ToolShell Zero-day: U.S. CISA urges FCEB Agencies to Fix 2 Microsoft SharePoint Flaws Immediately

SharePoint Vulnerability (CVE-2025-53770)

What Happened?

A new zero-day vulnerability in Microsoft SharePoint Server, known as ToolShell, is being actively exploited.

The flaw, CVE-2025-53770, is classified as critical and has already been exploited in attacks against U.S. federal agencies, European governments, and enterprises in the energy and education sectors.

On July 21, Microsoft released an emergency patch, but attackers were already exploiting the flaw in the wild before the sufficiency of that patching could be established.

This gave an unidentified adversary unauthenticated remote access to SharePoint, potentially allowing control of the server without any credentials or authentication tokens, along with theft of the cryptographic key (secret) that enables long-term persistence.

The situation gives further cause for alarm, showing once again how poorly enterprise software security posture and cryptographic hygiene have kept pace with the resources of both traditional and modern threat actors.

What is the ToolShell Exploit?

The ToolShell exploit is a zero-day attack chain that exploits Microsoft SharePoint Server. It exploits a critical deserialization vulnerability (CVE-2025-53770) to get full unauthenticated remote access to on-premises servers.

Because the attack requires no user interaction, the exploit is highly effective against enterprise deployments.

ToolShell exploits SharePoint 2019 and SharePoint Subscription Edition – it does not affect SharePoint Online (Microsoft 365).

Why the Threat Matters

  • CVSS Score: 9.8 (Critical)
  • Vulnerabilities Involved: CVE-2025-53770 and CVE-2025-53771
  • Attack Type: Remote Code Execution (RCE)
  • Impact: Full system control, shell access, persistent backdoors
  • Affected: U.S. government, energy companies, universities, and telecoms

How Does the ToolShell Attack Work?

  • Crafted Payload: Attackers craft a malicious .NET ViewState payload.
  • No Authentication Required: The exploit does not require valid credentials to log in.
  • Code Execution: The malicious code gets executed remotely on the SharePoint server.
  • Persistence: Attackers deploy web shells for persistence.

The Ontinue ATO team verified that attackers are leveraging a tool like ysoserial to create signed, valid payloads by using the leaked ValidationKey values.

What Contributed to This?

  • Improper Deserialization: SharePoint does not safely parse untrusted serialized data.
  • Keys Exposed: Attackers extract cryptographic keys from memory or config.
  • Code Injection: They use the stolen signing key to make SharePoint accept and execute their malicious serialized objects.
  • Chained Vulnerabilities: This is the combination of CVE-2025-53770 and the traversal issue CVE-2025-53771.

Who Is at Risk?

  • U.S. federal and state agencies.
  • Energy and telecommunications providers.
  • Universities and research institutions.
  • Any business using on-premises SharePoint 2016 / 2019 / Subscription Edition.

Key Takeaways from Security Experts

  • CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog.
  • Eye Security scanned over 8,000 servers and found dozens that were actively compromised.
  • The Washington Post confirmed that the exploit had been used against U.S. federal agencies.
  • Experts suspect groups such as Silk Typhoon or Storm-0506 (Black Basta) are behind the attacks.

What Should You Do Now?

Apply Patches

  • Install the Microsoft security patch from July 2025 for SharePoint 2019 and SharePoint Subscription Edition.
  • Microsoft Patch Instructions

Mitigation for SharePoint 2016

  • Disconnect any servers from the internet.

Enable Microsoft Defender Antivirus in addition to the AMSI Integration

  • Turn on Threat Detection Tools
  • Use Microsoft Defender for Endpoint to see if post-exploitation activity has occurred.

Audit Your Exposure

  • Look for odd ViewState activity and unexpected shell files or obfuscated script paths.
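As an added defender-side example (not code from the original post or from any vendor tool), this Python script walks a SharePoint LAYOUTS directory you pass as `root` (an assumed path), and flags script files that are absent from a baseline you maintain from a clean install, were modified after your patch date, or contain web-shell-like content; `demo()` builds a constructed sample tree so it runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

SUSPICIOUS = {  # content heuristics for web-shell-like ASP.NET pages (constructed)
    "reads request input": re.compile(r"Request\s*\[|Request\.(Form|QueryString)", re.I),
    "spawns process": re.compile(r"Process\.Start|ProcessStartInfo", re.I),
    "decodes base64": re.compile(r"FromBase64String\s*\(", re.I),
    "touches machine keys": re.compile(r"MachineKey|ValidationKey|DecryptionKey", re.I),
    "long encoded blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")

def scan_layouts(root, baseline, since):
    """Map relative path -> reasons for script files under root that are not in the
    defender-maintained baseline, were modified after `since` (UTC), or match a heuristic."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in baseline:
                reasons.append("not in baseline")
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime > since:
                reasons.append("modified after patch date")
            with open(full, errors="ignore") as fh:
                content = fh.read()
            reasons += [label for label, pat in SUSPICIOUS.items() if pat.search(content)]
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Constructed sample tree: a week-old baseline page and a fresh, unlisted page that reads input."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "15"))
    pages = {"default.aspx": '<%@ Page Language="C#" %><html>ok</html>',
             "x1.aspx": '<%@ Page Language="C#" %><% var s = Request["x"]; %>'}
    for name, body in pages.items():
        with open(os.path.join(root, "15", name), "w") as fh:
            fh.write(body)
    old = (datetime.now(timezone.utc) - timedelta(days=7)).timestamp()
    os.utime(os.path.join(root, "15", "default.aspx"), (old, old))
    since = datetime.now(timezone.utc) - timedelta(days=1)  # stand-in for your patch date
    return scan_layouts(root, {"15/default.aspx"}, since)
```

Treat every hit as a lead to triage against file hashes from a known-good install, not as proof of compromise on its own.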

Conclusion

The ToolShell exploit is a serious, active, and widespread threat against vulnerable Microsoft SharePoint servers. This exploit doesn’t require any user interaction, and organizations must act quickly to patch systems or isolate those that are exposed.

If you do not respond to this threat, you risk remote command execution, data breaches, and persistent attacker access. Stay protected with professional cyber security services and solutions.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.