Microsoft on Saturday warned that hackers are exploiting a critical vulnerability in SharePoint, dubbed ToolShell, to launch attacks against on-premises customers.
The vulnerability, tracked as CVE-2025-53770, involves deserialization of untrusted data and is a variant of CVE-2025-49706.
The Cybersecurity and Infrastructure Security Agency (CISA) on Sunday said the vulnerability can allow a malicious adversary to gain full access to SharePoint content, including file systems and internal configurations.
“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” Chris Butera, acting executive assistant director for cybersecurity said in a statement. “Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations.”
The agency urged all organizations with on-premise Microsoft SharePoint servers to rapidly implement mitigations.
Microsoft on Sunday released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771, and urged customers to immediately apply the patches.
Hackers have already breached dozens of vulnerable systems in at least two attack waves, according to researchers at Eye Security, which first disclosed the flaw on Saturday and said they had scanned more than 8,000 SharePoint servers worldwide.
Researchers from watchTowr said exploitation may have begun as early as July 16.
The attacks have compromised at least two federal agencies in the U.S., as well as multiple European government agencies and a U.S. energy company, The Washington Post reported.
The Multi-State Information Sharing and Analysis Center has already notified more than 150 actively targeted state and local government agencies, a spokesperson told Cybersecurity Dive. It said it had detected more than 1,100 vulnerable servers, including some belonging to K-12 school districts and universities.
Google’s Threat Intelligence Group has observed hackers installing Web shells and stealing cryptographic secrets from targeted servers, an executive said on LinkedIn.
Shadowserver on Sunday said it was tracking 9,300 exposed IPs and was working with watchTowr and Eye Security to notify affected customers.
Earlier this month, researchers at Code White GmbH demonstrated ToolShell using a combination of CVE-2025-49706 and CVE-2025-49704.
