Cybercriminals Targeting Unfixed Microsoft SharePoint Security Flaw CVE-2025-53770

Critical Cybersecurity Alert: Exploits Targeting On-Premises SharePoint Servers

Over the weekend, several cybersecurity agencies disclosed a wave of ongoing attacks against on-premises SharePoint Server deployments that exploit vulnerabilities for which no complete fix was yet available. The flaw at the centre of the campaign, CVE-2025-53770, widely referred to as ToolShell, is a deserialization of untrusted data bug that lets an unauthenticated attacker execute code on an exposed SharePoint server.

Microsoft’s Response to Active Threats

Microsoft has confirmed that it is aware of active exploitation and states that the July 2025 Security Update provides only partial protection against it. These vulnerabilities affect on-premises SharePoint Server installations only; SharePoint Online in Microsoft 365 is not affected.

Access to Security Updates

Organizations can obtain the July Security Update relevant for their systems via the following links:

Recommended Mitigation Strategies

While a complete fix is still being prepared, administrators should apply the following measures now:

  • Run only supported versions of on-premises SharePoint Server.
  • Install all available security updates, in particular the July 2025 Security Update.
  • Enable and correctly configure the Antimalware Scan Interface (AMSI) integration, with a compatible antivirus engine such as Microsoft Defender Antivirus running on every SharePoint server.
  • Deploy Microsoft Defender for Endpoint or a comparable endpoint detection and response solution.
  • Rotate the ASP.NET machine keys for SharePoint Server after applying the update, and restart IIS on all servers.

Detection and Threat Identification

Microsoft Defender Antivirus detects exploitation attempts and the post-exploitation artefacts associated with this flaw. Affected servers are flagged under the following detection names:

  • Exploit:Script/SuspSignoutReq.A
  • Trojan:Win32/HijackSharePointServer.A
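The mitigation checklist and the Defender detection names above, combined in one added PowerShell example. This is not code from the article, from Microsoft or from Eye Security; it is a check-and-harden pass an administrator could run from an elevated SharePoint Management Shell on each on-premises server. It reports the farm build and any pending post-update upgrade, confirms Defender Antivirus is running and which AMSI providers are registered on the host, searches the local Defender threat history for the two published detection names, and, only when run with -RotateKeys after the security update has been installed, rotates the ASP.NET machine keys with Update-SPMachineKey and restarts IIS. The -RotateKeys switch and the registry-based provider listing are this example's own; the SharePoint-side AMSI integration setting is managed in Central Administration and is not read here, and the exact Update-SPMachineKey usage should be confirmed against Microsoft's guidance for the installed SharePoint version.

```powershell
# Added example, not from the original article, Microsoft or Eye Security.
# Run from an elevated SharePoint Management Shell on every SharePoint server.
param(
    [switch]$RotateKeys   # rotate ASP.NET machine keys; only after the update is applied
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Patch state: farm build number, plus whether any SharePoint server has
#    update binaries installed but PSConfig not yet run (NeedsUpgrade = True).
$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Name, Role, NeedsUpgrade | Format-Table -AutoSize

# 2. Defender Antivirus health: AMSI only helps if a running, current AV engine
#    is registered as a provider.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated |
    Format-List

# 3. AMSI providers registered on this host. Each subkey is a provider CLSID;
#    the display name is looked up from the CLSID registration when present.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
Get-ChildItem $providerKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $reg   = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
    $name  = if ($reg -and $reg.'(default)') { $reg.'(default)' } else { '(no display name)' }
    [pscustomobject]@{ CLSID = $clsid; Provider = $name }
} | Format-Table -AutoSize

# 4. Local Defender threat history, matched exactly against the two detection
#    names Microsoft published for this flaw.
$names = @('Exploit:Script/SuspSignoutReq.A', 'Trojan:Win32/HijackSharePointServer.A')
$hits  = Get-MpThreat | Where-Object { $names -contains $_.ThreatName }
if ($hits) {
    foreach ($t in $hits) {
        Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } | ForEach-Object {
            Write-Warning ("{0} first seen {1}: {2}" -f $t.ThreatName,
                           $_.InitialDetectionTime, ($_.Resources -join '; '))
        }
    }
    Write-Warning "Treat this server as compromised: isolate it, preserve logs, rotate keys, investigate."
} else {
    Write-Host "No local Defender detections matching the published names."
}

# 5. Machine key rotation. Gated behind the switch because keys rotated before
#    the update is applied must be rotated again afterwards. A stolen machine
#    key lets an attacker sign their own ViewState payloads, so rotation is
#    part of the fix, not optional hygiene.
if ($RotateKeys) {
    foreach ($webApp in Get-SPWebApplication) {
        Write-Host ("Rotating machine key for {0}" -f $webApp.Url)
        Update-SPMachineKey -WebApplication $webApp
    }
    iisreset.exe   # required on every SharePoint server after rotation
} else {
    Write-Host "Machine keys not rotated; rerun with -RotateKeys once the security update is applied."
}
```

Run it first without -RotateKeys to record the current state, apply the update and PSConfig, then rerun with -RotateKeys on each server. Any hit in step 4 means the server should be handled as an incident rather than simply patched, since the detections fire on activity that already took place on the host.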

Research Findings and Urgent Call to Action

“Our analysis involved scanning over 8,000 SharePoint servers globally, uncovering several instances of active compromises, notably around July 18th at 18:00 UTC and July 19th at 07:30 UTC,” stated the cybersecurity research firm Eye Security.

Given the critical nature of this vulnerability, it is imperative for all administrators of on-premises SharePoint to implement the latest security updates and adhere strictly to the recommended mitigation strategies without delay.
