Critical Alert: Microsoft SharePoint On-Premises Servers Targeted in Zero-Day Exploit

A newly discovered zero-day vulnerability in Microsoft SharePoint Server is being actively exploited, placing businesses and government agencies at risk. The desktop name for the exploit is ToolShell (CVE-2025-53770 and CVE-2025- 53771). Hackers can bypass login protections and seize control of servers with no user interaction required.

WHY IT MATTERS

Security experts describe ToolShell as a “worst-case scenario” exploit because it’s trivial to weaponize and has already been used against hundreds of global targets including universities, healthcare providers, and government agencies. With widespread compromise reported since July 18, this is a clear and present danger.

WHO’S AT RISK

Only on-premises SharePoint Server deployments are affected; specifically, SharePoint Server 2019, Subscription Edition, and possibly 2016. Cloud-based SharePoint Online (Microsoft 365) is NOT affected, but any legacy on-prem SharePoint still live is at risk.

This kind of exploit can be disastrous for organizations handling sensitive data, as it allows attackers to steal documents, access internal systems, and even disrupt operations without detection.

HOW THEY’RE ATTACKING

• Attackers send a specially crafted web request to on-prem SharePoint with no authentication required
• They bypass built-in security checks and drop a malicious web shell
• The web shell steals encryption keys, granting attackers full administrative control
• From there, attackers can move laterally into Teams, OneDrive, Outlook, exfiltrate data, or deploy ransomware

HOW ISI CAN HELP

We’ve audited all managed client environments. None of our customers currently operate SharePoint Online or on-prem SharePoint deployments. As such, no immediate action is required from your side.

We’re actively monitoring the situation and remain ready to respond in case it evolves into a broader platform risk.

If you’d like assistance confirming there are no legacy or unknown systems in your environment, we’re here to assist you with:

• Verifying whether any on-prem SharePoint servers are deployed
• Applying emergency patches
• Rotating cryptographic keys
• Investigating potential signs of compromise

WHAT TO DO NOW

IF YOU RUN ON-PREM SHAREPOINT SERVER:

1. Apply emergency patches IMMEDIATELY.
   • Install Microsoft’s updates for Subscription Edition or SharePoint 2019.
2. Disconnect affected servers from the internet until patched.
3. Review server activity logs for suspicious logins or file drops since July 18.
4. Rotate encryption keys as they may have been stolen during attacks.
5. Increase monitoring on interconnected services (Teams, OneDrive, Outlook).

IF YOU USE SHAREPOINT ONLINE ONLY:

• You are not affected by this vulnerability.
• Still, verify no on-prem servers are running or accidentally exposed.

If you have SharePoint Server on-premises, patch now, isolate the server, and review for signs of attack. If you’re cloud-only, confirm that no legacy infrastructure is hiding in the shadows.

Resources:

• Patch Now: SharePoint Servers at Risk of New RCE Attack
• Hackers exploit recently discovered vulnerability on Microsoft SharePoint servers | AP News

Stay safe,
— The ISI Cybersecurity Team