SharePoint zero-day exploit attacks are actively targeting thousands of organizations worldwide. Hackers are exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-53770. Microsoft has released emergency patches to contain the threat, but experts warn that updates alone won’t be enough.

Eye Security first detected in-the-wild exploitation on July 18, 2025; the attack chain is known as ToolShell. In the days that followed, attackers compromised over 85 servers across 54 organizations. Victims include U.S. state agencies, energy and healthcare providers, and private tech companies.

The vulnerability lets an unauthenticated attacker drop malicious payloads onto an exposed SharePoint server; no login credentials are needed. Once inside, they can steal the server's ASP.NET machine keys, impersonate users, and move laterally into connected Microsoft services such as Teams and Outlook.


Which Versions Are Vulnerable?

Microsoft confirmed that the following on-premises versions are vulnerable:

  • SharePoint Server Subscription Edition – Patch available
  • SharePoint Server 2019 – Patch available
  • SharePoint Server 2016 – No patch yet available (at the time of writing)

SharePoint Online is not affected.

The Shadowserver Foundation reports around 9,300 SharePoint server IPs exposed to the internet daily. The countries with the most exposed servers are:

  • United States – 3,043
  • Ireland – 695
  • Netherlands – 541
  • United Kingdom – 541
  • Canada – 495
  • Germany – 338

How the Exploit Works

The flaw stems from deserialization of untrusted data, which lets an attacker execute arbitrary code on the server without authenticating. Microsoft's advisory rates the vulnerability CVSS 9.8, reflecting that severity.

Because the flaw is reachable before authentication, identity protections such as MFA and SSO never come into play, and attackers use the foothold to plant persistent backdoors. The dropped ASPX payloads read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey), which let an attacker forge signed requests and keep access even after the patch is applied. Eye Security warns that this access survives reboots and software changes.


Patching Is Not Enough

Microsoft and CISA urge immediate action. If patching is delayed or impossible, systems should be disconnected from the internet.

Steps to take now:

  • Apply the latest patches for supported versions.
  • Enable AMSI (Antimalware Scan Interface) in full mode.
  • Install Microsoft Defender Antivirus on all SharePoint servers.
  • Rotate the ASP.NET machine keys and restart IIS so that any keys already stolen can no longer be used.
  • Audit IIS logs for POST requests to ToolPane.aspx and other suspicious POST traffic.
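The cleanup steps above, as a script added here for illustration; it is not code from the article, from Eye Security or from Microsoft. It assumes it runs in the SharePoint Management Shell as a farm administrator, and that Update-SPMachineKey (the cmdlet Microsoft's CVE-2025-53770 guidance names for key rotation) is available on your build. AMSI Full Mode itself is enabled from Central Administration and is not scripted here.

```powershell
# Added example (not from the article or from Microsoft): the cleanup steps as a
# SharePoint Management Shell script. Run as a farm administrator on one server;
# the IIS restart must then be repeated on every server in the farm.
# Assumption: Update-SPMachineKey is present on this SharePoint build.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: AMSI scanning of SharePoint requests only helps if Defender AV is active.
$mp = Get-MpComputerStatus
if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning 'Defender AV real-time protection is off; AMSI Full Mode will not scan anything.'
}

# Step 2: rotate the ASP.NET machine keys of every web application, Central
# Administration included. A stolen ValidationKey/DecryptionKey stays usable
# until this is done, patch or no patch.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine keys for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# Step 3: restart IIS so the worker processes stop using the old keys.
iisreset.exe
```

Rotate first, then restart: a restart alone reloads the same keys the attacker already has. Check Central Administration's timer job history afterwards to confirm the rotation job completed on every server before treating the stolen keys as dead.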

CISA flagged the flaw in its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies only one day to patch or isolate affected systems.


Monitor These Indicators of Compromise

Watch for POST requests to:

  /_layouts/15/ToolPane.aspx?DisplayMode=Edit

Known attacker IPs include:

  • 107.191.58[.]76
  • 104.238.159[.]149
  • 96.9.125[.]147

But other IPs are likely in use.
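One way to hunt for the two indicators above in IIS W3C logs, added here as an example rather than taken from the article or from any vendor tooling. The function reads the #Fields: header so it works whatever field order the server logs; the sample entries are constructed for this example and the log path in the final comment is the IIS default, which may differ on your servers.

```powershell
# Added example (not from the article): flag POST requests to ToolPane.aspx with
# DisplayMode=Edit, and any request from the attacker IPs the article lists.
# The sample log is constructed; the IIS log path is an assumption.

$KnownBadIps = @('107.191.58.76', '104.238.159.149', '96.9.125.147')

function Find-ToolShellRequests {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # IIS writes the field list at the top of each log; use it to index columns.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed lines
        $r = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $r[$fields[$i]] = $cols[$i] }

        $toolPane = ($r['cs-method'] -eq 'POST') -and
                    ($r['cs-uri-stem'] -match '(?i)/_layouts/15/ToolPane\.aspx$') -and
                    ($r['cs-uri-query'] -match '(?i)DisplayMode=Edit')
        $badIp = $KnownBadIps -contains $r['c-ip']
        if (-not ($toolPane -or $badIp)) { continue }

        $reason = if ($toolPane -and $badIp) { 'ToolPane POST from known attacker IP' }
                  elseif ($toolPane)        { 'ToolPane POST' }
                  else                      { 'Known attacker IP' }
        [pscustomobject]@{
            Time     = "$($r['date']) $($r['time'])"
            ClientIp = $r['c-ip']
            Request  = "$($r['cs-method']) $($r['cs-uri-stem'])?$($r['cs-uri-query'])"
            Status   = $r['sc-status']
            Reason   = $reason
        }
    }
}

# Constructed sample entries in IIS W3C format (not real traffic).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\jdoe 10.0.0.31 Mozilla/5.0 - 200 0 0 121
2025-07-19 02:15:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 864
2025-07-19 02:16:02 10.0.0.5 GET /_layouts/15/settings.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 401 0 0 12
2025-07-19 02:20:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.32 - 200 0 0 733
'@ -split "`r?`n"

Find-ToolShellRequests -Lines $sample | Format-Table -AutoSize

# Against a real server (default IIS log location, adjust for your site IDs):
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#     ForEach-Object { Find-ToolShellRequests -Lines (Get-Content $_.FullName) }
```

On the sample, the first line is normal traffic and is ignored; the second and fourth are flagged on the request pattern regardless of source address, and the third is flagged on the IP alone. Treat the IP list as the weaker signal: a ToolPane POST from an address not on the list is exactly what the article warns about.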

Also update IDS/IPS signatures for the request pattern above and remove unnecessary administrative permissions from SharePoint farm and service accounts to limit what a compromised server can reach.


Conclusion

The SharePoint zero-day exploit is one of the most serious enterprise threats this year. With backdoor access, credential theft, and lateral movement possible, organizations must act fast. Patching, monitoring, and cryptographic key rotation are essential—but isolating compromised servers may be the only way to prevent long-term damage.

