Microsoft has released an emergency security patch for a serious vulnerability in its SharePoint Server software. This flaw, tracked as CVE-2025-53770, is already being actively used by hackers to launch cyberattacks. The vulnerability allows attackers to run malicious code remotely, which could give them full access to affected systems.

The issue affects on-premises versions of Microsoft SharePoint, especially SharePoint Server 2019 and SharePoint Subscription Edition. Microsoft has released urgent patches for both of these versions. However, SharePoint 2016 users are still waiting for a fix, which is currently under development.

What makes this flaw so dangerous is that it’s being used in real-world attacks right now. Microsoft confirmed that at least 54 organizations have already been targeted. This includes banks, energy companies, government departments, and even universities. Other researchers estimate that over 75 SharePoint servers have been compromised so far.

The attacks appear to have started around July 18, 2025. Hackers are using a technique known as ToolShell, which chains together multiple previous vulnerabilities. These were first demonstrated earlier this year during the Pwn2Own hacking competition. The method allows attackers to bypass authentication and gain full control of a SharePoint server.

Once inside the system, attackers are installing persistent backdoors, stealing sensitive files, and even copying cryptographic keys. These keys could allow them to impersonate users or services, making it difficult to detect or stop the attack. The intruders can remain hidden even after a system is patched unless additional steps are taken.

Microsoft and other cybersecurity experts are urging all organizations using SharePoint on-prem to take immediate action. Simply applying the patch may not be enough if your system has already been breached. Attackers might still have access using stolen keys or undetected backdoors.

To fully secure systems, Microsoft has recommended several steps. First, install the emergency updates without delay. Then, rotate your ASP.NET machine keys, restart IIS (Internet Information Services), and enable both Microsoft Defender Antivirus and Antimalware Scan Interface (AMSI). Disconnect any publicly exposed SharePoint servers from the internet until they’re fully cleaned and patched.
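
The key rotation, IIS restart and Defender check from the steps above can be scripted. The following is an added example, not code from Microsoft or from this article; it assumes it is run from the SharePoint Management Shell as a farm administrator after the emergency update has been installed.

```powershell
# Added example: post-patch hardening steps for an on-premises SharePoint farm.
# Assumption: SharePoint cmdlets are already loaded (SharePoint Management Shell).
$ErrorActionPreference = 'Stop'

# 1. Rotate the ASP.NET machine keys of every web application, so keys copied
#    from the server before patching can no longer be used against it.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Set-SPMachineKey    -WebApplication $webApp   # generate new keys
    Update-SPMachineKey -WebApplication $webApp   # deploy them across the farm
}

# 2. Restart IIS so the worker processes pick up the new keys.
#    This restarts IIS on the local server only; repeat on each farm server.
iisreset.exe
if ($LASTEXITCODE -ne 0) {
    throw "iisreset failed with exit code $LASTEXITCODE"
}

# 3. Confirm Microsoft Defender Antivirus is running with real-time protection.
#    The AMSI integration setting inside SharePoint is not checked by this script.
$mp = Get-MpComputerStatus
$checks = [ordered]@{
    'Antimalware service enabled' = $mp.AMServiceEnabled
    'Antivirus enabled'           = $mp.AntivirusEnabled
    'Real-time protection'        = $mp.RealTimeProtectionEnabled
}

$failed = @()
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'NOT ENABLED' }
    Write-Host ("{0,-30} {1}" -f $name, $state)
    if (-not $checks[$name]) { $failed += $name }
}

if ($failed.Count -gt 0) {
    Write-Warning ("Defender checks failed: " + ($failed -join ', '))
}
```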

This situation is being taken very seriously. The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, is now investigating these attacks. They’re working closely with Microsoft and affected organizations to reduce further damage and contain the spread. CISA has already published a security advisory and is urging immediate mitigation.

Experts believe that thousands of organizations could still be vulnerable if they haven’t applied the patch or checked for signs of compromise. What makes this flaw especially tricky is that even after patching, a compromised server could still be under attacker control unless machine keys are rotated and the system is properly cleaned.

This is one of the most serious SharePoint vulnerabilities in recent years because it’s not just theoretical. It’s being actively exploited in the wild and is affecting real businesses and government systems. Attackers don’t need credentials or inside access; they can break in directly from the outside if the server is exposed.

If your organization uses SharePoint Server, especially 2019 or Subscription Edition, you need to act now. Patch the system, rotate keys, check logs, and assume compromise if you’ve had an exposed instance online in recent days. If you’re on SharePoint 2016, monitor Microsoft’s updates closely and prepare for the patch release.

This is a fast-moving threat, and even though Microsoft responded quickly, the attackers were already one step ahead. Staying updated, following Microsoft’s guidance, and taking immediate security steps are the only way to prevent serious damage from this exploit. Don’t wait. Secure your systems today.

Stay alert, and keep your security measures updated!
