Intelligent CISO Issue 89 | Page 33

INTELLIGENT SERVERS

Microsoft SharePoint flaws under active attack from Chinese hack groups

Microsoft has confirmed that three hacking groups tied to China exploited vulnerabilities in on-prem SharePoint servers.
Cybersecurity experts are urging organisations globally to apply emergency patches for Microsoft SharePoint Server after two critical new vulnerabilities, including a severe “zero-day” exploit, were found to be actively targeted by cybercriminals. The flaws can grant attackers full control over compromised systems.

A report by Bitsight that unpicks the vulnerabilities stated: “Compromises associated with CVE-2025-53770 and CVE-2025-53771 have affected an estimated 75–85+ servers globally. The impacted sectors are reported to be Education, Finance, Government, Healthcare, Energy, Telecom, and Enterprise Environments. There are an estimated 9,000 services at risk globally.”
The vulnerabilities, identified as CVE-2025-53770 (known as “ToolShell”) and CVE-2025-53771, pose a significant threat to on-premises Microsoft SharePoint environments. Bitsight Research has rated CVE-2025-53770 at the highest possible severity of 10 out of 10 on its Dynamic Vulnerability Exploit (DVE) scale, indicating extreme urgency. The related flaw, CVE-2025-53771, classified as a Server Spoofing Vulnerability, scores 5.82 out of 10.
The primary concern with CVE-2025-53770 is that it enables remote code execution (RCE). An attacker can run any command or program on a vulnerable server without authenticating, and so gain complete control of it. That access can lead to file manipulation, configuration changes and lateral movement across the network, exposing critical information. Crucially, both vulnerabilities can be exploited remotely simply by sending a specially crafted web request, which makes them highly dangerous, especially for unpatched, Internet-facing systems.
Security researchers have observed threat actors chaining the two CVEs (CVE-2025-53771 and CVE-2025-53770) to bypass the patches issued for two earlier SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706). Attackers have reportedly deployed web shells, stolen the server’s ASP.NET MachineKey secrets, bypassed multi-factor authentication and established persistent access. The MachineKey theft matters because those keys sign and encrypt ViewState: an attacker who holds them can forge valid ViewState payloads and regain code execution even after the server is patched, which is why key rotation is part of the remediation.
In response to the severity and active exploitation of “ToolShell,” CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalogue on 20 July 2025, mandating immediate remediation by federal agencies once a patch was available.
Microsoft has since released emergency security updates for all supported on-premises versions of SharePoint: SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. These patches directly address the RCE and path traversal flaws in the “ToolShell” exploit chain and supersede the earlier updates. SharePoint Online in Microsoft 365 is not affected.
Estimates suggest that between 75 and 85 servers globally have already been compromised by these vulnerabilities across sectors including Education, Finance, Government, Healthcare, Energy, Telecom, and Enterprise Environments, with approximately 9,000 services still at risk worldwide.
Organisations running affected SharePoint Server versions are strongly advised to apply the relevant update immediately:
• SharePoint Server Subscription Edition: KB5002768
• SharePoint Server 2019: KB5002754
• SharePoint Server 2016: KB5002760
Patching alone is not sufficient, because a server may already have been compromised before the update was installed. Organisations should also enable AMSI integration with Microsoft Defender Antivirus, rotate the ASP.NET MachineKey on every server after patching and restart IIS, scan for web shell indicators such as spinstall0.aspx in the SharePoint LAYOUTS directory, and strengthen logging and monitoring for lateral movement.
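The following script is an added example of those post-patch steps on one farm server; it is not code from the article, Bitsight or Microsoft. It assumes an elevated SharePoint Management Shell on a server where the relevant KB is already installed. The spinstall*.aspx file name, the LAYOUTS location and the ToolPane.aspx request pattern with a SignOut.aspx Referer are indicators taken from Microsoft's published customer guidance for CVE-2025-53770; the IIS log directory is the IIS default and may differ on your farm; Update-SPMachineKey is the cmdlet that guidance names, with the Machine Key Rotation timer job in Central Administration as the documented alternative.

```powershell
<#
  Added example (not from the article, Bitsight or Microsoft): hunt for ToolShell
  artefacts and rotate machine keys on a patched SharePoint Server.
  Assumptions: elevated SharePoint Management Shell; default IIS log path;
  indicators (spinstall*.aspx, ToolPane.aspx + SignOut.aspx Referer) from
  Microsoft's published guidance for CVE-2025-53770.
#>
param(
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles',   # IIS default; adjust if relocated
    [switch]$RotateKeys                                 # rotate only when explicitly requested
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Web shell hunt: the ToolShell web shell is dropped into TEMPLATE\LAYOUTS as
#    spinstall0.aspx; match the whole family rather than one file name.
$webRoot = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions'
$shells  = Get-ChildItem -Path $webRoot -Recurse -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue
foreach ($f in $shells) {
    Write-Warning ("Possible web shell: {0} (last write {1:u})" -f $f.FullName, $f.LastWriteTimeUtc)
}

# 2. IIS log hunt: exploitation arrives as a POST to /_layouts/15/ToolPane.aspx
#    with DisplayMode=Edit in the query and a Referer of /_layouts/SignOut.aspx.
#    IIS logs are W3C format: the '#Fields:' header names the space-separated columns.
function Find-ToolShellRequests {
    param([string]$LogFile)
    $fields = @()
    foreach ($line in [System.IO.File]::ReadLines($LogFile)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }     # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem']  -match '/_layouts/1[56]/ToolPane\.aspx$' -and
            $row['cs-uri-query'] -match 'DisplayMode=Edit' -and
            $row['cs(Referer)']  -match '/_layouts/SignOut\.aspx') {
            [pscustomobject]@{
                When   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Status = $row['sc-status']
                Query  = $row['cs-uri-query']
                Log    = $LogFile
            }
        }
    }
}
$hits = Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { Find-ToolShellRequests -LogFile $_.FullName }
if ($hits) { $hits | Format-Table -AutoSize }
else       { Write-Host "No ToolPane.aspx exploitation requests found under $IisLogRoot" }

# 3. Key rotation: a MachineKey copied before the patch still signs valid ViewState,
#    so regenerate the ASP.NET machine key for every web application (Central
#    Administration included) and restart IIS. Repeat on every server in the farm.
if ($RotateKeys) {
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Write-Host "Rotating ASP.NET machine key for $($_.Url)"
        Update-SPMachineKey -WebApplication $_
    }
    iisreset
}
```

Run it once without -RotateKeys to review the findings, then with -RotateKeys on each server once patching is confirmed; any hit from step 1 or step 2 should be treated as a compromise and handled as an incident rather than simply cleaned up, since the attacker may already have the old keys and other persistence.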
www.intelligentciso.com