REDMOND, July 21, 2025 – Microsoft has confirmed a massive global cyberattack targeting its SharePoint server software, a critical platform used by government agencies, businesses, and universities for document sharing and collaboration.
The attack, exploiting a zero-day vulnerability tracked as CVE-2025-53770, has compromised at least 85 servers across 54 organizations, including U.S. federal and state agencies, energy companies, and European government entities.
With no patch available for older SharePoint versions, tens of thousands of on-premises servers remain at risk, prompting urgent warnings from Microsoft, the FBI, and cybersecurity experts. The breach, dubbed “ToolShell,” highlights ongoing challenges in securing enterprise software amid escalating cyber threats.
The Zero-Day Threat: CVE-2025-53770
The attack exploits a critical vulnerability in on-premises SharePoint servers, identified as CVE-2025-53770, with a CVSS score of 9.8, indicating severe risk. This flaw allows unauthenticated attackers to execute remote code by deserializing untrusted data, enabling them to install malicious web shells and steal cryptographic keys.
These keys, including ValidationKey and DecryptionKey, allow hackers to craft forged __VIEWSTATE payloads, granting persistent access even after patches are applied. The vulnerability is a variant of CVE-2025-49706, which Microsoft patched in its July 2025 Update Tuesday, but attackers quickly adapted, exploiting a new flaw to bypass the fix.
Microsoft emphasized that SharePoint Online, part of Microsoft 365, is unaffected, as the vulnerability targets only on-premises servers. The attack, first identified by Dutch cybersecurity firm Eye Security on July 18, 2025, has been linked to malicious activities involving the upload of a file named “spinstall0.aspx” via PowerShell, which extracts critical server configurations. Eye Security reported that at least 54 organizations, including banks, universities, and government agencies, have been compromised, with the number likely higher due to undetected breaches.
Scope and Impact of the Attack
The breach has had a far-reaching impact, affecting a diverse range of organizations. According to The Washington Post, U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm are among the victims. In one eastern U.S. state, attackers hijacked a public document repository, locking out officials and preventing access to critical government materials. Eye Security and Palo Alto Networks’ Unit 42 have tracked over 50 breaches, with some estimates suggesting tens of thousands of servers are vulnerable globally.
The attack’s severity stems from its ability to bypass identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), allowing attackers to gain privileged access. Once inside, hackers can exfiltrate sensitive data, deploy persistent backdoors, and move laterally across networks, potentially compromising connected services like Outlook, Teams, and OneDrive. Michael Sikorski, CTO of Unit 42 at Palo Alto Networks, warned, “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply fixes by July 21, 2025. CISA, along with authorities in Canada and Australia, is actively investigating the breach, with the FBI coordinating with private-sector partners. The Center for Internet Security notified approximately 100 organizations, including public schools and universities, of potential vulnerabilities, though response efforts were hampered by a 65% cut in CISA’s threat-intelligence teams.
Microsoft’s Response and Mitigation Efforts
Microsoft issued an urgent alert on July 19, 2025, acknowledging the active exploitation of CVE-2025-53770 and a related spoofing flaw, CVE-2025-53771. On July 20, the company released emergency patches for SharePoint Subscription Edition and SharePoint 2019, with updates for SharePoint 2016 still in development.
Customers are urged to apply these patches immediately and rotate ASP.NET machine keys to invalidate stolen cryptographic secrets. Microsoft also recommended enabling Antimalware Scan Interface (AMSI) integration, enabled by default in September 2023 updates for SharePoint 2016/2019 and Version 23H2 for Subscription Edition, and deploying Microsoft Defender for Endpoint to detect post-exploit activity.
For organizations unable to apply patches or enable AMSI, Microsoft advises disconnecting SharePoint servers from the internet until updates are available. The company also provided indicators of compromise (IoCs), including monitoring for POST requests to “/_layouts/15/ToolPane.aspx” with a referer of “/_layouts/SignOut.aspx” and checking for the malicious file “spinstall0.aspx” (SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514).
Origins of the Vulnerability
The attack leverages a vulnerability chain first demonstrated by Viettel Cyber Security at the Pwn2Own Berlin contest in May 2025, dubbed “ToolShell.” The original flaws, CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code injection), were patched in July, but public disclosure of exploit details by researchers, including CODE WHITE GmbH and Soroush Dalili, enabled attackers to develop a new exploit. Eye Security noted that the rapid weaponization of the zero-day followed these disclosures, highlighting the risks of sharing technical details before patches are widely applied.
Industry and Public Reactions
The cybersecurity community has reacted with alarm, with posts on X reflecting urgency and concern. @Osint613 reported breaches across U.S. agencies and energy companies, while @leviathan_news highlighted CISA’s warning about the attack’s global reach. @happygeek emphasized the lack of a patch for older versions, urging organizations to disconnect servers. Experts like Charles Carmakal of Mandiant Consulting stressed the need for immediate threat hunting, noting that patching alone is insufficient due to stolen cryptographic keys.
Public sentiment on X, as seen in posts like @notreload_ai, underscores the attack’s potential for data theft and password harvesting, amplifying fears about its impact on critical infrastructure. The incident has also reignited criticism of Microsoft’s security practices, following previous breaches like the 2023 Chinese hack of federal email systems and a 2024 HealthEquity attack that exposed 4.3 million users’ data.
Challenges and Controversies
The attack poses several challenges:
- Lack of a Comprehensive Patch: While patches for SharePoint Subscription Edition and 2019 are available, SharePoint 2016 remains vulnerable, leaving many organizations exposed.
- Persistent Access: Stolen cryptographic keys allow attackers to maintain access even after patching, necessitating key rotation and extensive incident response.
- Delayed Response: CISA’s reduced funding and staffing slowed notifications, with the Center for Internet Security taking six hours to warn 100 organizations.
- Attribution Uncertainty: The attackers’ identity and motives remain unclear, with targets spanning the U.S., Europe, Asia, and China, complicating investigations.
Critics argue that Microsoft’s reactive approach—patching one flaw only for attackers to exploit a variant—reflects a pattern of narrowly focused fixes. A 2024 U.S. government panel previously criticized Microsoft for security lapses, and this incident adds to concerns about its ability to secure widely used software.
Future Outlook
The SharePoint attack underscores the growing sophistication of cyber threats and the challenges of securing on-premises infrastructure. Organizations must prioritize immediate mitigation, including applying patches, enabling AMSI, and rotating machine keys, while also conducting threat hunting to detect compromises. The incident highlights the need for robust endpoint visibility and proactive cybersecurity measures, as SharePoint’s integration with services like Teams and Outlook amplifies the risk of network-wide breaches.
Microsoft’s ongoing efforts to develop patches for older SharePoint versions and its coordination with CISA, the FBI, and global partners signal a commitment to addressing the crisis. However, the attack’s scale and the lack of immediate fixes for all versions underscore the urgency of modernizing legacy systems and adopting cloud-based solutions like SharePoint Online, which remain unaffected. As cyberattacks become a key tool in geopolitical and criminal strategies, this breach serves as a wake-up call for organizations to strengthen their defenses and for Microsoft to enhance its security development lifecycle.
Conclusion
The global SharePoint attack exploiting CVE-2025-53770 represents a critical cybersecurity crisis, compromising sensitive systems across governments, businesses, and universities. Microsoft’s emergency patches and mitigation guidance offer a path forward, but the absence of fixes for older versions and the persistence of stolen cryptographic keys pose ongoing risks.
As investigations continue and organizations scramble to secure their servers, this incident highlights the fragility of on-premises infrastructure and the need for rapid, coordinated responses to zero-day threats. The tech world now watches closely to see how Microsoft and its customers navigate this escalating cyber storm.
