vulnerabilities as soon as possible. Customers should also immediately rotate SharePoint Server ASP.NET machine keys to avoid machine takeover.
Microsoft is also asking impacted customers to integrate Antimalware Scan Interface (AMSI), and also run an antivirus solution and an endpoint detection and response (EDR) solution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the zero-day to its Known Exploited Vulnerabilities (KEV) list.
Similar to past zero-day vulnerabilities with far-reaching deployments, it’s likely that the security community will not know the full extent of this incident’s consequences for months. RL researchers will continue to monitor this campaign and share any further insights with the community.
