  • Hackers actively exploiting unpatched Microsoft SharePoint vulnerability CVE-2025-53770


    Karlston

    • 743 views
    • 2 minutes

    Over the past weekend, numerous cybersecurity agencies reported new attacks against on-premises SharePoint Server customers that exploit unpatched vulnerabilities. CVE-2025-53770, also referred to as ToolShell, enables attackers to gain control of SharePoint servers without authentication.

     

    Microsoft is aware of these active attacks and announced that these issues are partially addressed by the July Security Update. It is important to note that these vulnerabilities affect only on-premises SharePoint Servers. Microsoft specifically highlighted that SharePoint Online in Microsoft 365 is not impacted.

     

    Customers can download the July Security Update for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019 using the following links:

     

     

    While Microsoft works on a hotfix that addresses this vulnerability completely, customers can take the following steps to mitigate the issue:

     

    • Use supported versions of on-premises SharePoint Server.
    • Apply the latest security updates, including the July 2025 Security Update.
    • Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Microsoft Defender Antivirus.
    • Deploy Microsoft Defender for Endpoint protection or an equivalent endpoint threat solution.
    • Rotate SharePoint Server ASP.NET machine keys.

     

    Microsoft also noted that Microsoft Defender Antivirus can already detect if a server is affected by this vulnerability. Customers can find these threats under the following detection names:

     

    • Exploit:Script/SuspSignoutReq.A
    • Trojan:Win32/HijackSharePointServer.A

     

    "Our team scanned 8000+ SharePoint servers worldwide. We discovered dozens of systems actively compromised, probably on July 18th around 18:00 UTC and July 19th around 07:30 UTC," wrote the cybersecurity research firm, Eye.
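For fleet triage, the two detection names and the two time windows above can be matched against exported antivirus detections. The following is an added example, not code from Microsoft, Eye or the original post; the CSV column layout, the host names, the 3-hour tolerance and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Detection names quoted in the article.
DETECTIONS = {"Exploit:Script/SuspSignoutReq.A", "Trojan:Win32/HijackSharePointServer.A"}
# Approximate compromise times reported by Eye (UTC), from the article.
WAVES = [datetime(2025, 7, 18, 18, 0, tzinfo=timezone.utc),
         datetime(2025, 7, 19, 7, 30, tzinfo=timezone.utc)]
TOLERANCE = timedelta(hours=3)  # assumption: how close counts as "around"

# Constructed sample export; the column layout is an assumption, not a Defender format.
SAMPLE_CSV = """time,host,threat_name
2025-07-18T20:05:11+02:00,SP-APP01,Exploit:Script/SuspSignoutReq.A
2025-07-19T07:41:52Z,SP-APP01,Trojan:Win32/HijackSharePointServer.A
2025-07-19T09:12:00Z,SP-WFE02,exploit:script/suspsignoutreq.a
2025-07-20T03:00:00Z,SP-WFE03,Trojan:Win32/Unrelated.Sample
2025-07-21T11:30:00+10:00,SP-WFE04,Exploit:Script/SuspSignoutReq.A
not-a-time,SP-WFE05,Exploit:Script/SuspSignoutReq.A
"""

def triage(csv_text):
    """Return {host: {"names": set, "first_seen": datetime or None, "near_wave": bool}}."""
    wanted = {n.lower(): n for n in DETECTIONS}
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = wanted.get((row.get("threat_name") or "").strip().lower())
        if name is None:
            continue  # unrelated detection
        try:
            ts = datetime.fromisoformat(row["time"].strip().replace("Z", "+00:00"))
        except ValueError:
            ts = None  # keep the hit even when the timestamp is unusable
        if ts is not None:
            if ts.tzinfo is None:
                ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
            ts = ts.astimezone(timezone.utc)  # compare everything in UTC
        entry = hosts.setdefault(row["host"].strip(),
                                 {"names": set(), "first_seen": None, "near_wave": False})
        entry["names"].add(name)
        if ts is not None:
            if entry["first_seen"] is None or ts < entry["first_seen"]:
                entry["first_seen"] = ts
            entry["near_wave"] |= any(abs(ts - w) <= TOLERANCE for w in WAVES)
    return hosts

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_CSV).items()):
        print(host, sorted(info["names"]), info["first_seen"], info["near_wave"])
```

A host with either detection name needs investigation whether or not its timestamp falls near the reported windows; the `near_wave` flag only helps order the queue.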

     

    Given the active exploitation of this vulnerability, it is crucial for all on-premises SharePoint administrators to apply the latest security updates and implement the recommended mitigation steps immediately.

     

    Source


    Hope you enjoyed this news post.

    Posted Monday 21 July 2025 at 5:45 pm AEST (my time).
