Critical SharePoint Zero-Day Exploited: Immediate Steps Against CVE-2025-53770 Vulnerability

A critical zero-day in Microsoft SharePoint, tracked as CVE-2025-53770, is being widely exploited in espionage and ransomware campaigns. Dubbed “ToolShell,” the flaw enables unauthenticated remote code execution via spoofed Referer headers, letting attackers deploy web shells, steal .NET machine keys, and bypass MFA. Nation-state groups and ransomware operators have already compromised high-profile U.S. and Canadian government entities, making urgent patching and key rotation essential.

    A critical zero-day vulnerability in Microsoft SharePoint—identified as CVE-2025-53770—has become the focal point of a series of escalating cyberattacks impacting sectors ranging from government to energy. Labeled “ToolShell” in some reporting, the flaw permits unauthenticated remote code execution on vulnerable SharePoint servers, allowing attackers to exfiltrate data, deploy persistent access mechanisms, and even distribute ransomware. Security teams responsible for on-premises SharePoint environments must act swiftly, as exploitation is widespread and growing more destructive.

    CVE-2025-53770 Enables Full System Compromise via Spoofed Referer Headers

    CVE-2025-53770 affects Microsoft SharePoint Server Subscription Edition, SharePoint 2019, and SharePoint 2016. SharePoint Online is not vulnerable. The vulnerability allows unauthenticated attackers to upload arbitrary files—including web shells—by spoofing the HTTP Referer header.

    According to the SANS Institute, attackers are exploiting this flaw to gain initial access and then stealing .NET machine keys to maintain long-term persistence. This enables threat actors to bypass security measures like multi-factor authentication (MFA) and re-enter systems even after patches are applied.

    Microsoft warns that CVE-2025-53770 carries a critical severity rating and must be addressed immediately to prevent full system compromise.

    Attack Unfolds After Pwn2Own Demonstration and Referer Bypass Discovery

    While the exploit chain was initially demonstrated at the Pwn2Own security competition by Code White GmbH, active exploitation began shortly after a researcher disclosed the Referer header-based bypass:

    • July 17, 2025: A researcher publicly describes the Referer bypass technique.
    • July 18–19: Cybersecurity firm Eye Security confirms active exploitation in the wild.
    • July 20–21: Microsoft issues an advisory, and CISA releases alerts.
    • After July 21: Mass exploitation affects hundreds of organizations worldwide.

    This rapid weaponization reflects a now-common trend where vulnerabilities disclosed in controlled environments are quickly adapted for real-world use by both criminal and nation-state actors.

    Nation-State and Criminal Threat Actors Launch Coordinated ToolShell Campaigns

    Two separate classes of threat actors have been linked to the ongoing exploitation of this SharePoint zero-day. Microsoft attributes initial attacks to Chinese APTs (Advanced Persistent Threats) Linen Typhoon and Violet Typhoon. These groups are focused on espionage and long-term surveillance and have targeted on-premises SharePoint deployments in government and critical infrastructure.

    By contrast, security vendor reports also identify “Storm-2603” as responsible for launching widespread Warlock ransomware campaigns. According to TechRadar, this group leveraged the same vulnerability for access, then pivoted to ransomware, expanding the threat from espionage to financial extortion.

    High-Profile Targets Include U.S. and Canadian Government Agencies

    Among the confirmed victims are:

    • The U.S. Department of Energy and its semiautonomous National Nuclear Security Administration (NNSA).
    • The U.S. National Institutes of Health (NIH).
    • Canada’s House of Commons, where attackers allegedly accessed a database containing staff identities, emails, and device records.

    While initial signs point to espionage rather than destruction, the transition to ransomware suggests a dual-use model where access is first leveraged for intelligence and later monetized.

    The Bitsight Dynamic Vulnerability Exploit scale gave CVE-2025-53770 a maximum rating of 10, emphasizing the urgency of immediate mitigation.

    Microsoft and Security Experts Urge Coordinated Response for Vulnerability Mitigation

    Microsoft has released out-of-band security patches for both CVE-2025-53770 and a related variant, CVE-2025-53771. Organizations running on-premises SharePoint Server 2016, 2019, or the Subscription Edition must install these updates as an urgent priority. SharePoint Online remains unaffected.

    Microsoft and independent researchers recommend the following additional steps to harden SharePoint environments:

    1. Enable Antimalware Scan Interface (AMSI): AMSI integration helps detect unauthorized file uploads. It should be configured in Full Mode and used with Microsoft Defender Antivirus.
    2. Rotate .NET Machine Keys: After patching, rotate machine keys to invalidate those stolen by attackers. This helps prevent re-entry.
    3. Isolate Unpatched Servers: If patching is not immediately feasible, affected servers must be taken offline or access-limited to prevent exploitation.
    4. Conduct Endpoint Detection Scans: Use endpoint detection and response (EDR) tools to identify potential post-exploitation activity or unauthorized persistence mechanisms such as web shells or scheduled tasks.
    5. Reset Credentials and Audit Logs: Change passwords for SharePoint service accounts and look for anomalous access patterns that may indicate compromise.
    6. Harden Network Perimeter: Adopt Zero Trust Network Access (ZTNA), restrict outbound traffic, and secure access via VPNs or application gateways.
    7. Ensure Backup and Logging Integrity: Confirm that recent, clean backups are available and that event and audit logs are retained for analysis.
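    The "Rotate .NET Machine Keys" and "Conduct Endpoint Detection Scans" steps above, as an added PowerShell example that is not from the article or from Microsoft. It relies on the SharePoint Server cmdlets Get-SPWebApplication and Update-SPMachineKey run from the SharePoint Management Shell after the security update is installed; the default LAYOUTS path, the 14-day lookback window and the report location are assumptions to adjust for your farm.

```powershell
# Added example (not from the article or Microsoft): post-patch remediation for an
# on-premises SharePoint farm. Run once, as a farm administrator, in the SharePoint
# Management Shell on one server in the farm, AFTER the security update is installed.
# Assumptions: the LAYOUTS path below is the usual location for SharePoint 2016 and
# later; the lookback window and report path are arbitrary defaults.
param(
    [string]$LayoutsPath = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    [int]$LookbackDays = 14,
    [string]$ReportPath = "$env:TEMP\sharepoint-aspx-triage.csv"
)

# Load the SharePoint cmdlets if the shell has not done so already.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate the ASP.NET machine keys of every web application, including Central
# Administration. Keys stolen before patching stop working once the rotation job
# has run, which is what denies the attacker the persistence the article describes.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# New keys are only picked up by the worker processes after IIS restarts.
iisreset /noforce

# Web shell hunt: an .aspx file created or modified under LAYOUTS within the lookback
# window is not expected on a patched, unmodified farm and should be reviewed by hand.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$suspects = @(
    Get-ChildItem -Path $LayoutsPath -Filter *.aspx -Recurse -File |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
)

if ($suspects.Count -gt 0) {
    # Record path, timestamps and hash so the files can be checked against vendor
    # indicators and preserved as evidence before any cleanup.
    $suspects | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host "$($suspects.Count) recently written .aspx file(s) found; report: $ReportPath"
```

    Repeat the file hunt on every web front-end in the farm, since the key rotation is farm-wide but a dropped web shell is local to the server that received the upload.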

    Immediate Response Should Be Based on the Assumption of Compromise

    Security experts recommend that any organization running an affected version of SharePoint treat this as an assumed compromise scenario. The speed and scale of the exploitation—over 400 known victims already, per Eye Security—make this an urgent operational crisis. Some estimates suggest that up to 9,000 unpatched SharePoint services remain publicly exposed.

    Given that attackers can bypass MFA, maintain persistence through stolen keys, and escalate access rapidly, time is a critical factor. The cyberattacks triggered by CVE-2025-53770 highlight the elevated risks posed by unpatched legacy systems reliant on traditional network perimeters.

    The shift from espionage to ransomware marks a dangerous escalation. Immediate, comprehensive remediation is required to protect both data integrity and business continuity.

    CVE-2025-53770 is more than just another Microsoft SharePoint vulnerability. It is a systemic risk to any organization relying on on-premises collaboration infrastructure without carefully maintained patch hygiene and internal segmentation. With the ToolShell campaign rapidly evolving, security teams must view patching, detection, and threat hunting as simultaneous components of a unified incident response.
