ToolShell Threat Brief: SharePoint RCE Vulnerabilities (CVE-2025-53770 & 53771) Explained
New SharePoint vulnerabilities overview
A critical vulnerability in on-premises Microsoft SharePoint Server, CVE-2025-53770 (also known as “ToolShell”), is being actively exploited by threat actors. It and the related CVE-2025-53771 were disclosed around July 18, 2025. Bitsight Research rates CVE-2025-53770 at 10 out of 10 on our Dynamic Vulnerability Exploit (DVE) scale and CVE-2025-53771 at 5.82 out of 10, indicating severe and moderate urgency respectively. CVE-2025-53771 is a variant of the ToolShell zero-day (CVE-2025-53770) and is classified as a SharePoint Server spoofing vulnerability.
CVE-2025-53770
CVE-2025-53770 is especially dangerous because it allows remote code execution (RCE): an attacker can run arbitrary commands or programs on the vulnerable server without authenticating. That gives them full control of the system, including the ability to read files, change configurations, and move laterally through the network to other critical assets.
The flaw stems from how SharePoint deserializes untrusted data, and it can be triggered remotely with a single specially crafted web request. Because no login is required, the risk is extremely high, especially for organizations that have not applied the updates.
CVE-2025-53771 variant
CVE-2025-53771 is not an RCE on its own: it is a path traversal (spoofing) flaw that lets an unauthenticated request reach the vulnerable code path. Chained with CVE-2025-53770, it gives attackers unauthenticated RCE and full compromise of the affected system from crafted web requests. Both CVEs are variants of the earlier SharePoint vulnerabilities CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing), and their use reflects a broader pattern of escalating threats against on-premises SharePoint environments. Security researchers have observed threat actors chaining the two new CVEs to bypass the earlier patches. In observed intrusions attackers have deployed web shells, stolen the server's ASP.NET MachineKey secrets (the ValidationKey and DecryptionKey, which allow signed __VIEWSTATE payloads to be forged and access to survive patching unless the keys are rotated), bypassed multi-factor authentication, and established persistent access.
On July 20, 2025, CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate it immediately upon patch release. Microsoft first released emergency security updates for SharePoint Server Subscription Edition and SharePoint Server 2019, closing the vulnerabilities attackers were actively using to take control of SharePoint environments. These updates supersede and strengthen the earlier fixes for CVE-2025-49704 and CVE-2025-49706, which the new variants bypass.
Microsoft has since released emergency patches for all supported on-premises versions of SharePoint, including SharePoint Server 2016, 2019, and Subscription Edition, addressing the actively exploited CVE-2025-53770 and CVE-2025-53771. The patches close the remote code execution and path traversal flaws that make up the “ToolShell” exploit chain. Organizations are strongly urged to apply the updates immediately and follow Microsoft’s post-patch guidance, including rotating the ASP.NET machine keys (patching alone does not invalidate keys already stolen) and enabling AMSI integration with Microsoft Defender Antivirus to block further exploitation attempts.
SharePoint Online in Microsoft 365 is not impacted by the zero-day.
Compromises associated with CVE-2025-53770 and CVE-2025-53771 have affected an estimated 75 to 85 or more servers globally. Impacted sectors reportedly include education, finance, government, healthcare, energy, telecom, and enterprise environments, and an estimated 9,000 exposed SharePoint servers remain at risk worldwide.
What to do now:
Apply the applicable updates immediately:
- Subscription Edition → KB 5002768
- SharePoint 2019 → KB 5002754
- SharePoint 2016 → KB 5002760
Mitigation recommendations:
- Enable AMSI integration with Microsoft Defender Antivirus
- Rotate the ASP.NET MachineKey after patching, then restart IIS so the new keys take effect
- Scan for web shell indicators such as spinstall0.aspx in the SharePoint LAYOUTS directory
- Enable enhanced logging and monitor for lateral movement
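As an added triage example (this is not Bitsight's or Microsoft's code), the script below applies two published ToolShell indicators to IIS W3C logs: any request for the spinstall0.aspx web shell (or a numbered sibling), and a POST to ToolPane.aspx with DisplayMode=Edit whose Referer is the SignOut.aspx page, the request shape Microsoft's hunting guidance calls out. It assumes the default IIS log field layout, and the hostnames, IPs, usernames and log lines are constructed for the example.

```python
"""ToolShell (CVE-2025-53770 / CVE-2025-53771) indicator triage for IIS W3C logs.

Added example, not code from the original brief. Assumes the standard IIS
W3C fields (date time s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) cs(Referer) sc-status) and checks two
published indicators: requests for the spinstall0.aspx web shell, and POSTs to
ToolPane.aspx?DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx.
"""
import re
from typing import Dict, List

# Constructed sample log (not real telemetry). The first two requests mimic the
# published ToolShell pattern; the last two are benign authenticated editor
# traffic that must NOT be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 03:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.42 Mozilla/5.0 https://sp.example.test/ 200
2025-07-19 03:16:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.43 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/15/settings.aspx 200
"""

WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into a list of field dicts.

    The '#Fields:' directive names the columns; IIS can re-emit it after a log
    rollover, so it is tracked as it appears rather than assumed fixed.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # malformed or pre-directive line: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: Dict[str, str]) -> List[str]:
    """Return the indicator names a single request matches (possibly none)."""
    hits: List[str] = []
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "").lower()
    referer = row.get("cs(Referer)", "")
    method = row.get("cs-method", "").upper()

    # Indicator 1: any request for spinstall0.aspx (or a numbered sibling).
    # A 200 here means the shell was already written to the LAYOUTS directory.
    if WEBSHELL_RE.search(stem):
        hits.append("spinstall_webshell_request")

    # Indicator 2: the initial ToolShell request shape. Legitimate editors open
    # ToolPane.aspx from a site page, not from the sign-out page.
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query and SIGNOUT_RE.search(referer)):
        hits.append("toolpane_signout_referer")
    return hits


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return one finding per (request, indicator) pair."""
    findings: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        for name in classify(row):
            query = row.get("cs-uri-query", "-")
            request = f"{row['cs-method']} {row['cs-uri-stem']}"
            if query != "-":
                request += f"?{query}"
            findings.append({
                "indicator": name,
                "when": f"{row['date']} {row['time']}",
                "client": row.get("c-ip", "-"),
                "user": row.get("cs-username", "-"),
                "request": request,
                "status": row.get("sc-status", "-"),
            })
    return findings


def suspicious_clients(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group indicators by client IP so one source chaining both stands out."""
    by_ip: Dict[str, List[str]] = {}
    for f in findings:
        names = by_ip.setdefault(f["client"], [])
        if f["indicator"] not in names:
            names.append(f["indicator"])
    return by_ip


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['when']}  {f['client']:<15} {f['indicator']:<28} {f['request']} -> {f['status']}")
    print("clients:", suspicious_clients(found))
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the W3C files under the IIS logging directory; a single unauthenticated client (cs-username of "-") that triggers both indicators within seconds is the chain described in this brief, and the server should be treated as compromised regardless of patch status, which means rotating the machine keys, not just updating.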