
“ToolShell” Zero-Day Exploits Slam On-Prem SharePoint: CISA, Microsoft Sound the Alarm

In yet another wake-up call for organizations clinging to legacy on-prem systems, federal cybersecurity watchdogs and top threat analysts are warning that a new pair of remote code execution (RCE) exploits—actively used in the wild—is compromising Microsoft SharePoint servers at scale.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog this weekend after uncovering live exploitation activity tied to the attack chain known as “ToolShell.” A second, related flaw, CVE-2025-53771, has also surfaced; together the pair bypasses previous patches and is being leveraged to hijack SharePoint servers without authentication or user interaction.


Full Access, No Credentials Needed


The attack begins with a simple POST request to a vulnerable endpoint. From there, attackers upload a malicious webshell, spinstall0.aspx, which they use to harvest the server’s ASP.NET machine keys—the secrets used to sign and encrypt ViewState, and essentially the server’s master passwords. With those in hand, they can forge payloads the server will trust, execute arbitrary code, and move laterally across networks with impunity.


“This isn’t theoretical, it is operational,” warned Lorri Janssen-Anessi, Director of External Cyber Assessments at BlueVoyant. “These vulnerabilities are already being actively used in the wild, with confirmed compromises across government, education, and healthcare sectors.”


Both CVEs are variants of older flaws, CVE-2025-49704 and CVE-2025-49706, which Microsoft addressed earlier this month. But attackers have already reverse-engineered those patches, chaining together new weaknesses that reopen the door—this time with even less friction.


No Time to Wait


CISA is urging immediate action to prevent further fallout, recommending that organizations disconnect internet-exposed SharePoint servers until they're either patched or proven clean. Microsoft has released emergency patches for some versions:


  • SharePoint Server Subscription Edition: KB5002768
  • SharePoint Server 2019: KB5002754
  • SharePoint Server 2016: Patch in progress; mitigations only for now


For unpatched or unpatchable systems, Microsoft and CISA recommend enabling the Antimalware Scan Interface (AMSI), isolating affected servers, rotating ASP.NET machine keys, and scanning for connections to known malicious IP addresses such as 107.191.58[.]76 and 104.238.159[.]149.
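As an added illustration of the “scan for connections to known malicious IP addresses” step above (this script is not from the article, CISA, or Microsoft), the following Python parses IIS W3C logs from a SharePoint front end and flags requests coming from the two IPs the article lists or requesting the spinstall0.aspx webshell named earlier. The log lines, field layout and URI paths in the sample are constructed assumptions; on a real server you would feed it the files under the IIS LogFiles directory.

```python
# Indicators copied from the article (defanged '[.]' written as '.').
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149"}
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample log, not a real capture: IIS W3C format with a #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.22 Mozilla/5.0 200
2025-07-19 10:02:15 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 10:02:40 10.0.0.5 GET /_layouts/15/SPINSTALL0.ASPX - 443 - 104.238.159.149 python-requests/2.31 200
2025-07-19 10:03:01 10.0.0.5 GET /sites/hr/lists.aspx - 443 CORP\\bob 10.0.1.23 Mozilla/5.0 200
2025-07-19 10:04:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 104.238.159.149 Mozilla/5.0 401
"""


def parse_w3c(text):
    # Use the #Fields header to name columns, so the parser is not tied to one layout.
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield lineno, dict(zip(fields, parts))


def triage(text):
    # One finding per suspicious request; both indicators can match the same line.
    findings = []
    for lineno, rec in parse_w3c(text):
        reasons = []
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            reasons.append("source is a listed malicious IP")
        if WEBSHELL_NAME in rec.get("cs-uri-stem", "").lower():
            reasons.append("request for spinstall0.aspx webshell")
        if reasons:
            findings.append({"line": lineno, "client": rec.get("c-ip", "-"), "method": rec.get("cs-method", "-"),
                             "uri": rec.get("cs-uri-stem", "-"), "status": rec.get("sc-status", "-"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['uri']} from {f['client']} -> {'; '.join(f['reasons'])}")
```

A hit on the webshell path is evidence the key-harvesting stage already ran, so the machine-key rotation and incident response steps above apply even if the server has since been patched.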


Assume Breach, Then Verify


SecurityScorecard CISO Steve Cobb didn’t mince words: “This is a critical zero-day issue, meaning the vendor, Microsoft, had ‘zero days’ to fix it before attackers started using it. If your on-premises SharePoint instance was internet-exposed, assume it’s compromised until proven otherwise.”


Cobb recommends not just patching but also running full incident response protocols, validating backup integrity, and verifying that any restored systems were not already infected before the backup was taken.


He added: “This must be treated as a potential enterprise-wide compromise vector. Organizations should actively monitor their SharePoint environments for indicators of compromise and suspicious activity. Staying current with CISA alerts and Microsoft's official guidance is crucial.”


Trust is the New Vulnerability


At the heart of the exploit chain lies a broken assumption: that authenticated access equals trustworthy behavior. But this incident, according to Rik Ferguson, VP of Security Intelligence at Forescout, underscores why that assumption is outdated.


“CVE-2025-53770 is more than just another SharePoint flaw. It is a case study in what happens when legacy trust models meet modern threat actors,” Ferguson said. “Zero Trust is not a buzzword. It is a necessity.”


He stressed the need for modern segmentation strategies and real-time behavioral monitoring—not just for perimeter defense, but to contain inevitable breaches and limit their blast radius.


The Bottom Line


With confirmed attacks already disrupting major sectors and the exploit chain trivial to reproduce, organizations still relying on on-prem SharePoint must act as though the breach has already happened.


This isn’t just a patch-it-and-move-on moment. It’s a red siren for enterprises to reevaluate legacy infrastructure and security assumptions in the face of increasingly agile and persistent adversaries.


As CISA continues to update its guidance and Microsoft races to plug the remaining holes, one truth is clear: The days of trusting your own servers just because they’re “inside the firewall” are over.
