A Microsoft SharePoint 0-Day Security Vulnerability Was Just Weaponized At Scale
The vulnerability in question affects SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016. Thankfully, the cloud service SharePoint Online in Microsoft 365 is unaffected. The exploit in question is actually a chaining of related vulnerabilities, starting with letting an authenticated user spoof their identity, then using that to post a carefully crafted HTTP request to a SharePoint URL, then extracting the SharePoint machine authentication keys. From that point on, it's pretty much free rein.

The first exploit chain is called ToolShell, found by Code White GmbH, comprising CVE-2025-49704 and CVE-2025-49706. According to the detailed account by Eye Security, at the time those vulnerabilities were just a proof-of-concept, but eventually the team found signs of active exploitation on a particular server. They then scanned over 8,000 machines and found "dozens" of compromised installations, concluding that there were already active exploits in the wild.
Thankfully, the vulnerabilities have already been patched. Microsoft rolled up the vulnerabilities under the umbrella of CVE-2025-53771 and published a detailed advisory for patching and mitigation. The summary is, predictably, that administrators should install the latest patches, including the July 2025 security updates, enable the Antimalware Scan Interface (AMSI) with an accompanying security suite (Microsoft Defender or other), and deploy Defender for Endpoint protection or an equivalent. Very importantly, you need to rotate the SharePoint Server ASP.NET machine keys, since on any exposed server those are presumed to be stolen already: patching alone does nothing about keys an attacker has already extracted.
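The key-rotation step is the one most easily skipped, so here is what it looks like scripted for a whole farm. This is an added example, not code from the article or from Microsoft's advisory; it assumes the SharePoint Management Shell is available on the server and that the `Update-SPMachineKey` cmdlet exists on the installed build (SharePoint Server 2019 and Subscription Edition ship it; on a build that lacks it, the script stops and you rotate keys through Central Administration instead).

```powershell
# Added example (not from the article or the advisory): rotate the ASP.NET
# machine keys of every content web application in a SharePoint farm, report
# what happened per web application, then restart IIS so the new keys are
# actually loaded. Run from an elevated SharePoint Management Shell on one
# server in the farm, after the July 2025 security updates are installed.
# Assumption: Update-SPMachineKey is present on this build.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available on this build; rotate the keys via Central Administration instead."
}

# Rotate per web application and keep a record; a single failure must not
# silently leave one application running on keys that are presumed stolen.
$results = foreach ($wa in Get-SPWebApplication) {
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = $true;  Error = $null }
    }
    catch {
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Rotated })
if ($failed.Count -gt 0) {
    Write-Warning ("Key rotation failed for {0} web application(s); fix those before considering the farm clean." -f $failed.Count)
}

# ASP.NET reads the machine key at worker-process start, so the rotation is
# not effective until IIS is restarted. Repeat the restart on every
# front-end server in the farm, not only the one running this script.
iisreset.exe
```

Run it once per farm (the rotation is written to the configuration database and pushed to each server's web.config), but restart IIS on every front-end, because a server whose worker processes are still running on the old keys is still exposed to anyone holding them.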