A zero-day vulnerability in Microsoft's SharePoint software is being actively exploited by hackers to breach U.S. federal and state agencies, universities, and energy companies. The flaw, tracked as CVE-2025-53770, affects on-premises SharePoint Server deployments and is being used to compromise vulnerable organizations worldwide.

Microsoft issued an emergency security update for the vulnerability on July 20, 2025, amid reports of widespread attacks. The company's advisory notes that the weakness applies only to SharePoint Servers used in-house, with SharePoint Online and Microsoft 365 unaffected.

What Happened

The zero-day exploit was first spotted by researchers at Eye Security on July 18, 2025, who found dozens of separate servers compromised through the bug and infected with a backdoor dubbed "ToolShell." ToolShell provides unauthenticated remote access, allowing attackers full access to SharePoint content, including the file system and internal configuration. The attacks also sought to steal the servers' ASP.NET machine keys, which can be used to facilitate further attacks even at a later date.

According to the Cybersecurity & Infrastructure Security Agency (CISA), the exploit is a variant of the existing vulnerability CVE-2025-49706, which was partially addressed by Microsoft's July 8, 2025 security update. CISA warns that attackers are retrofitting compromised servers with ToolShell, enabling them to execute code over the network and access sensitive information.

Background and Context

SharePoint is a widely used software platform for internal document management, data organization, and collaboration. Companies and government agencies around the world rely on SharePoint for sharing and managing documents, making it a prime target for hackers. The vulnerability in question affects only on-premises SharePoint Server customers; SharePoint Online and Microsoft 365 are unaffected.

Microsoft's advisory notes that the company is aware of active attacks targeting on-premises SharePoint Server customers and is working to patch the issue. However, the company has not yet released updates for supported versions of SharePoint 2019 and SharePoint 2016, leaving these organizations vulnerable to attack.

Why it Matters to the Industry

The zero-day exploit targeting SharePoint highlights the importance of robust cybersecurity measures in the adult industry. Adult platforms and operators rely on software solutions like SharePoint for document management, data organization, and collaboration. A vulnerability in such a widely used platform can have far-reaching consequences, compromising sensitive information and disrupting business operations.

Furthermore, the use of ToolShell as a backdoor raises concerns about unauthorized access to sensitive systems and data. Because stolen ASP.NET machine keys can let attackers retain access even after a patch is applied, the incident also underscores the need for proactive cybersecurity measures, including regular updates, backups, and monitoring.

What Comes Next

Microsoft has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016. CISA advises vulnerable organizations to enable the Antimalware Scan Interface (AMSI) integration in SharePoint, deploy Microsoft Defender AV on all SharePoint servers, and disconnect affected products from the public-facing Internet until an official patch is available.

Researchers at Eye Security warn that patching alone is not enough and advise defenders not to wait for a vendor fix before taking action. The threat is already operational and spreading rapidly, so organizations need to act immediately to mitigate its impact.

Key Facts

  • The zero-day exploit targets Microsoft's SharePoint software, specifically on-premises SharePoint Server customers.
  • The vulnerability, known as CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706.
  • Attackers are using ToolShell as a backdoor to access sensitive systems and data.
  • Microsoft has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but not yet for supported versions of SharePoint 2019 and SharePoint 2016.
  • CISA advises vulnerable organizations to enable AMSI in SharePoint, deploy Microsoft Defender AV on all SharePoint servers, and disconnect affected products from the public-facing Internet until an official patch is available.