Microsoft has warned that attackers are actively exploiting SharePoint vulnerabilities in a high-impact, ongoing campaign impacting critical sectors like government and healthcare.
The campaign is putting critical systems and data at high risk of compromise for those with SharePoint on-premises servers.
Threat actors have already been observed installing web shells and exfiltrating cryptographic secrets from victim servers, according to an analysis by Google Threat Intelligence Group.
In an update on July 19, Microsoft urged on-premises SharePoint Server customers to take immediate action to mitigate two vulnerabilities that were only partially addressed in July 2025’s Patch Tuesday.
The first is CVE-2025-53770, a critical vulnerability with a CVSS score of 9.8 which allows an unauthorized attacker to execute code over a network. This flaw is also referred to as ‘ToolShell’ by cybersecurity experts.
The second is CVE-2025-53771, rated important with a CVSS score of 6.3, which allows an authorized attacker to perform spoofing over a network.
SharePoint Customers Should Assume Compromise
Those with SharePoint on-premises servers exposed to the internet have been told to assume compromise.
Immediate action, beyond applying any patches, has been advised. This includes rotating cryptographic material and engaging professional incident response.
Additionally, the Windows Antimalware Scan Interface (AMSI) integration in SharePoint should be configured and those affected should deploy Defender AV or another EDR solution.
Customers should also consider disconnecting Microsoft SharePoint from the internet until a patch is available.
Organizations that have already applied a patch should investigate whether their system was compromised prior to the fix.
The vulnerabilities only impact on-prem SharePoint deployments; SharePoint Online in Microsoft 365 environments remains unaffected.
High Severity Threat Bypassing Identity Controls
Michael Sikorski, CTO and Head of Threat Intelligence at Palo Alto Networks’ Unit 42 team, which is working with Microsoft to track the active campaign, warned that critical systems in government, schools, healthcare and large enterprise companies are at immediate risk of compromise.
“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold,” he noted.
Sikorski also highlighted SharePoint’s deep integration with other Microsoft services such as Office, Teams, OneDrive and Outlook, all of which contain valuable information which is lucrative to attackers.
“A compromise doesn’t stay contained – it opens the door to the entire network,” he added.
WatchTowr CEO Benjamin Harris noted that attackers appear to be taking a more sophisticated route than usual, deploying a backdoor that retrieves SharePoint’s internal cryptographic keys.
This includes the MachineKey used to secure the __VIEWSTATE parameter, a core mechanism in ASP.NET that stores state information between requests.
“With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid – enabling seamless remote code execution. This approach makes remediation particularly difficult – a typical patch would not automatically rotate these stolen cryptographic secrets leaving organizations vulnerable even after they patch,” Harris commented.
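To make Harris’s point concrete, the following added Python sketch (not Microsoft’s code, and a deliberately simplified stand-in for ASP.NET’s real ViewState MAC, which uses its own framing and key derivation) models a MAC-validated __VIEWSTATE: a payload signed with a leaked validation key keeps validating after a code patch, and only stops validating once the key itself is rotated.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Model of the server producing a MAC-protected __VIEWSTATE value."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def validate_viewstate(token: str, validation_key: bytes):
    """Model of the server's MAC check; returns the state or None if invalid."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    # Constant-time comparison, as a real validator must use.
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def rotation_demo():
    """Why 'patch but do not rotate' leaves the server exposed.

    Returns (accepted_before_rotation, accepted_after_rotation).
    """
    # Constructed value standing in for the MachineKey the backdoor read.
    leaked_key = secrets.token_bytes(64)
    # Anything signed with the leaked key is indistinguishable from legitimate
    # state; the content is a harmless placeholder here.
    forged = sign_viewstate(b"constructed-placeholder-state", leaked_key)

    # Code patch applied, key unchanged: the forged value still validates.
    accepted_before = validate_viewstate(forged, leaked_key) is not None

    # Key rotated: the same forged value is rejected.
    rotated_key = secrets.token_bytes(64)
    accepted_after = validate_viewstate(forged, rotated_key) is not None
    return accepted_before, accepted_after
```

The pair `(True, False)` returned by `rotation_demo()` is the whole remediation argument in one line: the patch closes the entry point, but only key rotation invalidates what the attacker already holds.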
In a blog post published on July 19, Dutch security firm Eye Security revealed it first identified exploitation in the wild of the two vulnerabilities on July 18.
It found that dozens of systems were actively compromised during two waves, on July 18 at around 18:00 UTC and July 19 at around 07:30 UTC.
Partial Fixes Available
Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. Customers using these versions should apply the patches immediately.
However, no patches are available yet for supported versions of SharePoint 2016.
Microsoft is expected to release an emergency out-of-cycle patch due to the broad exploitation currently underway.