The security update for SharePoint Server 2016 means that patches for ‘all supported versions of SharePoint’ are now available to protect against a pair of widely exploited vulnerabilities, the tech giant says.
On Monday, Microsoft released the final remaining SharePoint Server patch needed to protect against a pair of widely exploited vulnerabilities, which have fueled a global wave of cyberattacks against on-premises SharePoint customers in a campaign known as “ToolShell.”
The release of the security update for SharePoint Server 2016 means that patches for “all supported versions of SharePoint” affected by the flaws are now available, Microsoft said in an update Monday to its customer guidance advisory posted online.
The ToolShell cyberattack campaign involves exploitation of on-premises Microsoft SharePoint Servers using a critical-severity remote code execution vulnerability (tracked as CVE-2025-53770) chained to a spoofing vulnerability (tracked as CVE-2025-53771). Researchers have estimated that at least several hundred organizations globally have been compromised so far, reportedly including U.S. government agencies, educational institutions and organizations that manage critical infrastructure.
On Sunday, Microsoft released emergency patches to address the vulnerabilities in the SharePoint Server Subscription Edition and SharePoint Server 2019, and said it was working on the remaining fixes for SharePoint Server 2016.
The final patch was released shortly before 7 p.m. EDT on Monday, with the release of the security update for Microsoft SharePoint Enterprise Server 2016 (KB5002760), according to a post from the Microsoft Security Response Center on X.com. “Customers should apply these updates immediately to ensure they’re protected,” the post said.
The flaws do not impact SharePoint Online in Microsoft 365, Microsoft has said.
In its customer guidance advisory, Microsoft has also called it “critical” that customers rotate their SharePoint server keys, known as ASP.NET machine keys, in addition to patching.
“If you don’t rotate those keys, even if you patch the server, then that attacker still has access,” said Nick Hyatt, senior threat intelligence analyst at GuidePoint Security, in an interview with CRN Monday.
A researcher at cybersecurity vendor watchTowr, Ryan Dewhurst, said in an email to CRN Monday that the attacks have led to “widespread impact across hundreds of organizations—including those that many would consider ‘incredibly sensitive.’”
“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario,” said Dewhurst, head of proactive threat intelligence at watchTowr, in the email.
China-Based Actor Implicated
Charles Carmakal, CTO at Google Cloud-owned Mandiant Consulting, disclosed earlier Monday that while multiple threat actors have been involved in the compromises so far, indications of involvement originating from China have been observed.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” Carmakal said in a statement provided by email.
“It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” he said in the statement. “We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”
In addition to nation-state attackers, security researchers suggested to CRN Monday that it’s likely that financially motivated threat actors are also seeking to exploit the critical SharePoint vulnerability.