Thousands of organizations worldwide face active cyberattacks targeting Microsoft SharePoint servers through two critical vulnerabilities, prompting urgent government warnings and emergency patches. Microsoft confirmed over the weekend that threat actors are actively exploiting two zero-day vulnerabilities in on-premises SharePoint servers, designated CVE-2025-53770 and CVE-2025-53771.

The attacks, dubbed “ToolShell” by security researchers, have compromised dozens of organizations globally since July 18, including U.S. federal agencies, universities, and energy companies. Eye Security, which first disclosed the active exploitation, reported scanning more than 8,000 SharePoint servers globally and finding evidence of ongoing attacks in multiple waves. Security researchers estimate that over 10,000 SharePoint servers worldwide remain vulnerable, with the highest concentrations in the United States, the Netherlands, the United Kingdom, and Canada.

The primary vulnerability, CVE-2025-53770, carries a critical CVSS score of 9.8 and enables unauthenticated remote code execution through unsafe deserialization of untrusted data. The companion flaw, CVE-2025-53771 (CVSS 6.3), allows attackers to bypass authentication by manipulating HTTP headers, specifically by crafting requests with forged Referer headers pointing to SharePoint’s sign-out page.

The ToolShell exploit chain begins with specially crafted POST requests to SharePoint’s vulnerable ToolPane.aspx endpoint. Attackers manipulate the Referer header to bypass authentication, then upload malicious ASPX files, typically named “spinstall0.aspx”, to extract critical cryptographic keys from the server. The technique allows threat actors to execute PowerShell commands through SharePoint’s IIS worker process (w3wp.exe), often running under NT AUTHORITY\IUSR privileges. “The vulnerability fundamentally breaks SharePoint’s security model,” explained researchers at Strobes Security.

Microsoft released emergency security updates on July 21 for SharePoint Server Subscription Edition (KB5002768) and SharePoint Server 2019 (KB5002754), with language pack updates also available. However, SharePoint Server 2016 remains vulnerable, with Microsoft working to develop comprehensive patches.

The rapid progression from proof-of-concept demonstration to mass exploitation within just 72 hours highlights an evolving threat landscape in which zero-day vulnerabilities can be weaponized almost instantly. “We’re witnessing an urgent and active threat,” warned Lotem Finkelstein, Director of Threat Intelligence at Check Point Research. One notification to affected organizations read: “Alert: SharePoint CVE-2025-53770 incidents! In collaboration with @eyesecurity & @watchtowrcyber we are notifying compromised parties.”
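For defenders reviewing IIS logs, the following Python sketch (an added illustration, not code from the article or from any vendor) flags the two request patterns the article describes: POSTs to ToolPane.aspx whose Referer points at the sign-out page, and any request for spinstall0.aspx. The log lines and the exact URL paths are constructed assumptions.

```python
"""Flag ToolShell-style request patterns in IIS W3C logs (added example, not
from the article or any vendor tool; the endpoint paths and log lines below
are constructed assumptions based on the endpoints the article names)."""

# Constructed sample in IIS W3C format; field order comes from the #Fields header.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 03:12:41 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-19 03:12:44 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
2025-07-19 03:13:02 GET /sites/hr/_layouts/15/start.aspx - 198.51.100.5 https://intranet.example/sites/hr 200
2025-07-19 03:14:10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.5 https://intranet.example/_layouts/15/settings.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            parts = raw.split()
            if len(parts) == len(fields):  # skip truncated or garbled lines
                yield dict(zip(fields, parts))

def classify(entry):
    """Return the indicator names matched by a single request (empty if benign)."""
    stem = entry["cs-uri-stem"].lower()
    referer = entry.get("cs(Referer)", "-").lower()
    hits = []
    # CVE-2025-53771 pattern from the article: a POST to ToolPane.aspx whose
    # Referer points at the sign-out page, which a real browser session never sends.
    if (entry["cs-method"] == "POST" and stem.endswith("/toolpane.aspx")
            and referer.endswith("/signout.aspx")):
        hits.append("toolpane_post_with_signout_referer")
    # Post-exploitation artifact: the web shell file name the article reports.
    if stem.endswith("/spinstall0.aspx"):
        hits.append("spinstall0_webshell_request")
    return hits

def find_toolshell_indicators(text):
    """Map client IP -> ordered list of indicators seen for that client."""
    suspects = {}
    for entry in parse_w3c(text):
        for hit in classify(entry):
            suspects.setdefault(entry["c-ip"], []).append(hit)
    return suspects

if __name__ == "__main__":
    for ip, hits in find_toolshell_indicators(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(hits))
```

A client that produces both indicators in sequence, as 203.0.113.7 does in the sample, warrants treating the server as compromised rather than merely probed.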
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Jul 2025 06:15:14 +0000