Critical SharePoint zero-day flaw exploited, urgent actions urged
A critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770 (a deserialization of untrusted data flaw reachable by an unauthenticated attacker over the network), is being actively exploited by threat actors and poses a significant security risk to organisations running on-premises SharePoint environments.
Security researchers and technology companies have raised urgent concerns about the sophistication and reach of the campaign, dubbed "ToolShell", which enables remote code execution (RCE), full server compromise and persistent backdoor access. Because the attack requires no valid credentials, controls such as multi-factor authentication (MFA) and single sign-on do not block it: the exploit never passes through the login flow they protect.
According to Adrian Culley, Senior Sales Engineer at SafeBreach, the situation is particularly serious because the attacks exploiting this vulnerability commenced before any security patches were made available, placing it in the most dangerous category of threats to enterprise infrastructure. "This CVE represents a critical security incident: it was exploited as a zero-day vulnerability in active attacks against production systems before any patches were available - the most severe type of threat organisations face," Culley stated.
Further complicating the response, no single patch covers every affected version of the product. Microsoft has taken the unusual and cautionary step of advising organisations to assume their systems may already be compromised, and to immediately conduct comprehensive investigations to verify the integrity of their environments. Language of this kind is rarely used in public advisories and reinforces the gravity of the incident.
SharePoint Server 2016 installations face a particular challenge because, at the time of writing, no fix is available for that version. Organisations running these environments are being told to apply Microsoft's interim mitigations and, according to SafeBreach, to lean on breach and attack simulation alongside existing security controls to gauge their exposure. Culley recommended, "Proactive defence requires targeted hardening measures and resilience improvements to prevent falling victim to this sophisticated attack vector."
Analysis from Mandiant Consulting, part of Google Cloud, indicates that this exploit is being used by multiple threat actors, including groups linked to China.
Charles Carmakal, CTO at Mandiant Consulting, stressed the breadth of the threat landscape: "We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability."
Carmakal warned that further threat actors are expected to join as awareness and knowledge of the exploit spreads, increasing the urgency for defensive actions.
Google's Threat Intelligence Group has observed attackers leveraging CVE-2025-53770 to install webshells and exfiltrate cryptographic secrets from compromised servers. The secrets in question are the ASP.NET machine keys (the ValidationKey and DecryptionKey) that SharePoint uses to sign and encrypt ViewState. An attacker holding a copy of those keys can craft validly signed __VIEWSTATE payloads and regain code execution without touching the original bug, so simply patching a server that has already leaked its keys does not close the door; the keys have to be rotated as well. This is what gives the actors unauthenticated, long-term access to targeted systems, putting confidential data and business operations at risk.
In its emergency guidance, Microsoft clarified that this vulnerability affects only on-premises versions of SharePoint Server. Organisations using SharePoint Online as part of Microsoft 365 are not impacted. For those running on-premises servers exposed to the internet, immediate action is advised. Microsoft's interim mitigations are to enable AMSI integration in SharePoint and run Microsoft Defender Antivirus on every SharePoint server (or, where AMSI cannot be enabled, to disconnect the server from the internet until it is patched), and to rotate the ASP.NET machine keys and restart IIS once a fix is applied. Experts recommend implementing that advice, closely monitoring systems for signs of compromise, and preparing to deploy an emergency patch as soon as it becomes available for each affected version.
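The "monitor for signs of compromise" advice above is concrete enough to script. The following is an added example written for this article, not code from Microsoft, Mandiant or Google. It parses IIS W3C logs and flags the two request patterns Microsoft's guidance lists for this campaign: an unauthenticated POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` in the query and a `Referer` of `/_layouts/SignOut.aspx`, and any request for the `spinstall0.aspx` webshell dropped into the LAYOUTS directory. The log lines, hostnames and client addresses below are constructed for the example; the legitimate admin GET to ToolPane.aspx is included on purpose to show that the rule keys on the method and the SignOut referer, not on the page name alone.

```python
import re

# Constructed IIS W3C log excerpt (not real traffic). The #Fields header is the
# default IIS layout, which the parser uses to name each column.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/Shared+Documents/Forms/AllItems.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 311
2025-07-19 03:13:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 45
2025-07-19 03:14:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.80 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 88
"""

# Webshell names reported for this campaign: spinstall0.aspx and numbered variants.
WEBSHELL_RE = re.compile(r"/_layouts/(?:1[56]/)?spinstall\d*\.aspx$")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return a rule name if the record matches a ToolShell indicator, else None."""
    method = rec["cs-method"].upper()
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"].lower()
    referer = rec["cs(Referer)"].lower()
    # Exploit delivery: POST to ToolPane.aspx in edit mode with the SignOut referer.
    # The referer may be logged as a bare path or a full URL, hence endswith().
    if (method == "POST"
            and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx")):
        return "toolshell-exploit-attempt"
    # Post-exploitation: any hit on the dropped webshell, whatever the status code.
    if WEBSHELL_RE.search(stem):
        return "toolshell-webshell-access"
    return None


def hunt(log_text):
    """Run the indicators over a log and return the matching requests in order."""
    findings = []
    for rec in parse_iis_log(log_text):
        rule = classify(rec)
        if rule:
            findings.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "rule": rule,
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
            })
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["rule"]} {hit["uri"]} {hit["status"]}')
```

Run it against the real log directories (`%SystemDrive%\inetpub\logs\LogFiles\W3SVC*` by default). A hit on either rule is a reason to treat the server as compromised: check the LAYOUTS directory for the webshell on disk, rotate the machine keys, and start the investigation Microsoft and Mandiant describe, because a successful ToolPane POST followed by a 200 on spinstall0.aspx means the keys have most likely already left the box.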
Carmakal summed up the reality facing organisations: "This isn't an 'apply the patch and you're done' situation. Organisations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions."
Given the current lack of a comprehensive patch, vigilance in monitoring, rapid application of mitigations, and thorough investigative processes will be mandatory in defending against the expanding wave of exploitation. Security professionals emphasise that building resilience and continually reviewing security postures are critical as the situation evolves and more actors target the vulnerability.