Microsoft logo on building showing SharePoint zero-day vulnerability

Microsoft Releases Emergency Updates Amid Active Exploitation of SharePoint Zero-Day Vulnerability Chain

Tech giant Microsoft has released security patches for the zero-day vulnerability chain dubbed ToolShell, capable of remote code execution on SharePoint.

Announced during the Berlin Pwn2Own conference, ToolShell chains two vulnerabilities: the critical-severity CVE-2025-53770 (CVSS 9.8) and the medium-severity CVE-2025-53771 (CVSS 6.5).

CVE-2025-53770 appears to be related to CVE-2025-49704 (CVSS 8.8), a high-severity vulnerability that was previously patched on July Patch Tuesday.

Eye Security states that attackers first exploit CVE-2025-49706, which ZDI describes as an authentication bypass vulnerability, to post a remote code execution payload that then exploits CVE-2025-49704.

The payload steals the MachineKey configuration, including the ValidationKey and DecryptionKey, which the attackers then use for persistence and lateral movement.

Besides code injection, the vulnerability chain allows threat actors to deserialize untrusted data and execute commands without authenticating.

“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” reads Microsoft’s security advisory.

Emergency updates for the SharePoint zero-day vulnerability

The security flaws were previously patched on July Patch Tuesday, but threat actors discovered how to bypass those fixes, resulting in the exploitation of at least 54 organizations worldwide.

“The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected,” stated Satnam Narang, Sr. Staff Research Engineer at Tenable.

Targeted organizations include multinational companies and government entities. Although the motive of the attacks remains unknown, cyber espionage by state-linked threat actors is the most likely explanation.

The tech giant acknowledged the exploitation of the zero-day vulnerability chain affecting on-premises SharePoint Server installations. SharePoint Online in Microsoft 365 tenants, however, is not affected.

The exploitation of the zero-day vulnerability chain prompted the Windows maker to release security updates for Microsoft SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016 for both CVE-2025-53770 and CVE-2025-53771.

These are cumulative updates, meaning that if previous updates for the zero-day vulnerability chain were not installed, there is no need to install them first. However, for SharePoint 2016 and 2019, both updates (for CVE-2025-53770 and CVE-2025-53771) should be installed.

“Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706,” writes the Windows maker.

After installing the emergency updates, system administrators should also rotate the SharePoint machine keys manually via PowerShell or Central Administration, as keys stolen before patching could be used to facilitate further attacks.
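The PowerShell form of that rotation step, as an added example rather than the article's or Microsoft's own script; it assumes the SharePoint Management Shell cmdlets Get-SPWebApplication and Update-SPMachineKey are available on the farm server it is run on, and that iisreset.exe is used for the restart:

```powershell
# Added example: rotate the ASP.NET machine keys of every SharePoint web application
# after the emergency update is installed, then restart IIS so the new keys take effect.
# Run from an elevated SharePoint Management Shell on one server in the farm.
# Assumption: the Get-SPWebApplication and Update-SPMachineKey cmdlets that ship with
# SharePoint 2016/2019/Subscription Edition are present.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration so its keys are rotated as well, not only content sites.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    # Generates a fresh validationKey/decryptionKey pair for this web application and
    # pushes it to every server in the farm, invalidating any keys stolen earlier.
    Update-SPMachineKey -WebApplication $webApp
}

# Worker processes keep the old keys in memory until they restart. Run this on every
# SharePoint server in the farm, not only the one the script ran on.
iisreset.exe
```

Rotation only closes the door for keys stolen before the patch; it does not remove web shells or other persistence already dropped, which is why the log review that follows still matters.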

“Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey,” further explained Narang. “These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution.”

System admins should also analyze logs for attempted exploitation and respond accordingly. Microsoft also advises customers who are unable to patch their SharePoint servers to configure the Antimalware Scan Interface (AMSI) integration and install Microsoft Defender Antivirus on all SharePoint servers.

Organizations that cannot implement these mitigations should disconnect on-premises SharePoint Servers from the internet to avoid exploitation.

“First, organizations should immediately remove these potentially affected servers from public internet access until they can confirm that all servers are either patched and/or not compromised,” urged Steve Cobb, CISO at SecurityScorecard.

Meanwhile, Microsoft promises that it is working on a comprehensive security update for the zero-day vulnerability chain.

Active exploitation of zero-day vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has also acknowledged the exploitation of the zero-day vulnerability chain in the wild.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” said Acting Executive Assistant Director for Cybersecurity, Chris Butera.

The agency commended Microsoft for its prompt response and urged organizations to implement the recommended mitigations to prevent further attacks exploiting the zero-day vulnerability chain.

“CISA has confirmed that hackers are actively exploiting a newly discovered vulnerability (CVE-2025-53770), dubbed ‘ToolShell’ in on-premises SharePoint servers,” noted Cobb. “This is a critical zero-day issue, meaning the vendor, Microsoft, had ‘zero days’ to fix it before attackers started using it.”