Microsoft's Latest SharePoint Flaw Exposed: A Comprehensive Guide
In a recent development, a critical remote code execution (RCE) vulnerability, known as CVE-2025-53770 or 'ToolShell', has been discovered in on-premises Microsoft SharePoint servers. This flaw allows malicious actors to gain unauthorized access to organizations' infrastructure, posing an unprecedented risk due to an attacker's ability to bypass authentication and identity controls such as multi-factor authentication (MFA), according to Martin Riley, CTO at cybersecurity firm Bridewell.
To mitigate this vulnerability, CISA and Microsoft have issued a series of recommendations. The most critical steps include:
1. **Apply the latest security updates immediately**: Microsoft released security patches in July 2025 for SharePoint Server 2016, 2019, and the SharePoint Subscription Edition. Organizations are advised to apply these updates as soon as possible.
2. **Enable and correctly configure Antimalware Scan Interface (AMSI) integration**: AMSI helps detect and block exploitation attempts. Ensure AMSI is turned on and set to Full Mode in SharePoint.
3. **Deploy Microsoft Defender Antivirus on all SharePoint servers**: Running Microsoft Defender AV will enhance detection and prevention of attacks exploiting this vulnerability.
4. **If AMSI cannot be enabled or patches cannot be immediately applied, disconnect internet-facing SharePoint servers**: Removing public exposure reduces risk until mitigations are in place.
5. **Monitor and follow additional detection and threat hunting guidance from Microsoft and CISA**: Microsoft provides advisories and detection guidance related to CVE-2025-53770 and related vulnerabilities in the ToolShell exploit chain.
6. **Follow CISA directive**: CVE-2025-53770 is listed in the CISA Known Exploited Vulnerabilities catalog, with a mandatory patching deadline of July 21, 2025, for federal agencies, emphasizing the critical nature of prompt mitigation.
In addition to these measures, CISA advises scanning for specific IP addresses, particularly between July 18-19, 2025, and updating intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior.
Microsoft also advises organizations to rotate SharePoint Server ASP.NET machine keys, use supported versions of on-premises SharePoint Server, and deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions. SharePoint Online in Microsoft 365 is not affected by this vulnerability.
Given the severity of this vulnerability, Martin Riley urges leaders to prioritize mitigations immediately, even if this impacts productivity. The cost of inaction is far greater than the inconvenience of temporary restrictions.
In response to this situation, Keeper Security is offering a 30% discount on its Business Starter and Business plans to help organizations strengthen their security measures.
Organizations are strongly encouraged to follow these recommendations to reduce the risk of unauthorized remote code execution and persistent compromise associated with ToolShell exploitation.
- To ensure cybersecurity in data-and-cloud-computing environments, it's essential for organizations to deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions, as advised by Microsoft to guard against exploitation of the ToolShell vulnerability.
- With the ToolShell vulnerability exposing infrastructure to cyber threats, prioritizing prompt implementation of technology-based security measures, such as endpoint protection, becomes vital to prevent unauthorized remote code execution and persistently compromising on-premises Microsoft SharePoint servers.
- In times of critical vulnerabilities like the one posed by CVE-2025-53770 (ToolShell), technology-driven solutions like intrusion prevention systems and web-application firewalls play a pivotal role in blocking exploit patterns and anomalous behavior, offering an additional layer of endpoint protection.
