Microsoft Patches Actively Exploited SharePoint Zero-Day Flaws
Microsoft 365 has issued urgent updates for on-premises SharePoint Servers, addressing two zero-day flaws actively exploited by attackers since mid-July. The vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, have been used in attacks dubbed 'ToolShell'.
The first vulnerability, CVE-2025-53770, is a variant of a spoofing flaw patched in July's Patch Tuesday updates. Security experts have confirmed hackers are exploiting this flaw, which allows unauthorized code execution over a network. Microsoft recommends enabling AMSI integration and deploying Microsoft Defender across all SharePoint Server farms to mitigate this risk.
Attackers are exploiting the SharePoint flaw to run commands before authentication by abusing object deserialization. They use stolen machine keys to persist and move laterally within systems. Both vulnerabilities affect only on-premises SharePoint Servers and can be chained for unauthenticated remote code execution.
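Because the attackers described above persist with stolen machine keys, installing the update on its own does not invalidate keys that were already captured; rotating the farm's ASP.NET machine keys after patching does. The following PowerShell is an added example, not code from the article or from Microsoft's advisory; it assumes SharePoint Server 2019 or Subscription Edition, which provide the Update-SPMachineKey cmdlet, and that it is run by a farm administrator in the SharePoint Management Shell.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of
# every content web application after the security update is installed, so
# that keys stolen before the patch can no longer be used to sign payloads.
# Assumption: SharePoint Server 2019 or Subscription Edition, which ship
# the Update-SPMachineKey cmdlet; run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Get-SPWebApplication without -IncludeCentralAdministration returns only
# the content web applications, which is where user-facing pages are served.
foreach ($wa in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($wa.DisplayName) ($($wa.Url))"
    Update-SPMachineKey -WebApplication $wa
}

# The new keys take effect once IIS is restarted on each server in the farm.
Write-Host "Run 'iisreset' on every SharePoint server in the farm to apply the new keys."
```

Rotate keys only after the update is installed; rotating on an unpatched server leaves the deserialization path open and the new keys can be stolen again.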
The second flaw, CVE-2025-53771, is a SharePoint spoofing flaw caused by improper path restrictions. This can be chained with CVE-2025-53770 for remote code execution.
Microsoft 365 has patched the exploited SharePoint flaw CVE-2025-53770 and warned of ongoing attacks on on-premises servers. Users are urged to apply the emergency updates and follow Microsoft's recommendations to protect against these zero-day vulnerabilities.