SharePoint zero-day: What we know

The software supply chain incident highlights how quickly threat actors can turn newly revealed vulnerabilities into widespread attacks.

Carolynn van Arsdale, Writer, ReversingLabs.

Microsoft notified customers this past weekend regarding in-the-wild attacks targeting its SharePoint products following exploits of several vulnerabilities within the software.

One of the vulnerabilities, CVE‑2025‑53770 (CVSS 9.8), is a zero-day exploit and a variant of an older vulnerability (CVE‑2025‑49706), which was patched by Microsoft on July 8. These and two other vulnerabilities (one a new variant of the other) are being used collectively by attackers to create a backdoor on vulnerable SharePoint servers, and steal system keys to take over victims’ machines.

Here's what we know about the incident.

Who the ToolShell breach affects

Microsoft said that the compromise was only impacting “on-premises SharePoint servers,” and not “Sharepoint Online in Microsoft 365.” Impacted versions include:

SharePoint Subscription Edition
SharePoint 2019
SharePoint 2016

As of July 21, Microsoft released updates for SharePoint Subscription Edition and SharePoint 2019 that customers can now patch. However, the window for exploitation was at least three days long, and it’s been confirmed by multiple sources that the consequences of this software supply chain attack are far-reaching.

PoC of the attack was revealed at a Pwn2Own contest

Two of the four vulnerabilities being exploited, CVE‑2025‑49706 and CVE‑2025‑49704, which allow authentication bypass and code injection, were first discovered by researcher Khoa Dinh as a proof-of-concept (PoC) titled “ToolShell” at the Pwn2Own contest in Berlin, Germany in May. The security firm CODE WHITE's researchers were able to reproduce the exploit chain, which they posted to X on July 14.

The Eye Security researchers who discovered the zero-day said the exploit has been actively abused since July 18, just four days after the ToolShell chain was made public for the two older vulnerabilities. By scanning more than 8,000 public-facing SharePoint environments, the security company said it detected many compromises stemming from both the zero-day and the older vulnerabilities:

Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access.

On July 21, The Washington Post reported that the zero-day has so far been exploited to breach the servers of U.S. federal and state agencies, as well as entities in critical infrastructure, higher education and telecommunications.

Michael Sikorski, head of threat intelligence at Palo Alto Networks’ Unit 42, stressed on Forbes that SharePoint deployments within the public sector, schools, healthcare and large enterprises are at immediate risk, stating “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point.”

A single breach can have a cascading effect

ReversingLabs' VP of Technology, Igor Lasic, said the incident highlights how quickly threat actors can turn newly revealed vulnerabilities into widespread attacks — and shows how critical this specific zero-day is for enterprises and critical infrastructure.

This supply chain attack presents a serious cybersecurity concern. SharePoint often connects to core Microsoft 365 services like Outlook, Teams, and OneDrive – so a single SharePoint breach can expose sensitive data, harvested credentials, and enable dangerous lateral movement across an organization’s cloud environment.
Igor Lasic

SharePoint users are advised to update

Microsoft is advising customers to apply available updates for all four vulnerabilities as soon as possible. Customers should also immediately rotate SharePoint Server ASP.NET machine keys to avoid machine takeover.

Microsoft is also asking impacted customers to integrate Antimalware Scan Interface (AMSI), and also run an antivirus solution and an endpoint detection and response (EDR) solution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the zero-day to its Known Exploited Vulnerabilities (KEV) list.

Similar to past zero-day vulnerabilities with far-reaching deployments, it’s likely that the security community will not know the full extent of this incident’s consequences for months.

Keep learning

Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: Join RL's May 28 webinar for expert insights.
Get the white paper: Go Beyond the SBOM. Plus: See the Webinar: Welcome CycloneDX xBOM.
Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our Webinar for discussion about the findings.
Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and replay our Webinar to learn how RL discovered the novel threat.
Learn how commercial software risk is under-addressed: Download the white paper — and see our related Webinar for more insights.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security