Emergency Patch Released for New Microsoft SharePoint Exploit

Key Takeaways

1. Microsoft issued an urgent security update for on-premises SharePoint Server to fix “CVE-2025-53770” and “CVE-2025-53771”, the vulnerabilities exploited in the “ToolShell” attacks.
2. No update is yet available for SharePoint 2016, though Microsoft says one is in progress; administrators should apply KB5002754 on SharePoint 2019 and KB5002768 on SharePoint Subscription Edition.
3. “CVE-2025-53770” allows unauthenticated remote code execution, carries a CVSS v3 score of 9.8 and is being exploited in the wild.
4. Attackers are targeting internet-facing SharePoint servers; at least two intrusions have been linked to the threat groups “Silk Typhoon” and “Storm-0506”.
5. Recommendations are to enable the Antimalware Scan Interface (AMSI) integration and Microsoft Defender Antivirus on every SharePoint server, and to disconnect servers from the internet where AMSI cannot be enabled.


Microsoft has issued an urgent security update to address the “ToolShell” attacks hitting on-premises SharePoint servers worldwide. The updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 resolve two vulnerabilities tracked as “CVE-2025-53770” and “CVE-2025-53771”.

SharePoint 2016 Status

At the time of writing there is no update for SharePoint 2016; Microsoft has stated that it is actively working on one. For the supported versions, administrators should install the KB5002754 update on SharePoint 2019 and the KB5002768 update on SharePoint Subscription Edition, on every server in the farm.

Vulnerabilities and Exploits

“CVE-2025-53770”, a deserialization of untrusted data flaw, allows remote execution of arbitrary code on the server without any authentication. It carries a CVSS v3 score of 9.8 and is being exploited in the wild; “CVE-2025-53771” is a companion spoofing flaw chained with it in the ToolShell attacks.

The attackers focus on internet-facing SharePoint servers. At least two intrusions have been linked to the threat groups “Silk Typhoon” and “Storm-0506”, both known for targeting enterprise servers.

Impact and Recommendations

The exploit lets an attacker read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey) and use them to forge signed requests and impersonate users. Because stolen keys stay valid after a reboot and even after the patch is installed, patching alone is not enough: the machine keys must be rotated and IIS restarted on every server afterwards. SharePoint Online in Microsoft 365 is not affected; only on-premises SharePoint Server is.

Security analysts at Eye Security first detected the attacks exploiting these vulnerabilities on July 18th. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a recommendation to enable the Antimalware Scan Interface (AMSI) integration and Microsoft Defender Antivirus on all SharePoint servers.

Where AMSI cannot be enabled, the recommendation is to disconnect the affected servers from the internet immediately until a fix can be applied.
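The stolen-key problem described above means the post-patch steps have an order: the update goes on every server in the farm first, then the machine keys are rotated, then IIS is restarted so the worker processes pick up the new keys. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes it is run in the SharePoint Management Shell on a SharePoint 2019 or Subscription Edition server with farm-administrator rights and WinRM access to the other servers in the farm; the -MinimumBuild value is a placeholder to be replaced with the patched build number from the relevant KB article, and matching the rotation timer job by its display name is the author's assumption.

```powershell
# Post-patch check and machine key rotation for an on-premises SharePoint farm.
# Added example, not from the original article or from Microsoft.
# Assumptions: SharePoint Management Shell, farm-administrator rights, WinRM to the
# other farm servers. -MinimumBuild is a placeholder: take the patched build number
# from the KB article for your product (KB5002754 for 2019, KB5002768 for SE).
param(
    [Version]$MinimumBuild = "16.0.0.0",   # placeholder, see note above
    [int]$RotationTimeoutSeconds = 600
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Every SharePoint server must carry the patched build before keys are rotated;
#    an unpatched node would keep accepting forged requests with the new keys.
$farmBuild = (Get-SPFarm).BuildVersion
$servers   = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }   # "Invalid" = database servers
Write-Host "Farm build: $farmBuild"
if ($farmBuild -lt $MinimumBuild) {
    Write-Warning "Farm build $farmBuild is below the expected patched build $MinimumBuild. Install the update on every server first."
    return
}
foreach ($server in $servers) {
    # NeedsUpgrade flags a node where the update is installed but psconfig has not run.
    Write-Host ("  {0,-30} status: {1,-8} needs upgrade: {2}" -f $server.Address, $server.Status, $server.NeedsUpgrade)
    if ($server.NeedsUpgrade) {
        Write-Warning "$($server.Address) still needs the configuration wizard (psconfig) before keys are rotated."
        return
    }
}

# 2. Rotate the ASP.NET machine keys. The exploit reads ValidationKey/DecryptionKey,
#    and a stolen key keeps working after patching until it is rotated.
$jobs = Get-SPTimerJob | Where-Object { $_.DisplayName -like "*Machine Key Rotation*" }
if (-not $jobs) {
    Write-Warning "No 'Machine Key Rotation' timer job found; rotate the keys from Central Administration instead."
    return
}
foreach ($job in $jobs) {
    $before = $job.LastRunTime
    $job | Start-SPTimerJob
    $deadline = (Get-Date).AddSeconds($RotationTimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $current = Get-SPTimerJob -Identity $job.Id   # re-read so LastRunTime is fresh
    } until ($current.LastRunTime -gt $before -or (Get-Date) -gt $deadline)
    if ($current.LastRunTime -le $before) {
        Write-Warning "Timer job '$($job.DisplayName)' did not finish within $RotationTimeoutSeconds seconds; do not skip the IIS restart once it completes."
        return
    }
    Write-Host "Rotated: $($job.DisplayName) at $($current.LastRunTime)"
}

# 3. Restart IIS on every SharePoint server so the worker processes load the new keys.
#    Done last and farm-wide: a node still running with the old keys accepts old forgeries.
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}
```

The script stops at the first node that is unpatched or still needs the configuration wizard, since rotating keys on a partially patched farm gives a false sense of safety. AMSI and Defender status are not checked here; confirm those separately in Central Administration, as the article's recommendation describes.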

Source:
Link
