A critical zero-day vulnerability targeting Microsoft SharePoint Server installations is currently being exploited globally, prompting urgent warnings from cybersecurity experts. Identified as CVE-2025-53770, the flaw allows remote attackers to bypass identity safeguards – including multi-factor authentication – and gain system-level access.
From there, attackers can deploy malware, access sensitive files, and propagate laterally across an organization’s Windows domain. Despite Microsoft’s emergency patch issued on July 20, researchers say the fix does not fully mitigate the threat.
The vulnerability affects on-premises installations of Microsoft SharePoint Server, rather than cloud-hosted SharePoint Online within Microsoft 365. According to Eye Research, the cybersecurity firm that first disclosed the flaw, the attack surface is significant. Large enterprises, government agencies, educational institutions, and healthcare providers are among the most exposed, particularly those that rely heavily on integrated Microsoft services such as Teams, OneDrive, and Outlook.
ToolShell Attack Framework
What makes CVE-2025-53770 particularly dangerous is its association with ToolShell, a known attack framework. Exploits using ToolShell allow unauthorized access without user interaction, making it possible for malicious actors to take over servers with little effort. The link between SharePoint and other Microsoft collaboration tools further amplifies the risk, increasing the potential for widespread data exfiltration, credential theft, and operational disruption.
Microsoft acknowledged the severity of the issue in a blog post, confirming the ongoing exploitation and encouraging all SharePoint Server users to apply the emergency update immediately. However, security professionals stress that the patch does not offer complete protection. Organizations are being urged to take additional defensive measures, such as monitoring network activity, implementing endpoint detection tools, and isolating vulnerable systems until comprehensive remediation becomes available.
With attacks unfolding in real time, the urgency is clear: enterprises must act swiftly to secure their SharePoint environments and prevent further compromise.
Discover more from WIREDGORILLA
Subscribe to get the latest posts sent to your email.
