Microsoft SharePoint Under Active Exploitation, Warns CISA
On July 20th, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated an existing security warning, stating that a critical zero-day remote code execution vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint servers is currently being exploited in large-scale cyberattacks.
Dubbed ToolShell, the exploit enables unauthenticated attackers to manipulate the /_layouts/15/ToolPane.aspx?DisplayMode=Edit endpoint to deploy malicious .aspx payloads, extract configuration files, and steal cryptographic machine keys, laying the groundwork for long-term access and broader network infiltration.
Security researchers at Eye Security first observed signs of the attack during the evening of July 18th. Within hours, dozens of servers—including government, higher education, energy, telecom, and public sector environments—were confirmed compromised. The attackers didn’t rely on conventional web shells; instead, they deployed stealthier agents that extracted machine keys and allowed encrypted tokens to be forged, effectively bypassing security patches and system restarts.
Who is Impacted by the Microsoft SharePoint Breach?
Microsoft has confirmed that the vulnerability affects on-premises SharePoint versions 2016, 2019, and Subscription Edition, but does not impact SharePoint Online within Microsoft 365. As of July 21st, roughly 75 to 85 servers globally have been confirmed compromised, including U.S. federal and state agencies, universities, energy companies, and international telecom firms, with additional estimates suggesting that over 8,000 vulnerable servers remain exposed.
Attackers have successfully stolen machine-level cryptographic keys, enabling them to create forged tokens and remain persistent even after patches or reboots. This persistence elevates the risk dramatically—patching alone will not eliminate the threat unless full remediation steps are taken.
CISA and Microsoft Provide Immediate Mitigations for Clients
In its advisory, CISA emphasized that vigilance and response must go beyond patching. Organizations are strongly urged to deploy security updates for SharePoint 2019 and Subscription Edition, with a patch for SharePoint 2016 still in development. Additionally, CISA recommends environmental changes such as:
Disconnecting vulnerable servers from the internet when possible
Enabling AMSI integration and Microsoft Defender Antivirus
Conducting threat-hunting for suspicious POST activity to ToolPane.aspx
Rotating or revoking any cryptographic keys that may have been compromised
Microsoft’s guidance likewise highlights the importance of Defender AV, Defender for Endpoint, and robust logging to detect the installation of payloads like spinstall0.aspx, a telltale indicator of compromise.
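The two hunting indicators named above (POST requests to ToolPane.aspx in edit mode, and any request touching a spinstall0.aspx payload) can be checked against IIS W3C logs with a short script. The following is an added example written for this article, not code from CISA, Microsoft, or Eye Security; the log lines, the field layout, and the client addresses in it are constructed for illustration, and the indicator names are our own labels.

```python
"""Hunt IIS W3C logs for the two ToolShell indicators the advisory text names:
POST requests to ToolPane.aspx with DisplayMode=Edit, and any request for a
spinstall0.aspx payload.  The sample log below is constructed for this example."""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C log: a #Fields header plus a few entries.
# 203.0.113.7 is a documentation-range address used here as the "attacker";
# 10.0.0.x entries are benign internal traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 21:02:11 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-18 21:04:39 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 200
2025-07-18 21:04:41 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-18 21:05:02 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.5 200
2025-07-18 21:06:13 POST /_layouts/15/upload.aspx - 10.0.0.9 302
"""


@dataclass(frozen=True)
class Finding:
    when: str        # "date time" from the log row
    client: str      # c-ip
    indicator: str   # which rule fired
    uri: str         # cs-uri-stem


def parse_w3c(text):
    """Yield one dict per data row, using the column names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):    # malformed row: skip it, don't abort the hunt
            continue
        yield dict(zip(fields, values))


def classify(row):
    """Return an indicator label for a row, or None if it matches neither rule."""
    stem = row.get("cs-uri-stem", "").lower()
    method = row.get("cs-method", "").upper()
    query = row.get("cs-uri-query", "-")
    # IIS writes "-" for an empty query string; keys are compared case-insensitively.
    params = {k.lower(): [v.lower() for v in vals]
              for k, vals in parse_qs("" if query == "-" else query).items()}
    # Rule 1: the advisory calls out POSTs to ToolPane.aspx; a GET of the same page
    # in edit mode is ordinary admin traffic, so only the POST is flagged.
    if stem.endswith("/toolpane.aspx") and method == "POST" \
            and "edit" in params.get("displaymode", []):
        return "toolpane-edit-post"
    # Rule 2: any hit on the spinstall0.aspx payload name is a compromise indicator.
    if stem.endswith("/spinstall0.aspx"):
        return "spinstall0-payload"
    return None


def hunt(text):
    """Run both rules over a W3C log and return the matching rows as Findings."""
    findings = []
    for row in parse_w3c(text):
        indicator = classify(row)
        if indicator:
            findings.append(Finding(f"{row['date']} {row['time']}",
                                    row["c-ip"], indicator, row["cs-uri-stem"]))
    return findings


def clients_of_interest(findings):
    """Distinct client addresses that triggered at least one rule."""
    return sorted({f.client for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.when}  {f.client:<15} {f.indicator:<20} {f.uri}")
    print("clients to investigate:", clients_of_interest(hunt(SAMPLE_LOG)))
```

Running the script against the constructed sample reports the POST to ToolPane.aspx and the subsequent spinstall0.aspx request from the same external address, while the internal GET of ToolPane.aspx in edit mode is left alone. On a real server the text would come from the IIS log directory for the SharePoint web application, and any hit should be treated as a trigger for the key-rotation and remediation steps listed above rather than as a conclusion on its own.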
The Wider Impact Beyond SharePoint
Securing SharePoint should not happen in isolation. Since compromised servers are often interconnected with Outlook, Teams, OneDrive, Active Directory, and domain controllers, attackers may use this foothold for credential harvesting, data exfiltration, and lateral movement. The FBI and global CERT organizations are actively coordinating with Microsoft and CISA to track actor activity and support remediation efforts.
Security analysts note that continued compromise is a real risk—unless environments undergo threat hunting, key rotation, and rigorous cleaning, attackers can exploit stolen keys and persist after traditional patch cycles.