
According to cybersecurity experts, organizations with on-premises Microsoft SharePoint Servers need to deploy emergency patches amid widespread cyberattacks that have reportedly compromised numerous companies and government agencies globally.
The ongoing cyberattack campaign (ToolShell) is exploiting a pair of vulnerabilities that affect on-premises SharePoint Servers. Microsoft has made patches available for some of the affected versions of SharePoint Server, but not all impacted versions have patches available as of this writing.
In a customer guidance advisory, Microsoft said it “is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities,” which are tracked as CVE-2025-53770 and CVE-2025-53771. The Ontinue Advanced Threat Operations (ATO) team and Qualys Threat Research Unit have each published details on these flaws, and CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and instructed all federal civilian executive branch (FCEB) agencies to identify potentially affected systems and apply mitigations.
Industry experts recently weighed in with their thoughts on these vulnerabilities and their possible impact.
Dana Simberkoff, Chief Risk, Privacy and Information Security Officer, AvePoint:
"This incident is a stark reminder that cybersecurity cannot be reduced to patchwork solutions. Modern software vulnerabilities are an unfortunate reality, but the real issue isn't just that flaws exist—it's how quickly organizations can detect, patch, and recover from them.
"We need to move from firefighting to proactive security posture management. Organizations can't afford to wait for vendors to patch vulnerabilities after they've been exploited—they need to implement data minimization strategies, robust lifecycle management, and continuous DSPM to identify and mitigate risks before attackers can exploit them. The fact that hackers gained access to cryptographic keys that could allow re-entry even after patching highlights why surface-level fixes aren't sufficient when the underlying security architecture lacks depth.
"Security isn't just a technical problem—it's a cultural one. Organizations impacted by this breach need to immediately minimize their attack surface by removing unused data and limiting access to sensitive content, implement zero-trust architectures that assume breach and verify every access request, and use layered defense strategies that combine native tools with third-party solutions for backup, compliance, and threat detection.
"With budget cuts reducing threat-intelligence teams by 65 percent, we're creating a perfect storm where sophisticated attacks meet diminished response capabilities."
Jason Soroko, Senior Fellow at Sectigo:
"CVE-2025-53770 allows an outsider to feed poisoned data into an on-prem SharePoint server so the system ends up running the attacker’s own program. The adversary can treat the server like a remote computer they fully control. CVE-2025-53771 is a path traversal spoofing weakness that lets a logged-in user pretend to be something they are not and sneak to files or features they should never touch.
"While the SharePoint 2016 fix is still in progress, Microsoft and CISA tell customers to cut exposure by enabling the Antimalware Scan Interface (AMSI), deploying Defender (or an equivalent endpoint tool), rotating the ASP.NET machine keys after updates, isolating or temporarily disconnecting public-facing servers, and watching logs for ToolPane or spinstall0.aspx requests.
"The best defense is a secure by design culture that shortens code paths, adds continuous fuzz testing and applies defense in depth so that one deserialization slip cannot hand over the keys."
Thomas Richards, Infrastructure Security Practice Director at Black Duck:
"The SharePoint Server Remote Code Execution Vulnerability allows an attacker to arbitrarily run code on a SharePoint server. This would allow the attacker to completely compromise the server, steal secrets, or use it to perform additional attacks on the network.
"Software security is a very difficult problem for organizations to solve. Large codebases which consist of legacy code increase that challenge as the original software wasn’t written with modern secure code guidance. Introducing a fix can sometimes have other implications if the original vulnerability isn’t fully resolved.
"If possible, organizations should restrict access to any externally available vulnerable SharePoint server. Security teams should also add end-point protection software to their SharePoint servers and review system logs for evidence of a compromise as documented by the researchers."
Trey Ford, Chief Information Security Officer at Bugcrowd:
"The callout to 'Rotate SharePoint Server ASP.NET machine keys' indicates that attackers can (and have) used cryptographic keys to impersonate (identities, users, services) - this action is particularly important, and should not be missed.
"This is actively being exploited - threat hunters and intel teams are actively exploring scope. This is a high priority vulnerability requiring active involvement from leadership supporting simultaneous mitigation and threat hunting efforts.
"Attackers with this level of access will be set up to achieve persistence through backdoors; hunt teams will need time and support for vigilance after mitigations have been put in place. Microsoft products are highly integrated; a broader scope of hunting and post-incident remediation may be necessary.
"This is a game of cat-and-mouse, code is always evolving, and the boundless ingenuity of the research community, both altruist and malicious, is highly varied and diverse. Patches are rarely fully comprehensive, and the codebases are complex and implementations are highly varied.
"This is why those test harnesses and regression testing processes are so complicated. In a perfect world, everyone would be running the latest version of code, fully patched. Obviously this isn't possible, so feature development must be tested across an exponentially more complicated surface area."
Mr. Mayuresh Dani, Security Research Manager, Qualys Threat Research Unit:
"The Washington Post points to attacks against U.S. federal and state agencies, universities, and energy companies, among others. Based on the latest threat research data, there have been extensive attacks on a global scale due to the popularity of Microsoft SharePoint. Significant compromises across more than 50 organizations have been confirmed, and there are over 8,000 publicly exposed SharePoint servers with a possibility of being actively compromised.
"Reports say that some of the flaws were fixed with the July Patch Tuesday rollout; however, hackers were able to bypass the fixes. This is because not all software is built with security in mind - especially those versions that have been in production for long.
"It is not a Microsoft mistake per se, as they must be managing billions of lines of code across numerous products, making it statistically inevitable that some vulnerabilities will make it to production. Many Microsoft products may carry technical debt from legacy design decisions that prioritized functionality over security.
"The SharePoint ToolShell vulnerabilities demonstrate how attack chains can bypass previous patches, indicating that fixing one vulnerability payload doesn't necessarily prevent related attack vectors. In fact, we should also appreciate Microsoft for acknowledging and releasing patching solutions for some versions in a matter of two days. Security should be ingrained in all processes and not depend on a single point of failure.
"Organizations should:
- Enable Antimalware Scan Interface (AMSI) integration in SharePoint with Full Mode for optimal protection.
- Deploy Microsoft Defender Antivirus on all SharePoint servers.
- Disconnect internet access for vulnerable servers if AMSI cannot be enabled.
- Rotate SharePoint Server ASP.NET machine keys after applying updates and restart IIS.
- Implement zero-trust based network segmentation to limit lateral movement if compromise occurs.
- Deploy advanced endpoint detection and response (EDR) solutions, such as Microsoft Defender for Endpoint.
- Conduct regular security assessments and penetration testing of SharePoint environments.
- Monitor for indicators of compromise, particularly the creation of suspicious files like spinstall0.aspx.
- Maintain offline backups that are regularly tested and isolated from network access."
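One way to put the log-watching advice that appears in both the Sectigo and Qualys comments above into practice (requests to ToolPane or spinstall0.aspx in the web server logs, and the appearance of a spinstall0.aspx file on disk) is a small detector over IIS W3C extended logs plus a file-name sweep of the LAYOUTS folder. This is an added example, not code from the article or from any of the vendors quoted. The log records, client addresses, account names and directory tree are constructed placeholders, and the indicator list is limited to the two names the article itself mentions; real hunts would extend it from the vendor advisories.

```python
"""Detect the ToolShell indicators named in the article: requests whose URI
mentions ToolPane or spinstall0.aspx in IIS W3C logs, and spinstall0.aspx
present on disk. Added example; all sample data below is constructed."""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators named in the article (name, pattern). Matching is case-insensitive
# because IIS preserves whatever casing the client sent.
SUSPICIOUS_URI_INDICATORS = [
    ("ToolPane request", re.compile(r"toolpane", re.IGNORECASE)),
    ("spinstall0.aspx request", re.compile(r"spinstall0\.aspx", re.IGNORECASE)),
]
SUSPICIOUS_FILENAMES = {"spinstall0.aspx"}

# Constructed IIS W3C extended log excerpt (not a real capture). 203.0.113.44 is a
# documentation address standing in for an external client; the two internal
# requests from CONTOSO users are benign noise the detector must ignore.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.44 Mozilla/5.0 - 200 0 0 340
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.44 Mozilla/5.0 - 200 0 0 15
2025-07-19 10:00:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\bob 10.0.0.21 Mozilla/5.0 - 200 0 0 30
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: str
    indicator: str


def parse_w3c_records(lines):
    """Yield one dict per IIS W3C record, mapping columns from the #Fields: directive
    so the parser does not depend on a fixed column order. Records whose field count
    does not match the header are skipped rather than misattributed."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def scan_iis_log(lines):
    """Return a Finding for every record whose URI stem or query matches an indicator."""
    findings = []
    for rec in parse_w3c_records(lines):
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        for name, pattern in SUSPICIOUS_URI_INDICATORS:
            if pattern.search(target):
                findings.append(Finding(
                    timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                    client_ip=rec.get("c-ip", ""),
                    method=rec.get("cs-method", ""),
                    uri=rec.get("cs-uri-stem", ""),
                    status=rec.get("sc-status", ""),
                    indicator=name,
                ))
                break  # one finding per record is enough
    return findings


def source_ips(findings):
    """Distinct client addresses behind the findings, a natural pivot for a hunt."""
    return {f.client_ip for f in findings}


def find_suspicious_files(root):
    """Walk a directory tree and return paths whose file name is an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPICIOUS_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_file_scan():
    """Build a throwaway tree imitating a SharePoint LAYOUTS folder (constructed),
    drop one benign and one suspicious page into it, and return the relative hits."""
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "15", "TEMPLATE", "LAYOUTS")
        os.makedirs(layouts)
        for name in ("start.aspx", "spinstall0.aspx"):
            with open(os.path.join(layouts, name), "w", encoding="utf-8") as fh:
                fh.write("<%@ Page %>")
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_suspicious_files(root)]


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.uri} -> {h.indicator}")
    print("pivot IPs:", sorted(source_ips(hits)))
    print("files:", demo_file_scan())
```

Point `scan_iis_log` at the real log files under the IIS log directory (one file per day per site) rather than the constructed excerpt, and treat the result as a triage list, not a verdict: a hit on ToolPane from an internal, authenticated editor can be legitimate, whereas any request for spinstall0.aspx, or that file existing at all, is worth escalating.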