Hackers are exploiting a critical vulnerability in Microsoft SharePoint that can be used to steal sensitive data and remotely execute malicious code.
SharePoint, Microsoft’s near-ubiquitous content management and collaboration platform, is used by more than 200,000 organisations either on-premises or via the cloud.
The vulnerability, if exploited, can enable unauthorised access to on-premises SharePoint servers, allowing malicious actors to compromise SharePoint contents, such as file systems and internal configurations, and execute code over an affected network.
Dubbed CVE-2025-53770 or ‘ToolShell’, the vulnerability was assigned a ‘critical’ severity rating under the Common Vulnerabilities and Exposures (CVE) program, while the US Cybersecurity and Infrastructure Security Agency (CISA) reported evidence of active exploitation as of Sunday.
“Technically with CVE-2025-53770, attackers don’t need credentials,” said Jamieson O’Reilly, founder of Australian information security company Dvuln.
“This is point and shoot – if your SharePoint is on the internet, then it’s exposed.”
On Sunday, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) urged organisations to “act now” after Microsoft observed the exploit “exists in the wild” with active attacks targeting on-premises SharePoint Server customers.
“Australian organisations should review their networks for use of vulnerable instances of the Microsoft Office SharePoint Server products and consult Microsoft’s customer advisory for mitigation advice,” ACSC wrote.
Who does this affect?
Microsoft reported two separate vulnerabilities in SharePoint – one being a less severe ‘path traversal’ exploit (CVE-2025-53771) that enables already logged-in attackers to conduct spoofing, and the other (ToolShell) involving the “deserialisation of untrusted data” to ultimately allow unauthorised remote code execution.
On Saturday, the tech giant said the flaws apply only to on-premises SharePoint Servers and had not impacted SharePoint Online in Microsoft 365.
Information Age contacted Microsoft to ask how many SharePoint clients are running on-premises or hybrid deployments but was only directed to the company’s ToolShell blog post.
O’Reilly meanwhile said “a lot of environments” still have legacy SharePoint servers online.
“[This is] either because they’ve got old workflows that never got rebuilt, integrations that weren’t refactored, or because no one wanted to deal with the migration complexity,” said O’Reilly.
O’Reilly, whose company conducts penetration testing, added SharePoint and similar services are a “gold mine” for attackers.
“Finance dumps their reporting folders there, IT stores outdated runbooks and admin procedures, legal stores contracts and HR stores personally identifiable information,” said O’Reilly.
“And across almost every SharePoint instance we’ve breached, someone has always uploaded a spreadsheet with ‘passwords’ or buried credentials in a project document they forgot existed.
“People think of SharePoint as just an internal wiki, but in reality it becomes the central unstructured data repo for the whole business, and it rarely gets hardened because it’s seen as ‘just a document platform.’”
No credentials needed
Dutch cybersecurity firm Eye Security scanned over 8,000 global SharePoint servers to discover “dozens of systems” had been “actively compromised” over the weekend.
While responding to an alert for one of its clients, Eye Security came across a concerning and paradoxical log entry: a suspicious process on a legacy, on-premises SharePoint server had been triggered by an authenticated request that was made after the requesting user had already logged out.
“We developed a feeling that credentials were never used,” wrote Eye Security.
The firm realised it was dealing with a zero-day vulnerability that required no prior credential-based intrusion and instead relied on a highly technical exploit of SharePoint’s deserialisation mechanisms to fraudulently acquire validation keys.
This discovery – which was effectively a combination of two prior exploits discovered earlier in the year – resulted in payloads which can “embed any malicious commands” and are “accepted by the server as trusted input”.
Microsoft is patching, but companies shouldn’t wait
Eye Security said the threat is “already operational and spreading rapidly”, while Microsoft said it has released “security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019”.
A patch for SharePoint 2016, however, is not available at the time of writing.
“Organisations with unpatched SharePoint servers should not wait for a fix,” said Eye Security.
“They should assess for compromise immediately and respond accordingly.”
Microsoft said that, while it works on security updates for supported versions of SharePoint, customers should follow the mitigation steps published on its security blog.
These steps include rotating SharePoint Server ASP.NET machine keys, applying the latest available security updates, ensuring the Microsoft Antimalware Scan Interface (AMSI) is turned on, and deploying Microsoft Defender for Endpoint detection.
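The machine-key rotation step above, as an added example that is not code from the article or from Microsoft's advisory. It assumes a SharePoint 2019 or Subscription Edition farm whose PowerShell snap-in provides the Update-SPMachineKey cmdlet, and that the script runs elevated on a farm server only after the available security update or the AMSI step has been applied.

```powershell
# Added example (not from the article or Microsoft's advisory): rotate the ASP.NET
# machine keys of every content web application in the farm, then restart IIS so
# the new keys are loaded. Rotation invalidates keys an attacker may already hold,
# so it only helps once the exploit path itself is closed (update or AMSI first).
# Assumption: Update-SPMachineKey is available (SharePoint 2019 / Subscription
# Edition) and this runs elevated as the farm account on a SharePoint server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$results = foreach ($webApp in Get-SPWebApplication) {
    try {
        # Regenerates the validation/decryption keys for this web application and
        # queues their deployment to the farm's servers.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.DisplayName; Url = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.DisplayName; Url = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

if ($results.Rotated -contains $false) {
    Write-Warning "Rotation failed for at least one web application; resolve that before restarting IIS."
    exit 1
}

# The new keys only take effect once IIS reloads them. Run this on EVERY SharePoint
# server in the farm, not just the one where the rotation was triggered.
& iisreset.exe
```

Keep the table of results with the incident record: a web application that failed to rotate is still trusting keys that may have been captured.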