
New Microsoft SharePoint exploit patched in emergency security update

Microsoft has released patches for SharePoint 2019 and Subscription Edition. (Image Source: Microsoft)
Microsoft has rushed out an emergency patch to block two zero-day exploits that have compromised SharePoint servers worldwide.

Microsoft has released an emergency security patch that curtails the "ToolShell" attacks affecting services worldwide. The patches for Microsoft SharePoint Subscription Edition and SharePoint 2019 fix two critical security flaws identified as "CVE-2025-53770" and "CVE-2025-53771". 

Currently, there are no patches available for SharePoint 2016, but Microsoft has indicated that it is working on one. The company has recommended that admins install the "KB5002754 update" for SharePoint 2019 and the "KB5002768 update" for SharePoint Subscription Edition.

These vulnerabilities enable the remote execution of arbitrary code on servers without requiring any authentication. The "CVE-2025-53770" vulnerability has a CVSS v3 score of 9.8 and is being actively exploited in the wild.

The attackers target internet-facing SharePoint servers, and at least two of these attacks have ties to the ransomware groups "Silk Typhoon" and "Storm-0506", both of which are known to target enterprise servers.

The flaw allows attackers to steal keys and impersonate users, even if the server is restarted or patched. So far, cloud versions of SharePoint don't seem to be vulnerable to the attacks. 

Security researchers at Eye Security first discovered the flaws on July 18th. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to enable Antimalware Scan Interface (AMSI) and Microsoft Defender AV on all SharePoint servers. 

If AMSI can't be enabled, admins are advised to immediately disconnect the affected servers from the network until further resolution.

Rohith Bhaskar, 2025-07-21 (Update: 2025-07-21)