{"id":3762,"date":"2025-07-24T07:12:38","date_gmt":"2025-07-24T07:12:38","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3762"},"modified":"2025-08-01T05:59:46","modified_gmt":"2025-08-01T05:59:46","slug":"toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\/","title":{"rendered":"ToolShell Zero-day: U.S. CISA urges FCEB Agencies to Fix 2 Microsoft SharePoint Flaws Immediately"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-what-happened\">What Happened?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A new zero-day vulnerability in Microsoft SharePoint Server, known as ToolShell, is being actively exploited.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The flaw, CVE-2025-53770, is classified as critical and has already been exploited in attacks across federal agencies in the U.S., as well as governments in Europe and enterprises in the energy and education sectors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770\">On July 21, Microsoft released an emergency patch<\/a>, but before it could be established whether the patch was sufficient, attackers had already used the first exploit during the proof-of-concept (POC) phase.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This gave an unidentified adversary unauthenticated, remote access to the SharePoint system, potentially allowing control without holding valid credentials and\/or authentication tokens, and\/or theft of the cryptographic key (secret) that would enable long-term persistence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The situation is further cause for alarm, revealing once again how carelessly enterprise software security posture and cryptographic hygiene have developed relative to the resources of traditional and modern threat actors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-toolshell-exploit\">What is the ToolShell Exploit?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The ToolShell exploit is a zero-day attack chain that targets Microsoft SharePoint Server. It abuses a critical deserialization vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53770\">CVE-2025-53770<\/a>) to gain full unauthenticated remote access to on-premises servers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because the attack requires no user interaction, the exploit is effective against enterprise environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ToolShell affects SharePoint 2019 and SharePoint Subscription Edition; it does not affect SharePoint Online (Microsoft 365).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-the-threat-matters\">Why Does the Threat Matter?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVSS Score:<\/strong> 9.8 (Critical)<\/li>\n\n\n\n<li><strong>Vulnerabilities Involved:<\/strong> CVE-2025-53770 and CVE-2025-53771<\/li>\n\n\n\n<li><strong>Attack Type:<\/strong> Remote Code Execution (RCE)<\/li>\n\n\n\n<li><strong>Impact:<\/strong> Full system control, shell access, persistent backdoors<\/li>\n\n\n\n<li><strong>Affected: <\/strong>U.S. 
government, energy companies, universities, and telecoms<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-does-the-toolshell-attack-work\">How Does the ToolShell Attack Work?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Crafted Payload:<\/strong> Attackers craft a malicious .NET ViewState payload.<\/li>\n\n\n\n<li><strong>No Authentication Required:<\/strong> The exploit does not require valid credentials to log in.<\/li>\n\n\n\n<li><strong>Code Execution:<\/strong> The malicious code is executed remotely on the SharePoint server.<\/li>\n\n\n\n<li><strong>Persistence: <\/strong>Attackers deploy web shells for persistence.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The Ontinue ATO team verified that attackers are leveraging a tool like ysoserial to create signed, valid payloads by using the leaked ValidationKey values.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-contributed-to-this\">What Contributed to This?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improper Deserialization:<\/strong> SharePoint does not safely parse untrusted serialized data.<\/li>\n\n\n\n<li><strong>Keys Exposed:<\/strong> Attackers extract cryptographic keys from memory or config.<\/li>\n\n\n\n<li><strong>Code Injection:<\/strong> They use a signing key to make SharePoint accept and execute their malicious objects.<\/li>\n\n\n\n<li><strong>Chained Vulnerabilities:<\/strong> The attack combines CVE-2025-53770 with the traversal issue CVE-2025-53771.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-is-at-risk\">Who Is at Risk?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>U.S. 
federal and state agencies.<\/li>\n\n\n\n<li>Energy and telecommunications providers.<\/li>\n\n\n\n<li>Universities and research institutions.<\/li>\n\n\n\n<li>Any business using on-premises SharePoint 2016 \/ 2019 \/ Subscription Edition.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-key-takeaways-from-security-experts\">Key Takeaways from Security Experts<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/20\/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-catalog\">CISA added CVE-2025-53770<\/a> to its Known Exploited Vulnerabilities (KEV) catalog.<\/li>\n\n\n\n<li><a href=\"https:\/\/research.eye.security\/sharepoint-under-siege\/\">Eye Security scanned over 8,000 servers<\/a> and found dozens that were actively compromised.<\/li>\n\n\n\n<li>The Washington Post confirmed that the exploit had been used against U.S. federal agencies.<\/li>\n\n\n\n<li>Experts suspect that groups like Silk Typhoon or Storm-0506 (Black Basta) are responsible.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-will-you-do-now\">What Should You Do Now?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-apply-patches\">Apply Patches<\/h3>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Install the Microsoft security patch from July 2025 for SharePoint 2019 and SharePoint Subscription Edition.<\/li>\n\n\n\n<li>Microsoft Patch Instructions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-mitigation-for-sharepoint-2016\">Mitigation for SharePoint 2016<\/h3>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Disconnect any servers from the internet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-enable-microsoft-defender-antivirus-in-addition-to-the-amsi-integration\">Enable Microsoft Defender Antivirus in addition to the AMSI Integration<\/h3>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Turn on Threat Detection Tools<\/li>\n\n\n\n<li>Use Microsoft Defender for 
Endpoint to see if post-exploitation activity has occurred.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-audit-your-exposure\">Audit Your Exposure<\/h3>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Look for odd ViewState activity and unexpected shell files or obfuscated script paths.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The ToolShell exploit is a serious, active, and widespread threat against vulnerable Microsoft SharePoint servers. This exploit doesn&#8217;t require any user interaction, and organizations must act quickly to patch systems or isolate those that are exposed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you do not respond to this threat, you risk remote command execution, data breaches, and persistent access for an attacker. Stay protected with <a href=\"https:\/\/certera.com\/services\">professional cyber security services and solutions<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Happened? A new zero-day vulnerability in Microsoft SharePoint Server, known as ToolShell, is being actively exploited. The flaw, CVE-2025-53770, is classified as critical and has already been exploited in attacks across federal agencies in the U.S., as well as governments in Europe and enterprises in the energy and education sectors. 
On July 21,<span class=\"morelink d-block mt-3\"><a href=\"https:\/\/certera.com\/blog\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\/\">Read More<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":3763,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,32],"tags":[726,727,725],"class_list":["post-3762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-breach","category-vulnerability","tag-cve-2025-53770","tag-cve-2025-53771","tag-microsoft-sharepoint-flaws","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>ToolShell Exploited: SharePoint Zero-Day Vulnerability CVE-2025-53770<\/title>\n<meta name=\"description\" content=\"Microsoft has released emergency patches to fix 2 actively exploited zero-day vulnerabilities in Microsoft SharePoint Server.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/certera.com\/blog\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ToolShell Exploited: SharePoint Zero-Day Vulnerability CVE-2025-53770\" \/>\n<meta property=\"og:description\" content=\"Microsoft has released emergency patches to fix 2 actively exploited zero-day vulnerabilities in Microsoft SharePoint Server.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/certera.com\/blog\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\/\" \/>\n<meta property=\"og:site_name\" content=\"EncryptedFence by Certera - Web &amp; Cyber 
Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/certeraLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-24T07:12:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-01T05:59:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/sharepoint-flow-exploited-cve-2025-53770.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"620\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:site\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/\"},\"author\":{\"name\":\"Janki Mehta\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\"},\"headline\":\"ToolShell Zero-day: U.S. 
CISA urges FCEB Agencies to Fix 2 Microsoft SharePoint Flaws Immediately\",\"datePublished\":\"2025-07-24T07:12:38+00:00\",\"dateModified\":\"2025-08-01T05:59:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/\"},\"wordCount\":622,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/sharepoint-flow-exploited-cve-2025-53770.webp\",\"keywords\":[\"CVE-2025-53770\",\"CVE-2025-53771\",\"Microsoft SharePoint flaws\"],\"articleSection\":[\"Data Breach\",\"Vulnerability\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/\",\"name\":\"ToolShell Exploited: SharePoint Zero-Day Vulnerability 
CVE-2025-53770\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/sharepoint-flow-exploited-cve-2025-53770.webp\",\"datePublished\":\"2025-07-24T07:12:38+00:00\",\"dateModified\":\"2025-08-01T05:59:46+00:00\",\"description\":\"Microsoft has released emergency patches to fix 2 actively exploited zero-day vulnerabilities in Microsoft SharePoint Server.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#primaryimage\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/sharepoint-flow-exploited-cve-2025-53770.webp\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/sharepoint-flow-exploited-cve-2025-53770.webp\",\"width\":960,\"height\":620,\"caption\":\"SharePoint Vulnerability 
(CVE-2025-53770)\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/toolshell-zero-day-us-cisa-urges-fceb-agencies-to-fix-2-microsoft-sharepoint-flaws-immediately\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/certera.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ToolShell Zero-day: U.S. CISA urges FCEB Agencies to Fix 2 Microsoft SharePoint Flaws Immediately\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"name\":\"EncryptedFence by Certera - Web & Cyber Security Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"alternateName\":\"Certera's EncryptedFence Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/certera.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\",\"name\":\"Certera\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"caption\":\"Certera\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/certeraLLC\\\/\",\"https:\\\/\\\/x.com\\\/certera_llc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/certera-llc\\\/\"]},{\"@type\":\"Pers
on\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\",\"name\":\"Janki Mehta\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"caption\":\"Janki Mehta\"},\"description\":\"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\\\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.\",\"sameAs\":[\"https:\\\/\\\/certerassl.com\\\/\"],\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/author\\\/certerabguser\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/comments?post=3762"}],"version-history":[{"count":4,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3762\/revisions"}],"predecessor-version":[{"id":3802,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3762\/revisions\/3802"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media\/3763"}],"wp:attachment":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media?parent=3762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/categories?post=3762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/tags?post=3762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}