Urgent Alert: Critical Vulnerability Found in Microsoft Office SharePoint Server

Overview of the Vulnerability

The Australian Cyber Security Centre (ACSC) has issued a pressing alert regarding a critical security flaw in Microsoft Office SharePoint Server. This vulnerability, labeled CVE-2025-53770 and commonly referred to as ToolShell, poses significant risks to both government and enterprise sectors, as it is already being exploited by malicious actors in the wild.

Details of CVE-2025-53770

CVE-2025-53770 is a variant of a previously identified vulnerability (CVE-2025-49706). Exploiting this flaw lets an attacker feed untrusted data to an on-premises SharePoint Server, which can lead to remote code execution and unauthorized access to sensitive SharePoint content.

Active Exploitation

The US Cybersecurity & Infrastructure Security Agency (CISA) has also alerted users about the ongoing exploitation of this vulnerability. Their July 21 update highlighted the necessity for organizations to follow Microsoft’s guidance pertaining to the vulnerability and to stay abreast of all relevant security updates.

Recommendations for Organizations

Benjamin Harris, CEO of watchTowr, emphasized that his team is closely monitoring the continued exploitation, pointing to widespread attacks across various sectors within the government and technology domains. Given that no patches are available at this time, organizations are urged to take immediate action to mitigate risk.

Key Mitigation Strategies

  1. Use Supported Versions: Ensure that you are utilizing supported versions of on-premises SharePoint Server.
  2. Apply Security Updates: Regularly implement the latest security updates, including those released in July 2025.
  3. Activate Antimalware Scanner: Enable and properly configure the Antimalware Scan Interface (AMSI) along with a suitable antivirus solution, such as Defender Antivirus.
  4. Implement Endpoint Protection: Deploy Microsoft Defender for Endpoint or similar threat protection solutions.
  5. Rotate Machine Keys: Regularly update SharePoint Server ASP.NET machine keys to safeguard against unauthorized access.

Attack Methodology

Harris outlined that recent attacks have shown remarkable sophistication. Attackers are deploying persistent backdoors that retrieve SharePoint’s internal cryptographic keys, specifically the MachineKey used to protect the __VIEWSTATE parameter. __VIEWSTATE is a core part of the ASP.NET framework: it carries page state between requests, and the MachineKey is what lets the server verify that the state it receives back is the state it issued.

By obtaining these keys, attackers can create forged __VIEWSTATE payloads that SharePoint accepts as genuine, so the validation step that should reject tampered state never fires. The result is remote code execution that leaves few obvious traces, raising the threat level for organizations that may not realize they have already been compromised.
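Because stolen keys remain valid until they are replaced, mitigation step 5 above (rotate the ASP.NET machine keys) is what invalidates any __VIEWSTATE payloads forged from keys taken before the rotation. The following is an added example, not part of the original alert or Microsoft's own tooling; it assumes an elevated SharePoint Management Shell run by a farm administrator, a build on which the Update-SPMachineKey cmdlet is available (verify with Get-Command before relying on it), and WinRM access to each SharePoint server so IIS can be restarted remotely.

```powershell
# Added example (not from the alert): rotate the ASP.NET machine keys of every
# web application in the farm, then restart IIS on every SharePoint server so
# the worker processes stop honouring the old keys.
# Assumptions: elevated SharePoint Management Shell, farm admin rights, and a
# build that ships Update-SPMachineKey; WinRM enabled on all farm servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available on this build. Apply the current security updates first, or run the machine key rotation from Central Administration."
}

# Rotate keys for every web application, including Central Administration.
$rotated = @()
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
    $rotated += $webApp.Url
}

# The new keys live in the farm configuration; each SharePoint server must
# recycle IIS to load them. Servers with role 'Invalid' are not SharePoint
# servers (typically the SQL host) and are skipped.
$farmServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $farmServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}

Write-Host "Rotated keys for $($rotated.Count) web application(s) and restarted IIS on $($farmServers.Count) server(s)."
```

Rotation only closes the door going forward: any backdoor that was planted before the rotation still needs to be found and removed, which is why the alert tells organizations to assume compromise until proven otherwise.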

Long-Term Impact

The situation demands urgent attention. Once a SharePoint instance has been exposed while vulnerable, organizations must assume it may already be compromised until proven otherwise. The longer the vulnerability remains unaddressed, the greater the danger it poses to IT infrastructure.

Future Updates from Microsoft

While Microsoft is in the process of developing a security update to combat CVE-2025-53770, the emphasis remains on swift remedial actions to mitigate the threat. Until a permanent resolution is deployed, organizations are advised to take immediate steps to ensure their systems are as secure as possible.

In summary, the seriousness of CVE-2025-53770 cannot be overstated. Organizations using Microsoft SharePoint should act now to safeguard their infrastructure against this burgeoning threat.
