Sunday, July 20, Microsoft corp. An emergency safety update for a vulnerability in Sharepoint server Weak organizations are being actively exploited to compromise. The patch report comes that malicious hackers have used Sharepoint defects to dissolve American federal and state agencies, universities and energy companies.
Picture: By Shuttersk, Escanio.
In a consultant Sharepoint security holes, about aka Cve-2025-53770Microsoft stated that it is aware of active attacks, which is known about the weakens that are targeted and exploited weaknesses to SharePoint server customers who were partially addressed by 8 July, 2025 security updates.
Cyber security and infrastructure security agency (CISA) AgreedSaying that CVE-2025-53770 is a version on Microsoft Patch earlier this month (Cve-2025-49706)Microsoft notes weakness applies only to Sharepoint server that organizations use in-houses, and that Sharepoint online and microsoft 365 are not affected.
Washington Post Informed The US government and partner in Canada and Australia on Sunday are checking the hack of the Sharepoint server, providing a platform to share and manage the documents. In The Post report, at least two American federal agencies have seen their servers through SharePoint vulnerability.
According to CISA, the attackers who exploit the newly-fed defects are retrofitting the compromised server with a back door “Toolshell“It provides informal, remote access to the system. CISA stated that the toolshell enables the attackers to fully reach the Sharepoint material – including the file system and internal configuration – and execute the code on the network.
Researcher on eye protection He said that he first exploited large-scale Sharepoint Flaw on July 18, 2025, and soon found dozens of different servers compromised by bug and infected with toolshell. In A blog postResearchers said the attacks demanded to steal the Sharepoint server asp.net machine.
“These keys can be used to facilitate further attacks, even at the later date,” eye safety warned. “It is important that the affected server sharepoint server rotate the asp.net machine and restart II on all Sharepoint Server. Patching is not enough alone. We strongly advise defenders to advice guards not to wait for a seller fix before taking action. This danger is already on and spreading rapidly.”
Microsoft advisor says the company has released updates Sharepoint server membership version And Sharepoint Server 2019But it is still working on updates for supported versions Sharepoint 2019 And Sharepoint 2016,
CISA advises weak organizations to enable the anti-mailware scan interface (AMSI) in Sharepoint, to deploy Microsoft defender AV on all Sharepoint servers, and to disconnect the products affected by public-affected Internet until an official patches are available.
Safety firm Rapid7 Note Microsoft has described the CVE-2025-53770 related to the previous vulnerability- Cve-2025-49704It was patched earlier this month-and that the CVE-2025–49704 was part of an exploitation series. Pwn2own Hacking competition in May 2025. That exploitation chain called for a second Sharepoint weakness – Cve-2025-49706 – Joe Microsoft unsuccessfully tried to fix this month’s patch on Tuesday.
Microsoft has also released a patch for the respective Sharepoint vulnerability – Cve-2025-53771Microsoft states that there are no indications of active attacks on CVE-2025-53771, and that the patch is to provide stronger protection than updates for CVE-2025-49706.
This is a fast developing story. Any update will be noted with a timstamp.
