Microsoft Confirms Global SharePoint Attack — Emergency Update Issued

Update, July 21, 2025: This story, originally published on July 20, has been updated to include additional expert comments regarding the global zero-day attack impacting Microsoft on-premise SharePoint Server users, as well as the latest information and advice from Microsoft itself as an emergency patch is released.

Microsoft users are, once again, under attack. This time, the threat is not restricted to Outlook users, or involves a Windows browser-based security bypass, and unlike the recent Windows authentication relay attack vulnerability, there is no patch, no magic update, to remedy this one. Which is bad news for Microsoft SharePoint Server users, as CVE-2025-53770 is currently under confirmed “mass attack” and on-premises servers across the world are being compromised. Here’s what you need to know and do.

ForbesAmazon Ring Doorbell May 28 Mass Hacking Claim Goes ViralBy Davey Winder

July 21 Update: Microsoft SharePoint Exploit Patch Now Available

Breaking: Microsoft has now released emergency security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. “Customers should apply these updates immediately to ensure they’re protected,” Microsoft said.

Microsoft Confirms CVE-2025-53770 SharePoint Server Attacks

It’s been quite the few weeks for security warnings, what with Amazon informing 220 million customers of Prime account attacks, and claims of a mass hack of Ring doorbells going viral. The first of those can be mitigated by basic security hygiene, and the latter appears to be a false alarm. The same cannot be said for CVE-2025-53770, a newly uncovered and confirmed attack against users of SharePoint Server which is currently undergoing mass exploitation on a global level, according to the Eye Security experts who discovered it. Microsoft, meanwhile, has admitted that not only is it “aware of active attacks” but, worryingly, “a patch is currently not available for this vulnerability.”

CVE-2025-53770, which is also being called ToolShell, is a critical vulnerability in on-premises SharePoint. The end result of which is the ability for attackers to gain access and control of said servers without authentication. If that sounds bad, it’s because it is. Very bad indeed.

“The risk is not theoretical,” the researchers warned, “attackers can execute code remotely, bypassing identity protections such as MFA or SSO.” Once they have, they can then “access all SharePoint content, system files, and configurations and move laterally across the Windows Domain.”

And then there’s the theft of cryptographic keys. That can enable an attacker to “impersonate users or services,” according to the report, “even after the server is patched.” So, even when a patch is eventually released, and I would expect an emergency update to arrive fairly quickly for this one, the problem isn’t solved. You will, it was explained, “need to rotate the secrets allowing all future tokens that can be created by the malicious actor to become invalid.”

And, of course, as SharePoint will often connect to other core services, including the likes of Outlook and Teams, oh and not forgetting OneDrive, the threat, if exploited, can and will lead to “data theft, password harvesting, and lateral movement across the network,” the researchers warned.

ForbesThis Password Hack Jumps From Laptop To Smartphone — Attacks UnderwayBy Davey Winder

CISA Adds Microsoft SharePoint Vulnerability To KEV Catalog

The Cybersecurity and Infrastructure Security Agency has already added CVE-2025-53770 to the Town Exploited Vulnerabilities Catalog, and action that, in accordance with Binding Operational Directive 22-01, mandates U.S. Federal Civilian Executive Branch agencies to remediate the threat within 21 days. “Although BOD 22-01 only applies to FCEB agencies,” CISA said, “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.” Given that no patch is yet available, that could mean taking drastic action and pulling the internet plug to remove connectivity from SharePoint servers.

Security Experts Warn Government, Schools And Hospitals At Immediate Risk From Microsoft SharePoint Exploit

“While cloud environments remain unaffected,” Michael Sikorski, head of threat intelligence for Unit 42 at Palo Alto Networks, said, “on-prem SharePoint deployments, particularly within government, schools, healthcare including hospitals, and large enterprise companies, are at immediate risk.” The attackers are, Sikorski confirmed, exfiltrating data, deploying backdoors, and stealing cryptographic keys. “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point.”

“CVE-2025-53770 is more than just another SharePoint flaw,” Rik Ferguson, vice president of security intelligence at Forescout, warned, “it’s a case study in what happens when legacy trust models meet modern threat actors.” Explaining that authenticated users should never be considered safe entities by default, Ferguson said that CVE-2025-53770, in effect, provides code execution ability without requiring any elevated privileges whatsoever. “For CISOs,” Ferguson concluded, “this highlights a critical point: If your security posture still relies on perimeter trust or the assumption that credentialed access equals safety, then it is time to reassess.”

ForbesAmazon Warns 220 Million Customers Of Prime Account AttacksBy Davey Winder

Mitigating The Microsoft SharePoint Server Attacks

While the Microsoft Security Response Center has stated that it is “actively working to release a security update,” and will “provide additional details as they are available,” there is no patch at the time of writing. In the meantime, it advised that customers should apply the following mitigations:”

Configure Antimalware Scan Interface integration in SharePoint and deploy Defender AV on all SharePoint servers. “If you cannot enable AMSI,” Microsoft said, “we recommend you consider disconnecting your server from the internet until a security update is available.”

I have approached Microsoft for a statement and will update this story with any further developments. In the meantime, Microsoft has confirmed that the issue only applies to on-premises Microsoft SharePoint Servers only, with SharePoint Online in Microsoft 365 not impacted.

Enhance your driving experience with the P12 Pro 4K Mirror Dash Cam Smart Driving Assistant, featuring Front and Rear Cameras, Voice Control, Night Vision, and Parking Monitoring. With a 4.3/5-star rating from 2,070 reviews and over 1,000 units sold in the past month, it’s a top-rated choice for drivers. The dash cam comes with a 32GB Memory Card included, making it ready to use out of the box. Available now for just $119.99, plus a $20 coupon at checkout. Don’t miss out on this smart driving essential from Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!