Microsoft SharePoint

Microsoft SharePoint Under Active Cyber Attack

by

What Is Happening?

A critical zero-day vulnerability in Microsoft SharePoint (CVE‑2025‑53770) is now being exploited worldwide. The flaw allows unauthenticated remote code execution (RCE), enabling attackers to steal cryptographic keys, drop web shells, and access sensitive SharePoint content.

The vulnerability, dubbed “ToolShell”, is actively being used against organizations across government, education, telecom, and energy sectors.

Latest Developments – July 21, 2025

Microsoft Releases Emergency Patch

Microsoft released patches for:

  • SharePoint Server 2019
  • SharePoint Subscription Edition

The SharePoint Server 2016 patch is expected this week. These updates also fix a related spoofing vulnerability (CVE‑2025‑53771).

“All on-prem customers must patch immediately and rotate ASP.NET keys,” says Microsoft Security Response Center (MSRC).

Government Agencies Respond

  • CISA (Cybersecurity and Infrastructure Security Agency) has added the bug to its Known Exploited Vulnerabilities (KEV) list.
  • U.S. federal agencies are required to apply the fix or disconnect vulnerable systems by July 21, 11:59 PM ET.

Exploitation Accelerates

  • Over 9,000 vulnerable SharePoint servers have been found in public scans.
  • Active exploit attempts detected from IPs in the U.S., China, and Eastern Europe.
  • Confirmed breaches include at least 75 organizations, including multiple government departments.

Who Is Affected?

✅ Affected:

  • All on-premises installations of Microsoft SharePoint 2016, 2019, and Subscription Edition.

❌ Not Affected:

  • SharePoint Online / Microsoft 365 (cloud-based).

Step-by-Step Mitigation Guide

1. Apply Microsoft’s July 2025 Patch
Install the latest security updates for SharePoint 2019 and SE immediately. Watch for the 2016 patch release.

2. Rotate ASP.NET MachineKeys
Use PowerShell (Update-SPMachineKey) or Central Admin to rotate cryptographic keys after patching. Restart IIS.

3. Enable AMSI + Defender for Endpoint
Enable Antimalware Scan Interface (AMSI). Microsoft Defender now includes detection signatures for known attack payloads.

4. Disconnect Unpatched Servers
If patching isn’t immediately possible, isolate vulnerable servers from the internet.

5. Threat Hunt: Look for Suspicious Activity
Check logs for unusual access to ToolPane.aspx?DisplayMode=Edit or files like spinstall0.aspx.

6. Revoke and Reset Credentials
Assume exposed credentials are compromised. Reset all service accounts and related credentials.

7. Plan for Migration to SharePoint Online
Long-term solution: migrate off on-prem servers. Cloud-based SharePoint Online is unaffected and actively maintained.

Why This Matters

  • Data Exposure: Stolen cryptographic keys allow attackers to decrypt tokens and impersonate users.
  • Persistent Backdoors: Even after patching, unrotated keys can allow re-entry.
  • Global Impact: Widespread exploitation across industries, with real-world breaches confirmed.

Grounded by a Glitch: The Real Reason Behind the Alaska Airlines Shutdown