Full Report
Attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The post Mass attack spree hits Microsoft SharePoint zero-day defect appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical Zero-Day Exploit in On-Premises Microsoft SharePoint (ToolShell) Enabling RCE and Key Theft
## CVE Details
- CVE ID: CVE-2025-53770
- CVSS Score: 9.8 (Critical)
- CWE: (Not explicitly mentioned, but based on impact, likely related to Improper Input Validation or Insufficient Canonicalization leading to Remote Code Execution leading to Authentication Bypass)
## Affected Systems
- Products: Microsoft SharePoint Server (On-premises versions)
- Versions: Specific vulnerable versions not fully listed, but patches released for two of the three affected versions. SharePoint Server 2016 is explicitly noted as *unpatched* as of the summary date.
- Configurations: On-premises SharePoint servers exposed to the internet. Cloud-based SharePoint in Microsoft 365 is **not impacted**.
## Vulnerability Description
CVE-2025-53770 is a critical Remote Code Execution (RCE) vulnerability affecting on-premises Microsoft SharePoint servers. It is a bypass variant of the previously patched CVE-2025-49706. Successful exploitation allows unauthenticated attackers to gain full access to the system, leading to file access, internal configuration exposure, and code execution. Attackers leverage this flaw to bypass identity controls, including MFA and SSO. Crucially, exploited systems have been observed having their internal cryptographic machine keys stolen.
## Exploitation
- Status: Actively exploited in the wild ("ToolShell" exploit used to compromise hundreds of organizations globally).
- Complexity: Low (Implied by unauthenticated access and active rapid exploitation).
- Attack Vector: Network (Unauthenticated access via the internet).
## Impact
- Confidentiality: High (Access to files, internal configurations, and theft of cryptographic keys).
- Integrity: High (Code execution possible, leading to deployment of persistent backdoors).
- Availability: High (System compromise and potential disruption).
## Remediation
### Patches
- **Patches released** for two of the three affected SharePoint versions (as of Sunday, prior to the summary date).
- **SharePoint Server 2016:** No patch available as of Monday morning.
### Workarounds
1. **Immediate Action:** Turn on and properly configure the **Antimalware Scan Interface (AMSI)** in SharePoint.
2. **Drastic Mitigation:** Disconnect vulnerable SharePoint servers from the internet until patches are applied.
3. **Post-Compromise Requirement:** Organizations must investigate for compromise and **rotate/regenerate the stolen cryptographic machine keys** to ensure persistent access cannot be maintained after patching.
## Detection
- **Indicators of Compromise (IoCs):** Malicious ASPX payloads dropped via PowerShell; exfiltration of sensitive key material, specifically the SharePoint server's internal cryptographic machine keys.
- **Detection Methods and Tools:** Vendors (like Palo Alto Networks Unit 42 and Eye Security) are actively releasing intelligence. Organizations should urgently investigate existing compromises given the certainty of successful exploitation on exposed servers.
## References
- Vendor Guidance (Microsoft): hxxps://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- CISA Alert: hxxps://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
- CISA KEV Catalog: hxxps://www.cisa.gov/news-events/alerts/2025/07/20/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-catalog
- Research Findings (Eye Security): hxxps://research.eye.security/sharepoint-under-siege/