{"id":351371,"date":"2025-07-20T19:17:59","date_gmt":"2025-07-21T02:17:59","guid":{"rendered":"https:\/\/msftnewsnow.com\/?p=351371"},"modified":"2025-07-20T19:18:37","modified_gmt":"2025-07-21T02:18:37","slug":"microsoft-sharepoint-zero-day-attack-toolshell","status":"publish","type":"post","link":"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/","title":{"rendered":"Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Exposes On-Premises Servers, Emergency Guidance Issued"},"content":{"rendered":"<div class=\"relative\">\n<div class=\"prose text-pretty dark:prose-invert inline leading-normal break-words min-w-0 [word-break:break-word]\">\n<p class=\"my-0\">Microsoft has confirmed that a zero-day vulnerability in on-premises SharePoint Server is being actively exploited, with no patch yet available for most affected versions. Tracked as <a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a> and nicknamed \u201cToolShell\u201d by researchers, the flaw is a deserialization of untrusted data bug that lets an unauthenticated attacker execute code on the server and take full control of it. As of July 20, 2025, the attacks have hit at least 75 to 85 organizations globally (<a href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/20\/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available\/\" target=\"_blank\" rel=\"noopener\">via <em>Forbes<\/em><\/a>), ranging from government agencies and financial institutions to universities and the energy sector.<\/p>\n<p class=\"my-0\">Microsoft urges urgent mitigation as attackers escalate exploitation, using the vulnerability to plant ASPX backdoors and to steal the server\u2019s ASP.NET machine keys, which let them keep code execution even after a patch is applied. 
Here\u2019s everything you need to know to assess your risk, respond to the evolving threat, and secure your infrastructure.<\/p>\n<h2 id=\"what-is-the-sharepoint-toolshell-zero-day-cve-2025\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>What Is the SharePoint ToolShell Zero-Day (CVE-2025-53770)?<\/strong><\/h2>\n<p><a href=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&w=2560&ssl=1\"><img decoding=\"async\" data-attachment-id=\"351377\" data-permalink=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/customerguidance\/#main\" data-orig-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-orig-size=\"573,720\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"customerguidance\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-large-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" class=\"alignnone wp-image-351377 size-full\" src=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" alt=\"Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Dubbed 
&quot;ToolShell&quot; Exposes On-Premises Servers: Emergency Guidance Issued\" width=\"573\" height=\"720\" srcset=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 573w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-119x150.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 119w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=229&amp;ssl=1 229w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=343&amp;ssl=1 343w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/customerguidance-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=458&amp;ssl=1 458w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><\/a><\/p>\n<p class=\"my-0\">The flaw is a <strong>deserialization of untrusted data<\/strong> bug in SharePoint Server\u2019s page-handling code. An attacker sends a crafted HTTP POST request to a SharePoint page endpoint, the server deserializes the attacker-supplied object it carries, and the embedded payload runs inside the SharePoint web application\u2019s worker process, <em>without any valid credentials<\/em>. CVE-2025-53770 is a variant of CVE-2025-49704, the code execution half of the ToolShell chain addressed in the July 2025 Patch Tuesday release, and CVE-2025-53771 is the matching variant of the CVE-2025-49706 authentication bypass; together they get past the July 8 fixes.<\/p>\n<p class=\"my-0\">Once exploited, attackers can:<\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Deploy arbitrary ASPX payloads<\/strong> into SharePoint\u2019s web directories, where IIS serves and executes them like any other page.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Steal the ASP.NET machine keys<\/strong> (the ValidationKey and DecryptionKey from the machineKey configuration). Whoever holds these keys can sign their own __VIEWSTATE payloads, which the server accepts as trusted and deserializes, so the attacker gains a second, credential-free route to code execution; the same keys are shared by every server in the farm that hosts the web application, so one theft covers them all.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Maintain <strong>persistent access<\/strong> to compromised environments, even after the security update is installed, for as long as the stolen keys remain in use.<\/p>\n<\/li>\n<\/ul>\n<blockquote>\n<p class=\"my-0\">\u201cToolShell is particularly dangerous because it lets attackers bypass authentication altogether. 
This opens the door for full-stack attacks, including data theft and ransomware deployment,\u201d warned one lead incident responder involved in the investigation.<\/p>\n<\/blockquote>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Affected SharePoint Versions<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>SharePoint Server 2016<\/strong><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>SharePoint Server 2019<\/strong><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>SharePoint Subscription Edition<\/strong><\/p>\n<\/li>\n<\/ul>\n<p class=\"my-0\"><em>Note: SharePoint Online (in Microsoft 365) is <strong>not<\/strong> impacted. This attack strictly targets on-premises deployments.<\/em><\/p>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Scope of the Attack<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Confirmed victims:<\/strong> 75\u201385 organizations across multiple continents<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>High-risk sectors:<\/strong> Government, finance, telecom, universities, energy<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Potential exposure:<\/strong> Tens of thousands of vulnerable SharePoint servers worldwide<\/p>\n<\/li>\n<\/ul>\n<p class=\"my-0\">Attackers exploit the flaw to steal intellectual property, disrupt daily operations, and potentially ransom critical data. 
Organizations who rely on on-premises SharePoint installations are <strong>strongly urged to take action immediately<\/strong>.<\/p>\n<h2 id=\"how-the-exploit-works\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>How the Exploit Works<\/strong><\/h2>\n<p><a href=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&w=2560&ssl=1\"><img decoding=\"async\" data-attachment-id=\"351389\" data-permalink=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/692f57e6-adda-41d4-bee5-85e4dcea6fb8\/#main\" data-orig-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-orig-size=\"720,720\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"692f57e6-adda-41d4-bee5-85e4dcea6fb8\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-large-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" class=\"alignnone wp-image-351389 size-full\" src=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" 
alt=\"Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Dubbed &quot;ToolShell&quot; Exposes On-Premises Servers: Emergency Guidance Issued\" width=\"720\" height=\"720\" srcset=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 720w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-150x150.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 150w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=288&amp;ssl=1 288w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=432&amp;ssl=1 432w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/692f57e6-adda-41d4-bee5-85e4dcea6fb8-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=576&amp;ssl=1 576w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p class=\"my-0\">The attack sequence observed in the wild involves:<\/p>\n<ol class=\"marker:text-textOff list-decimal\">\n<li>\n<p class=\"my-0\"><strong>Sending a crafted POST request<\/strong> to the page endpoint \/_layouts\/15\/ToolPane.aspx?DisplayMode=Edit with the HTTP Referer header set to \/_layouts\/SignOut.aspx. The spoofed Referer exercises the authentication-bypass half of the ToolShell chain, so the request is processed as if it came from a signed-in user.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Triggering deserialization<\/strong> of the attacker-controlled object carried in the request body, which executes arbitrary code under the SharePoint application pool identity (the IIS worker process, w3wp.exe).<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Writing an ASPX file<\/strong> into the LAYOUTS folder of the SharePoint hive (C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS). The file seen in these attacks, spinstall0.aspx, is not a conventional command shell: when requested, it reads the server\u2019s machineKey configuration and returns the ValidationKey and DecryptionKey to the attacker.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Using the stolen machine keys<\/strong> to sign __VIEWSTATE payloads that the server deserializes as trusted input. This is why the attackers keep control after the security update is installed: the patch closes the entry point, but forged ViewState keeps working until the keys are rotated.<\/p>\n<\/li>\n<\/ol>\n<p class=\"my-0\">Because the exploit runs before authentication, multi-factor authentication, strong passwords and conditional access never get a chance to act, and the request itself looks like ordinary SharePoint page traffic. The controls that actually reduce exposure are the ones below: keeping the server off the open internet, letting AMSI inspect the request body, patching, and rotating the keys.<\/p>\n<h2 
id=\"microsofts-emergency-guid ance\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>Microsoft\u2019s Emergency Guidance<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">A <strong>security update for SharePoint Subscription Edition<\/strong> is now available.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>No patch yet for SharePoint 2016 or 2019<\/strong> as of July 20, 2025; Microsoft says updates for both are in development. Until they ship, the mitigations below are the only protection those versions have.<\/p>\n<\/li>\n<\/ul>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Immediate Mitigation Steps<\/strong><\/h2>\n<p class=\"my-0\">Microsoft and leading cybersecurity agencies recommend the following urgent actions, <strong>even if you believe your servers are not compromised<\/strong>:<\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Confirm AMSI (Antimalware Scan Interface) integration is enabled<\/strong> and that Microsoft Defender Antivirus is running on every SharePoint server. AMSI integration is on by default once the September 2023 security update (SharePoint 2016 and 2019) or the Version 23H2 feature update (Subscription Edition) is installed, but verify it rather than assume it. With AMSI active, the antimalware engine sees the request before SharePoint deserializes it and can block the exploit.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Deploy Microsoft Defender for Endpoint (or an equivalent EDR) on the servers so that post-exploitation activity, such as the IIS worker process w3wp.exe spawning cmd.exe or powershell.exe, is detected rather than merely logged.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Rotate the ASP.NET machine keys<\/strong> on every affected web application, using the Update-SPMachineKey PowerShell cmdlet or the Machine Key Rotation Job in Central Administration, and then restart IIS on every server in the farm with iisreset.exe. Rotate after the security update is installed, or on versions without one, after AMSI is confirmed active; keys rotated on a server that is still exploitable can simply be stolen again.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Disconnect the server from the internet<\/strong> if AMSI cannot be enabled, leaving it reachable only through a VPN or an authenticating gateway.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Inspect SharePoint servers for unfamiliar ASPX files in the LAYOUTS folders and for unexpected edits to the machineKey element in web.config, and treat the keys on any exploited server as stolen even if that element looks untouched.<\/p>\n<\/li>\n<\/ul>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Incident Response Recommendations<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Hunt for persistence:<\/strong> Review recently created or modified ASPX files, new scheduled tasks and services, and any machine key changes. After rotating keys, watch the application event log for ViewState MAC validation failures: a burst of them from external addresses right after rotation usually means forged payloads signed with the old keys are still being sent.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Monitor for suspicious traffic:<\/strong> Examine IIS and proxy logs for the request patterns listed under Detection and Threat Hunting below, and for outbound connections from the SharePoint server to hosts it has no business contacting.<\/p>\n<\/li>\n<li>\n<p 
class=\"my-0\">Prepare for <strong>credential rotation and privilege audits<\/strong>: the exploit runs code as the SharePoint application pool identity, so the farm and application pool service account passwords, and any secrets stored on the server, should be treated as exposed.<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"detection-and-threat-hunting\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>Detection and Threat Hunting: Indicators of Compromise (IOCs)<\/strong><\/h2>\n<p class=\"my-0\">Security teams should:<\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Search the IIS logs (by default under C:\\inetpub\\logs\\LogFiles\\) for POST requests to \/_layouts\/15\/ToolPane.aspx with DisplayMode=Edit in the query string, above all where the Referer header is \/_layouts\/SignOut.aspx, and for any request for spinstall0.aspx. Signed-in site owners do open ToolPane.aspx in edit mode legitimately, so an anonymous source, the SignOut.aspx Referer and an external client address together are what make a hit high-confidence.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Look for ASPX files in the TEMPLATE\\LAYOUTS folders of both the 16 and the 15 hive that are not part of the product, comparing against a clean reference server or installation media, and for the IIS worker process w3wp.exe spawning cmd.exe, powershell.exe or other unexpected child processes.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Track changes to the ASP.NET machineKey configuration in web.config and record when the keys were rotated. The rotation time tells investigators which keys an attacker could have stolen, and ViewState MAC validation failures from external addresses after that time point to forged payloads signed with the old keys.<\/p>\n<\/li>\n<\/ul>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Forensic Best Practices<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Isolate compromised servers from the network to prevent spread, but do not power them off before memory and disk images have been taken.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Preserve forensic copies of exploited systems, including the IIS logs, web.config and the LAYOUTS folders, before rotating keys or making other configuration changes.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Share findings with relevant authorities, especially if protected personal or governmental data may be involved.<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"notable-sector--government-response\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>Notable Sector &amp; US Federal Government Response<\/strong><\/h2>\n<p class=\"my-0\">Due to the breadth of targeted attacks, including several US government agencies, the FBI and CISA are actively involved, and CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog. 
Agencies running on-premises SharePoint have received urgent directives to isolate vulnerable systems and follow Microsoft\u2019s mitigation instructions.<\/p>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Global Perspective<\/strong><\/h2>\n<p class=\"my-0\">Reports from international cybersecurity watchdogs suggest <strong>similar attacks are underway in Europe, Asia, and Australia.<\/strong> Organizations in regulated industries, including finance and energy, are particularly high-value targets.<\/p>\n<h2 id=\"related-developments\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>Related Developments<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Patch Tuesday Recap:<\/strong> 137 vulnerabilities were addressed in <a href=\"https:\/\/msftnewsnow.com\/july-2025-microsoft-patch-tuesday-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s July 2025 Patch Tuesday release<\/a>, among them CVE-2025-49704 and CVE-2025-49706, the original ToolShell pair. CVE-2025-53770 and CVE-2025-53771 bypass those fixes, so a SharePoint server that was fully patched on July 8 is still exploitable; rigorous patch management is necessary but, for this zero-day, not yet sufficient in several product lines.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Recent Microsoft 365 Outages:<\/strong> Earlier this month, both Microsoft 365 Copilot and <a href=\"https:\/\/msftnewsnow.com\/microsoft-outlook-suffers-july-2025-global-outage\/\" target=\"_blank\" rel=\"noopener\">Outlook suffered a <strong>19-hour outage<\/strong><\/a>, providing a stark reminder of the importance of reliable backups and cloud redundancy.<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"how-to-protect-your-sharepoint-environmenta-practi\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>How to Protect Your SharePoint Environment<\/strong><\/h2>\n<p><a 
href=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&w=2560&ssl=1\"><img decoding=\"async\" data-attachment-id=\"351394\" data-permalink=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1\/#main\" data-orig-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-orig-size=\"1080,720\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"8a9e94fd-ff6d-42ec-857d-e2fbe9020aad (1)\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-large-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" class=\"alignnone size-full wp-image-351394\" src=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" alt=\": Emergency Guidance Issued\" width=\"1080\" height=\"720\" srcset=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 1080w, 
https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-150x100.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 150w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=216&amp;ssl=1 216w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=432&amp;ssl=1 432w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=648&amp;ssl=1 648w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/8a9e94fd-ff6d-42ec-857d-e2fbe9020aad-1-scaled.jpg?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=864&amp;ssl=1 864w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><\/p>\n<ol class=\"marker:text-textOff list-decimal\">\n<li>\n<p class=\"my-0\"><strong>Apply Security Updates:<\/strong><br \/>\n<a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108285\" target=\"_blank\" rel=\"noopener\">Immediately install available updates for SharePoint Subscription Edition<\/a>. 
Monitor Microsoft\u2019s official guidance for the SharePoint 2016 and 2019 updates and install them the moment they are released.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Enable AMSI and Defender Antivirus:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Verify that Antimalware Scan Interface (AMSI) integration is active on every server in the farm. It is on by default with the September 2023 security update (2016 and 2019) or Version 23H2 (Subscription Edition), so a farm that is behind on updates may not have it.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Ensure Microsoft Defender Antivirus or an equivalent AMSI-aware engine is running with current signatures; AMSI only helps if an engine is registered to scan what SharePoint hands it.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Rotate Machine Keys:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Rotate the ASP.NET machine keys for every web application in the farm with the Update-SPMachineKey PowerShell cmdlet or the Machine Key Rotation Job in Central Administration; SharePoint pushes the new keys to each server\u2019s web.config. Restart IIS on every server afterwards (iisreset.exe) so that running worker processes stop honoring the old keys.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Do this after the security update is installed (or, on versions still awaiting one, after AMSI is confirmed active), and record the time of rotation: anything signed with the old keys is suspect from that moment on.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Restrict Server Exposure:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Take vulnerable servers off the open internet; where remote access is needed, put them behind a VPN or an authenticating reverse proxy so that unauthenticated requests never reach SharePoint.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Use firewalls and network segmentation to limit what a compromised SharePoint server can reach, especially domain controllers and the SQL Server hosting the farm databases.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Hunt for Backdoors:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Compare the ASPX files in the TEMPLATE\\LAYOUTS folders against a clean reference, check for w3wp.exe spawning command interpreters, and review scheduled tasks and services created since the first suspicious request in the IIS logs.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Prepare for Incident Response:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Designate a response team.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Create a plan for forensic analysis, restoration, and communications (internal and regulatory).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"long-term-defense-strategies\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\"><strong>Long-Term Defense Strategies<\/strong><\/h2>\n<ul 
class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Transition to SharePoint Online:<\/strong> Where possible, migrate on-premises workloads to Microsoft 365 to benefit from more frequent automated security updates.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Maintain Comprehensive Backups:<\/strong> Store regular, immutable backups and test restoration procedures.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Regularly Review Server Hardening:<\/strong> Apply the principle of least privilege; audit all local and domain admin accounts regularly.<\/p>\n<\/li>\n<\/ul>\n<p class=\"my-0\">Microsoft SharePoint\u2019s ToolShell zero-day is one of the most significant server threats in recent years. Organizations with on-premises SharePoint deployments must act quickly: apply all available mitigations, watch for signs of compromise, and prepare for evolving attack techniques as more threat actors target this vector.<\/p>\n<p class=\"my-0\">More details\u2014including technical deep-dives and updated guidance\u2014<a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">will be published as Microsoft releases patches for additional product versions<\/a>. Stay tuned for ongoing analysis and actionable defense strategies.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has confirmed a major zero-day vulnerability is being actively exploited in on-premises SharePoint Server, with no patch currently available for most affected versions. Dubbed CVE-2025-53770\u2014nicknamed \u201cToolShell\u201d by researchers\u2014the Microsoft SharePoint flaw enables unauthenticated attackers to take full control of targeted SharePoint servers. 
As of July 20, 2025, the attacks have hit at least 75 &#8230; <a title=\"Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Exposes On-Premises Servers, Emergency Guidance Issued\" class=\"read-more\" href=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/\" aria-label=\"Read more about Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Exposes On-Premises Servers, Emergency Guidance Issued\">Read more<\/a><\/p>\n","protected":false},"author":208461344,"featured_media":351398,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[24,2448],"tags":[1348,829,1271,778,668,830,1133,123,32,1083,1188],"class_list":["post-351371","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-microsoft-365-and-office","tag-authentication","tag-copilot","tag-cybersecurity","tag-microsoft","tag-microsoft-365","tag-microsoft-365-copilot","tag-microsoft-defender","tag-outlook","tag-patch-tuesday","tag-security","tag-sharepoint"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/24e12846-443b-4210-a446-e47d0e59ecba-scaled.jpg","jetpack_shortlink":"https:\/\/wp.me\/pfgCZY-1tph","jetpack-related-posts":[{"id":351492,"url":"https:\/\/msftnewsnow.com\/chinese-hackers-exploit-sharepoint-vulnerabilities\/","url_meta":{"origin":351371,"position":0},"title":"Microso
ft Says Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Immediate Security Updates Required","author":"Dave W. Shanahan","date":"July 22, 2025","format":false,"excerpt":"Microsoft has sounded the alarm after discovering ongoing, active exploitation of multiple critical SharePoint vulnerabilities in on-premises SharePoint Server deployments. The Microsoft Security Response Center (MSRC) blog published on July 19, 2025, reveals that Chinese nation-state actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, are targeting CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Microsoft Urges Immediate Security Updates","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2024\/07\/png-transparent-microsoft-sharepoint-server-microsoft-project-web-part-document-share-blue-text-trademark.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2024\/07\/png-transparent-microsoft-sharepoint-server-microsoft-project-web-part-document-share-blue-text-trademark.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2024\/07\/png-transparent-microsoft-sharepoint-server-microsoft-project-web-part-document-share-blue-text-trademark.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2024\/07\/png-transparent-microsoft-sharepoint-server-microsoft-project-web-part-document-share-blue-text-trademark.png?resize=700%2C400&ssl=1 
2x"},"classes":[]},{"id":351573,"url":"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-hacks-us-nuclear-set\/","url_meta":{"origin":351371,"position":1},"title":"Microsoft SharePoint Zero-Day Exploit Exposes U.S. National Nuclear Security Administration (NNSA)","author":"Dave W. Shanahan","date":"July 23, 2025","format":false,"excerpt":"A severe zero-day vulnerability in Microsoft SharePoint Server has triggered a cybersecurity crisis, culminating in breaches of over 50 organizations, including the U.S. National Nuclear Security Administration (NNSA) \u2014 the agency responsible for America\u2019s nuclear arsenal security. As reported by Bloomberg, Microsoft and federal authorities confirm that the exploit has\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"Microsoft SharePoint Zero-Day Exploit Exposes U.S. National Nuclear Security Administration (NNSA)","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":352714,"url":"https:\/\/msftnewsnow.com\/sharepoint-zero-day-attacks-surge-over-400-orgshit\/","url_meta":{"origin":351371,"position":2},"title":"SharePoint Zero-Day Attacks Surge: Over 400 Organizations Breached Amid Critical Microsoft Vulnerabilities","author":"Dave W. Shanahan","date":"July 24, 2025","format":false,"excerpt":"A wave of cyberattacks linked to Chinese-backed threat actors is sweeping across global enterprises, exploiting multiple zero-day vulnerabilities in Microsoft SharePoint. 
These coordinated attacks\u2014leveraging CVE-2025-49704, CVE-2025-49706, and newly identified patch bypasses CVE-2025-53770 and CVE-2025-53771\u2014are fueling both ransomware outbreaks and strategic espionage campaigns. At least 400 organizations have been breached as\u2026"}]}
