CVE-2025-53770, also known as ToolShell, is already being actively exploited in the wild, and both government and enterprise targets are under attack.
The Australian Signals Directorate’s Australian Cyber Security Centre has released an “act now” critical alert regarding a vulnerability in Microsoft Office SharePoint Server products.
The bug – officially CVE-2025-53770, but also known publicly as ToolShell – is a variant of the previously disclosed vulnerability CVE-2025-49706.
Exploitation of this vulnerability enables the “deserialisation of untrusted data in on-premises Microsoft SharePoint Servers,” which in turn could lead to remote code execution and full access to SharePoint content.
The US Cybersecurity and Infrastructure Security Agency (CISA) also circulated guidance on the active exploitation of the vulnerability.
“For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706,” CISA said in a 21 July update.
“Organisations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.”
Benjamin Harris, CEO of cyber security firm watchTowr, said his firm was actively tracking exploitation of the vulnerability as of the time of writing.
“We are currently tracking active, global exploitation of a zero-day vulnerability in on-premise Microsoft SharePoint, now designated CVE-2025-53770. While Microsoft have released emergency guidance, there is no patch available at this time,” Harris said.
“All signs point to widespread, mass exploitation – with compromised government, technology, and enterprise systems observed globally. Attackers are deploying persistent backdoors, and notably, are taking a more sophisticated route than usual: the backdoor retrieves SharePoint’s internal cryptographic keys – specifically the MachineKey used to secure the __VIEWSTATE parameter.”
__VIEWSTATE is a core ASP.NET mechanism: it carries a page's state from one request to the next, and the MachineKey is what the server uses to check that the state it gets back is the state it issued.
“With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid – enabling seamless remote code execution,” Harris said.
“This approach makes remediation particularly difficult – a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organisations vulnerable even after they patch. In this case, Microsoft will likely need to recommend additional steps to remediate the vulnerability and any compromise post-response.”
According to Harris, any internet-facing SharePoint instance should be assumed to be compromised “until proven otherwise”.
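Why a patch alone does not close the hole Harris describes: the server accepts any __VIEWSTATE blob whose MAC checks out under the current key, so whoever holds the leaked key can mint blobs the server treats as its own until the key is rotated. The following is an added, deliberately simplified model of MAC-protected ViewState (HMAC-SHA256 over the serialised state, not ASP.NET's real encoding or the article's code), with constructed keys and state, showing that minted blobs validate before rotation and fail after it.

```python
import base64
import hashlib
import hmac
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_viewstate(validation_key: bytes, state: bytes) -> str:
    """Model of the server issuing a MAC-protected __VIEWSTATE: state || HMAC(key, state), base64."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def validate_viewstate(validation_key: bytes, blob: str) -> Optional[bytes]:
    """Model of the server checking an incoming blob; returns the state only if the MAC verifies."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def rotation_demo() -> dict:
    """Constructed scenario: the validation key leaks, then the operator rotates it."""
    old_key = hashlib.sha256(b"constructed-old-machinekey").digest()  # constructed, not a real key
    new_key = hashlib.sha256(b"constructed-new-machinekey").digest()  # constructed replacement
    state = b"<constructed serialised page state>"

    legit = sign_viewstate(old_key, state)
    # A blob produced by anyone holding old_key is indistinguishable from a server-issued one.
    minted_with_leaked_key = sign_viewstate(old_key, b"<state chosen by whoever holds the key>")
    # Tampering WITHOUT the key: flip one bit of the state and keep the old MAC.
    raw = base64.b64decode(legit)
    tampered = base64.b64encode(bytes([raw[0] ^ 0x01]) + raw[1:]).decode()

    return {
        "legit_accepted_before_rotation": validate_viewstate(old_key, legit) == state,
        "minted_blob_accepted_before_rotation": validate_viewstate(old_key, minted_with_leaked_key) is not None,
        "tampered_rejected": validate_viewstate(old_key, tampered) is None,
        # Rotating the key is what actually invalidates blobs minted with the stolen one.
        "minted_blob_rejected_after_rotation": validate_viewstate(new_key, minted_with_leaked_key) is None,
        "legit_rejected_after_rotation": validate_viewstate(new_key, legit) is None,
    }
```

The last line of the result is the operational cost of rotation: in-flight ViewState issued under the old key stops validating too, which is why it is done as a coordinated step rather than silently by a patch.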
While Microsoft is working on a security update to address CVE-2025-53770, it has the following advice to mitigate attacks:
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.