This weekend, Microsoft confirmed that sophisticated threat actors are exploiting a previously unknown (“zero-day”) vulnerability, CVE-2025-53770 (together with the related CVE-2025-53771), in on-premises SharePoint Server (2016, 2019 and Subscription Edition). The underlying exploit chain, later nicknamed “ToolShell”, was first demonstrated at the Pwn2Own Berlin contest in mid-May; active attack campaigns began around July 18, 2025, compromising dozens of confirmed SharePoint installations, with potentially 10,000+ exposed servers, across the government, healthcare, energy, telecom, and higher-education sectors.
What Is This Exploit?
- Vulnerability Chain: CVE-2025-53771 bypasses authentication and CVE-2025-53770 deserializes attacker-controlled data, giving unauthenticated remote code execution (RCE) as the IIS application pool account, and with it control over the file system, configuration, and internal services.
- Persistence Mechanism: With code execution in hand, attackers steal the server’s ASP.NET machine key (the ValidationKey and DecryptionKey used to sign and encrypt __VIEWSTATE) and plant web shells. A stolen ValidationKey lets them forge signed payloads the server accepts as legitimate, so the backdoor survives patching and reboots.
- Scope: Only on-prem SharePoint Server is affected; SharePoint Online in Microsoft 365 is not impacted.
How “ToolShell” Works
Authentication Bypass & RCE
An attacker sends a single crafted, unauthenticated HTTP request: CVE-2025-53771 gets it past authentication and CVE-2025-53770 deserializes the attacker-controlled data in the request body, executing code as the IIS application pool account.
Key Theft & Backdoor Implantation
Post-exploit, attackers dump the ASP.NET machine key (ValidationKey and DecryptionKey) and drop an .aspx web shell into the SharePoint LAYOUTS directory.
Covert Persistence
Whoever holds the ValidationKey can sign arbitrary serialized __VIEWSTATE payloads, so access remains even after patching unless the keys are rotated, the shells removed, and credentials reset.
What You Need to Do
If you manage an on-premises SharePoint Server (2016, 2019, or Subscription Edition), you must act right now. Attackers are exploiting a new zero-day vulnerability chain, CVE-2025-53770 and CVE-2025-53771, nicknamed ToolShell, to gain full remote code execution, steal documents, credentials, and cryptographic keys, and implant persistent backdoors.
Emergency Security Review
Secure Your Houston SMB Before It’s Too Late
Think you might already be under attack? Our experts will perform a deep-dive into your SharePoint environment (patch validation, log analysis, and forensic triage) to uncover any active compromise before it’s too late.
Why You Need to Act Immediately
- Exploit in the Wild: Active attacks began July 18, 2025, hitting the government, healthcare, education, energy, and telecom sectors.
- High Severity: Unauthenticated attackers can bypass authentication and execute arbitrary code.
- Persistent Backdoor: Even after patching, stolen machine keys let attackers forge __VIEWSTATE payloads and keep their access.
- Scale of Risk: More than 10,000 internet-exposed servers are at risk.
What You Need to Do: 6 Critical Steps
Apply Emergency Patches Now
2019 & Subscription Edition: Install the July 20 updates KB5002754 and KB5002768 (one per edition; apply the one for your version).
2016: Watch for Microsoft’s upcoming patch and schedule it immediately upon release.
Isolate Vulnerable Servers
Disconnect from the Internet if you cannot patch right away.
Lock down network access with strict firewall rules and VLAN segmentation.
Rotate All Cryptographic Keys & Credentials
Assume any internet-accessible server that ran unpatched after July 18 was compromised.
Rotate the ASP.NET machine keys (the ValidationKey/DecryptionKey that protect __VIEWSTATE) only after patching, then restart IIS on every server in the farm; also reset farm and service account passwords and any other credentials stored on the server (SSH keys, API tokens).
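The key-rotation step above, as an added example that is not part of the original ECS post: it rotates the ASP.NET machine key of every SharePoint web application (Central Administration included) with the Update-SPMachineKey cmdlet and then restarts IIS on every SharePoint server, which is the procedure in Microsoft’s CVE-2025-53770 guidance. It assumes you run it in the SharePoint Management Shell as a farm administrator, that the security update is already installed (keys rotated on an unpatched server can simply be stolen again), and that WinRM is enabled between the farm servers for the remote iisreset.

```powershell
# Added example (not from the original post): rotate SharePoint's ASP.NET machine
# keys after patching, then restart IIS on every SharePoint server in the farm.
# Assumes: SharePoint Management Shell, farm admin rights, patch already applied,
# WinRM enabled between farm servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Give every web application a fresh ValidationKey/DecryptionKey. Any key an
#    attacker dumped before this point can no longer sign __VIEWSTATE payloads.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $webApps) {
    Write-Host ("Rotating machine key for {0}" -f $app.Url)
    Update-SPMachineKey -WebApplication $app
}

# 2. The new keys are pushed to each server's web.config but only take effect when
#    the IIS worker processes reload, so restart IIS on every SharePoint server.
#    Get-SPServer reports Role 'Invalid' for the SQL server, which has no IIS to reset.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($srv in $spServers) {
    Write-Host ("Restarting IIS on {0}" -f $srv.Address)
    Invoke-Command -ComputerName $srv.Address -ScriptBlock { iisreset.exe }
}

# 3. Rotation does not remove a web shell that is already on disk and does not
#    change any passwords: delete unknown .aspx files in the LAYOUTS directory and
#    reset the farm and application pool service accounts as separate steps.
```

Run it once from any server in the farm; the cmdlet updates the farm configuration, and the per-server restart is what makes the new keys live. Until the restart completes, a worker process still holding the old keys will still accept payloads signed with them.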
Deploy Continuous Monitoring & Runtime Protection
Enable SharePoint’s AMSI integration and Microsoft Defender Antivirus on every SharePoint server.
Deploy an EDR solution (such as Microsoft Defender for Endpoint) that flags web shells written to the LAYOUTS directory and w3wp.exe spawning cmd.exe or powershell.exe.
Conduct a Full Security Audit
Scan for indicators of compromise (IoCs): unknown .aspx files in the SharePoint LAYOUTS directory, unusual account activity, and encoded PowerShell commands launched by w3wp.exe.
Review IIS logs from July 15 onward for POST requests to /_layouts/15/ToolPane.aspx (especially with a Referer of /_layouts/SignOut.aspx, the authentication-bypass signature) and for requests to .aspx files you never deployed.
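The log review and web-shell check above, as an added example that is not part of the original ECS post: the script parses IIS W3C log lines using their own #Fields header, flags the two published ToolShell indicators (a POST to ToolPane.aspx with a SignOut.aspx Referer, as reported by Eye Security and Microsoft, and any request to the spinstall0.aspx web shell Microsoft observed being dropped), and lists suspicious .aspx files in the LAYOUTS folder. The log path, the LAYOUTS path and the three sample log lines are constructed for the demo and are assumptions, not real traffic.

```powershell
# Added example (not from the original post): hunt IIS logs and the LAYOUTS folder
# for the ToolShell indicators published by Microsoft and Eye Security.
# Sample log lines below are constructed; the file paths are assumed defaults.

function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    $hits   = @()
    foreach ($line in $Lines) {
        # IIS W3C logs carry a '#Fields:' header naming the columns of the lines that follow.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        # IIS replaces spaces inside User-Agent/Referer with '+', so whitespace splitting is safe.
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $toolPanePost = ($row['cs-method'] -eq 'POST') -and ($row['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$')
        $signOutRef   = $row['cs(Referer)'] -match '/_layouts/(15/)?SignOut\.aspx'
        $shellRequest = $row['cs-uri-stem'] -match '/spinstall\d*\.aspx$'

        $reason = $null
        if ($toolPanePost -and $signOutRef) { $reason = 'POST to ToolPane.aspx with SignOut.aspx referer (auth bypass)' }
        elseif ($shellRequest)              { $reason = 'request to spinstall web shell' }
        if (-not $reason) { continue }

        $hits += [pscustomobject]@{
            Time     = '{0} {1}' -f $row['date'], $row['time']
            ClientIP = $row['c-ip']
            Method   = $row['cs-method']
            Uri      = $row['cs-uri-stem']
            Status   = $row['sc-status']
            Reason   = $reason
        }
    }
    return $hits
}

function Find-DroppedShells {
    # Hive 16 LAYOUTS folder is where spinstall0.aspx was written in the observed attacks.
    # Default install path assumed; pass -Layouts if yours differs.
    param([string]$Layouts = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'))
    # Known shell names plus any .aspx modified since the attack window started. The July
    # security update also rewrites some files here, so review this list rather than deleting blindly.
    Get-ChildItem -Path $Layouts -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^spinstall\d*\.aspx$' -or $_.LastWriteTime -ge (Get-Date '2025-07-15') } |
        Select-Object FullName, LastWriteTime
}

# Constructed sample: one bypass POST, one shell fetch, one ordinary user request.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:13:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/_layouts/SignOut.aspx 200 0 0 345
2025-07-18 21:13:07 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2025-07-18 21:15:00 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CONTOSO\jdoe 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/sites/hr 200 0 0 80
'@
Find-ToolShellRequests -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Real run on a server (log directory assumed to be the IIS default):
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\u_ex2507*.log' |
#     ForEach-Object { Find-ToolShellRequests -Lines (Get-Content $_.FullName) }
# Find-DroppedShells
```

The sample run reports the first two lines and ignores the third. A hit on the ToolPane/SignOut pattern with status 200 means the bypass reached the server; the patch changes that response, so a 200 after patching deserves a second look at whether the update actually installed.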
Plan for Cloud Migration
Evaluate moving to SharePoint Online (Microsoft 365), where Microsoft manages patches and runtime defenses for you.
Work with ECS to design a secure, phased migration that minimizes downtime.
Summary
| Aspect | Details |
|---|---|
| Timeline | Exploit chain publicly demonstrated May 2025; active attacks began July 18, 2025. |
| Affected | SharePoint Server 2016, 2019, Subscription Edition (on-prem) |
| Risk | Full RCE → theft of documents, credentials, cryptographic keys → persistent backdoors. |
| Scale | Dozens confirmed breached; up to 10,000+ servers at risk. |
| Patch Status | Microsoft released KB5002754 & KB5002768 for 2019/Subscription Edition on July 20, 2025; 2016 patch pending. |
| Mitigation | Emergency patching, key rotation, isolation, runtime defenses, thorough audit, consider cloud migration. |
Free Zero-Day IT Consultation
Unsure which servers in your network are exposed? Chat with us—no strings attached. Know your risk, then act with confidence.
Frequently Asked Questions (FAQ)
Q: Is SharePoint Online affected?
A: No. Only on-premises SharePoint Server installations are vulnerable—SharePoint Online in Microsoft 365 is not impacted.
Q: What if I can’t patch immediately?
A: Disconnect vulnerable servers from the internet, isolate them on a secured VLAN, and rotate credentials. Then apply patches as soon as they’re available.
Q: How do I know if I’ve been breached?
A: Look for unexpected .aspx files in the SharePoint LAYOUTS directory, POST requests to ToolPane.aspx in your IIS logs, w3wp.exe launching PowerShell or cmd.exe, or unauthorized administrative logins. ECS can perform a forensic audit to confirm.
Q: What makes this a “zero-day”?
A: The original ToolShell chain was demonstrated at Pwn2Own in mid-May and Microsoft fixed it in its July 8 security update. CVE-2025-53770 and CVE-2025-53771 bypass those fixes, and attackers began exploiting them on July 18, before any patch for the bypass existed, which is what makes them zero-days.
Why Choose ECS for Your Emergency Response
- 24/7 Incident Response: Rapid containment, forensic analysis, and remediation.
- Expert Patch Management: We’ll verify updates and validate configuration across your SharePoint farm.
- Proactive Threat Hunting: Continuous monitoring for spoofing, deserialization attempts, and web-shell indicators.
- Strategic Risk Reduction: Guidance on network segmentation, least-privilege policies, and cloud adoption.
- Comprehensive Reporting: Executive-level summaries and detailed technical findings to satisfy auditors and stakeholders.
At Expert Computer Solutions (ECS), we specialize in helping Houston businesses in healthcare, private equity, oil and gas, manufacturing and professional services industries secure their IT environments. For over 20 years, ECS has supported growth-minded organizations with managed IT services, compliance support, and proactive cybersecurity.
Ready to secure your SharePoint Server?
Contact ECS within the next 24 hours for an emergency security review and step-by-step action plan. Don’t wait until it’s too late. Protect your data, reputation, and bottom line now.
📅 Book your FREE IT Consultation now and get a tailored upgrade plan and protect your data.
Cloud Migration Roadmap
Move Your Data Into The Cloud
Ready to leave on-prem risk behind? We’ll craft a tailored plan to migrate your SharePoint workloads into Microsoft 365—phased, secure, and with zero downtime. Future-proof your collaboration today.
No strings. Just clarity and confidence.