Unveiling a Severe, Unpatched SharePoint On-Premises Vulnerability: Insights and Mitigation Strategies

Unveiling a Severe, Unpatched SharePoint On-Premises Vulnerability: Insights and Mitigation Strategies

Critical Security Alert: Active Exploitation of SharePoint Server Vulnerabilities

A series of vulnerabilities in Microsoft SharePoint Server on-premises installations, specifically versions prior to 16.0.5508.1000 for SharePoint Server 2016, 16.0.10417.20027 for SharePoint Server 2019, and 16.0.18526.20424 for SharePoint Server Subscription Edition, are currently being actively exploited by attackers.

The ToolShell exploit chain is targeting a deserialization vulnerability (CVE-2025-53770), allowing unauthenticated remote code execution (RCE) and full control over affected systems. A related spoofing flaw, CVE-2025-53771 (CVSS score: 6.3), has also been identified and involves path traversal.

To mitigate this threat, organizations should immediately apply the official Microsoft security updates for supported SharePoint versions (2016, 2019, Subscription Edition) as these fully protect against the vulnerability. If patching cannot be done immediately, isolate or disconnect affected SharePoint servers from the internet to prevent exploitation.

Additional recommended mitigation steps include:

1. Enable and properly configure the Antimalware Scan Interface (AMSI) with Defender Antivirus on all SharePoint servers to detect and block malicious activity. AMSI can prevent unauthenticated exploit attempts.
2. Rotate SharePoint Server ASP.NET machine keys to invalidate any persistence mechanisms the attacker may have implanted.
3. Review logs and use available detection queries or Indicators of Compromise (IoCs) such as suspicious requests to ToolPane.aspx or rogue .aspx files, and promptly remove any malicious web shells or unauthorized artifacts identified.
4. Utilize network segmentation and Web Application Firewall (WAF) rules to block known exploitation paths and isolate SharePoint servers to prevent lateral movement if compromised.
5. Deploy endpoint detection and response (EDR) tools such as Microsoft Defender for Endpoint to detect and investigate activity linked to this vulnerability.

For unsupported versions like SharePoint 2010 or 2013, no patches exist; affected servers should be either upgraded to supported versions or taken offline, with virtual patching via network segmentation applied if continued operation is necessary.

In summary, the critical steps are patching with Microsoft’s official updates, enabling AMSI and Defender Antivirus, isolating vulnerable servers if patching is delayed, monitoring for suspicious activity, and removing any malicious artifacts found. This multi-layered approach will effectively mitigate active CVE-2025-53770 exploitation in on-premises SharePoint environments.

Organizations should assume compromise and act immediately. The attack has compromised at least 75 organizations globally, including U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm. To detect and block post-exploit activity, deploy Microsoft Defender for Endpoint or equivalent solutions.

Microsoft has provided urgent mitigation steps for on-premises SharePoint servers and has released patches for SharePoint Server 2019 and Subscription Edition, with patches for SharePoint Server 2016 still in development. Patches for SharePoint Server 2016 are not yet available; monitor Microsoft’s MSRC blog for updates.

It is strongly recommended to follow Cyber Hygiene Best Practices, including regular patching and key rotation, and to Implement Comprehensive Logging following CISA's Best Practices for Event Logging and Threat Detection. After applying patches or enabling AMSI, rotate SharePoint's ASP.NET machine keys (ValidationKey and DecryptionKey) to invalidate stolen keys. Monitor IIS logs for suspicious POST requests and scan network logs for activity from the identified IPs.

For SharePoint Server Subscription Edition, install KB5002768 (version 16.0.18526.20424). SharePoint Server 2019 should install KB5002754 (version 16.0.10417.20027). Upgrade to supported SharePoint versions (2016, 2019, or Subscription Edition) to ensure patch availability. Engage professional incident response teams to assess compromise scope, as attackers may have established persistent access.

Key IoCs include the presence of spinstall0.aspx in the specified path, exploitation attempts from specific IPs, and POST requests to /_layouts/15/ToolPane.aspx with a referer of /_layouts/SignOut.aspx. Monitor for the presence of spinstall0.aspx using Microsoft 365 Defender queries.

Update Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) to block exploit patterns and anomalous behavior targeting /_layouts/15/ToolPane.aspx. Deploy Microsoft Defender Antivirus in Full Mode for optimal protection across all SharePoint servers.

Sources: [1] Microsoft Security Response Center (MSRC) Blog - Link [2] CISA - Link [3] Microsoft Defender for Cloud - Link [4] Microsoft Defender for Endpoint - Link [5] Microsoft 365 Defender - Link

1. The ongoing exploitation of SharePoint Server vulnerabilities necessitates immediate development of a strategy for cybersecurity reinforcement in cloud-based and network-connected business environments.
2. Support from productivity-focused technology solutions can aid organizations in data management during this critical phase, facilitating efficient decision-making and timely response.
3. Given the web-based nature of these attacks, security measures must extend beyond just the SharePoint servers, encompassing general-news and education-and-self-development platforms to keep abreast of the latest developments in cybersecurity.
4. In the finance industry, investing in cybersecurity and wealth-management services becomes paramount to safeguard personal-finance and business assets from potential theft during this period of heightened risk.
5. As the vulnerabilities affect multiple industries, including universities, energy companies, and telecommunications firms, a united front in cybersecurity efforts is necessary for collective resistance and resilience.
6. In light of the current situation, politics plays a significant role in shaping national and international cybersecurity policies, with policymakers increasingly focusing on data-and-cloud-computing regulations to mitigate the impact of such incidents.
7. Beyond SharePoint, sports organizations such as the NFL, NCAA Football, and even football leagues worldwide should equally fortify their cybersecurity, given the interconnectedness and reliance on technology in modern sports management and administration.
8. To effectively manage the long-term consequences of this cyberattack, organizations must engage in continuous education and self-development to ensure they have the necessary skills to stay ahead of evolving cyber threats in the future.
9. On the other hand, criminals may capitalize on the confusion and chaos caused by this attack to commit various crimes and justice-related offenses, necessitating increased vigilance in the crime-and-justice sector.
10. In the aftermath of this cyber incident, it is essential to closely monitor security trends in the industry, learning from best practices and mistakes made to improve overall cybersecurity posture for the benefit of all organizations.
11. As the situation unfolds, staying informed on industry developments, especially via industry-specific news outlets, will help organizations adapt their strategies and remain resilient in the face of such threats.
12. As more information becomes available, organizations should maintain open communication channels with their network of partners and colleagues to collaborate and share insights, ultimately strengthening the overall defense against cyber threats.
13. It is crucial for organizations to remember that a strong security posture is an ongoing endeavor, requiring constant vigilance, productivity-boosting tools, and the support of industry peers to minimize the potential harm from such critical attacks.

Read also: