Five Things To Know On Microsoft SharePoint Server ‘ToolShell’ Attacks

CRN by CRN
July 21, 2025


Security experts are urging organizations with on-premises SharePoint Servers to deploy emergency patches amid attacks that have reportedly led to compromises worldwide.

Security experts are urging organizations with on-premises Microsoft SharePoint Servers to deploy emergency patches amid widespread cyberattacks that have reportedly compromised numerous companies and government agencies globally.

The ongoing cyberattack campaign—known as “ToolShell”—is exploiting a pair of vulnerabilities that impact on-premises SharePoint Servers. Microsoft has made patches available for some of the affected versions of SharePoint Server, but not all impacted versions have available patches as of this writing.

[Related: Microsoft Patches ‘Wormable’ Critical Flaw, Discloses ‘Whopping’ Number Of Bug Fixes]

In a customer guidance advisory, Microsoft said it “is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities,” which are tracked at CVE-2025-53770 and CVE-2025-53771.

What follows are five things to know on the Microsoft SharePoint Server “ToolShell” attacks.

Available Patches

Microsoft has released emergency patches to address the vulnerabilities in the SharePoint Server Subscription Edition and SharePoint Server 2019.

“Customers should apply these updates immediately to ensure they’re protected,” Microsoft said in its customer guidance advisory.

However, as of this writing, patches were not yet available for Microsoft SharePoint Server 2016. The company said in the advisory that it is working on the SharePoint Server 2016 fixes.

The flaws only affect on-premises SharePoint Servers and do not impact SharePoint Online in Microsoft 365, Microsoft noted.

‘Widespread Impact’

Security researchers have indicated that the attacks have claimed a large number of victims so far.

Researchers at cybersecurity vendor watchTowr are “seeing widespread impact across hundreds of organizations—including those that many would consider ‘incredibly sensitive,’” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr, in an email statement Monday.

Those include government organizations and educational institutions, as well as organizations that manage critical infrastructure, he said.

Notably, exploitation has been “indiscriminate”—even from a geographic perspective—and attacks have been underway since at least July 17, Dewhurst said in the email statement. The U.S., Germany, France and Australia are “currently bearing the brunt of exploitation activity,” he said in the statement.

The attacks are believed to have compromised victims including U.S. federal government agencies as well as state agencies, universities and corporations, according to a report from The Washington Post.

In response to an email from CRN seeking further comment Monday, Microsoft referred to the customer guidance advisory posted online.

‘Assume Compromise’

Threat researchers say that organizations with on-premises SharePoint Servers exposed to the internet should assume they are compromised.

In an email statement provided to CRN, Michael Sikorski, CTO and head of threat intelligence at Palo Alto Networks’ Unit 42, described the attacks as a “high-impact, ongoing threat campaign.”

“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat,” Sikorski said in the statement.

The comment was echoed by watchTowr CEO Benjamin Harris, who said in an email statement that “if an affected SharePoint instance is exposed to the internet, it should be treated as compromised until proven otherwise.”

Unauthenticated Access

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that exploitation of the remote code execution vulnerability tracked at CVE-2025-53770 has been “enabling unauthorized access to on-premise SharePoint servers” for threat actors.

The exploitation activity “provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” CISA said in the advisory.

Unit 42’s Sikorski said that after bypassing identity controls to gain access to SharePoint servers, attackers are “exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys.”

Additionally, “what makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker,” Sikorski said in the email statement.

Patch Now

Ultimately, “this is a high-severity, high-urgency threat,” Sikorski said in the statement. “We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response.”

For SharePoint Servers that do not currently have available patches, a “band-aid fix” would be to unplug the SharePoint Servers from the internet until fixes are released, he said.

In its advisory, CISA recommended a series of actions to reduce risks from the threat, including configuring the Antimalware Scan Interface capability in SharePoint and deploying Microsoft Defender antivirus on SharePoint servers.

If Antimalware Scan Interface cannot be enabled, “disconnect affected products from service that are public-facing on the internet until official mitigations are available,” CISA said in the advisory.
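As an added illustration of the checks behind that guidance (this is not code from the CRN article, Microsoft or CISA), the following read-only PowerShell script, run in the SharePoint Management Shell on an on-premises server, reports the farm build so it can be compared with the patched build from Microsoft's advisory, whether Microsoft Defender is running with current signatures, whether an AMSI provider is registered on the host, and which web applications are published on public URLs. The patched build number is not in the article and is left as a labelled placeholder; the SharePoint-side AMSI toggle in Central Administration is not read by the script.

```powershell
# Added example, not part of the original article or of any vendor guidance.
# Run as a farm administrator in the SharePoint Management Shell. Read-only.
$report = [ordered]@{}

# 1. Farm build. Compare against the patched build from Microsoft's advisory.
#    PLACEHOLDER: the article gives no build numbers; fill this in from the advisory.
$PatchedBuild = [version]'0.0.0.0'
$farm = Get-SPFarm
$report['FarmBuild']          = $farm.BuildVersion
$report['FarmAtOrAbovePatch'] = ($farm.BuildVersion -ge $PatchedBuild)

# 2. Microsoft Defender state (Get-MpComputerStatus ships with the Defender module).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['DefenderServiceEnabled'] = $mp.AMServiceEnabled
    $report['RealTimeProtection']     = $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']       = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
} catch {
    $report['DefenderServiceEnabled'] = $false
    $report['DefenderError']          = $_.Exception.Message
}

# 3. AMSI providers registered on the host. Defender registers itself under this key;
#    an empty list means no engine would answer AMSI scan requests from SharePoint.
#    (The SharePoint-side AMSI setting itself lives in Central Administration under
#    Security > Manage web farm security and is not read here.)
$amsiKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$report['AmsiProviders'] = if (Test-Path $amsiKey) { (Get-ChildItem $amsiKey).PSChildName } else { @() }

# 4. Web applications and their public URLs, so the team can see which endpoints
#    would have to come off the internet if AMSI cannot be enabled.
$report['WebApplications'] = Get-SPWebApplication -IncludeCentralAdministration |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.DisplayName
            PublicUrl = $_.Url
        }
    }

[pscustomobject]$report | Format-List
```

The script deliberately changes nothing: patching, key rotation and taking servers offline are decisions for the incident response process the article describes, and the output is meant to feed that process rather than replace it.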


