Microsoft is urging organizations to rotate machine keys for on-premises SharePoint Servers impacted by widely exploited critical vulnerabilities — an indicator that attackers are stealing the keys to enable further cyberattacks, according to security researchers.
The zero-day vulnerabilities have been exploited as part of the “ToolShell” cyberattack campaign, an ongoing wave of attacks targeting organizations that use on-premises SharePoint Servers. Researchers have estimated that at least several hundred organizations have been compromised so far, reportedly including U.S. government agencies, educational institutions and organizations that manage critical infrastructure.
Microsoft has made patches available for some of the affected versions of SharePoint Server, but not all impacted versions have available patches as of this writing.
At the same time, it’s clear that deploying patches is just one part of what organizations will need to do to protect themselves from attacks — with key rotation being another essential step, security experts told CRN.
“This is not a situation where you patch and you’re done,” GuidePoint Security’s Nick Hyatt said in an interview with CRN Monday.
In its customer guidance advisory posted online, Microsoft called it “critical” that customers rotate their SharePoint server keys, known as ASP.NET machine keys, in addition to patching.
“If you don’t rotate those keys, even if you patch the server, then that attacker still has access,” said Hyatt, senior threat intelligence analyst at Herndon, Va.-based GuidePoint, No. 37 on CRN’s Solution Provider 500 for 2025. “An important takeaway here is, this is a case where patching is not enough.”
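The rotation step Microsoft describes, as an added example that is not from the article or from Microsoft's advisory text: a PowerShell script for a patched SharePoint Server 2019 or Subscription Edition farm that generates new ASP.NET machine keys for every web application and then recycles IIS so the new keys take effect. It assumes the farm exposes the Update-SPMachineKey cmdlet (present in those versions) and that it is run from an elevated session on one server in the farm.

```powershell
# Added example (not the article's or Microsoft's own code): rotate ASP.NET machine
# keys for all SharePoint web applications after the security update is installed.
# Assumes SharePoint Server 2019 or Subscription Edition, where Update-SPMachineKey
# is available, and an elevated PowerShell session on a farm server.

# Load the SharePoint snap-in when running from a plain PowerShell console
# rather than the SharePoint Management Shell.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Enumerate every web application, including Central Administration, so no
# application keeps a key an attacker may already hold.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host ("Rotating machine keys for {0} ({1})" -f $webApp.DisplayName, $webApp.Url)
    # Generates a fresh validation/decryption key pair for this web application
    # and propagates the updated configuration to the servers in the farm.
    Update-SPMachineKey -WebApplication $webApp
}

# Recycle IIS on this server so running worker processes drop the old keys;
# repeat the reset on each SharePoint server in the farm.
iisreset.exe
```

Rotating the keys invalidates anything signed or encrypted with the old ones, so users may be prompted to sign in again; that is the expected effect and is what removes an attacker's ability to keep using a stolen key after the patch is applied.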
In addition to enabling an attacker to maintain access to an environment, stolen machine keys could also potentially provide a way for threat actors to access other Microsoft applications and services, experts said.
“My great concern is that this tool chain allows an attacker to not only get a foothold on that local machine [but also] to move around,” said Trey Ford, CISO for the Americas at crowdsourced cybersecurity platform Bugcrowd.
“SharePoint is a trusted service, and Microsoft services are tightly integrated,” Ford told CRN. “That machine has a trusted identity, and has access to data and other systems, depending on how you’ve architected your relationships and your roles.”
As a result, it’s “entirely possible” that an attacker could gain access to data in other Microsoft services using stolen SharePoint Server keys, he said.
In other words, “when Microsoft says, ‘Update that key’ — do it,” Ford said.
On-Prem Persistence
The “ToolShell” cyberattack campaign involves exploitation of a pair of vulnerabilities (tracked at CVE-2025-53770 and CVE-2025-53771) that impact on-premises Microsoft SharePoint Servers.
While a large portion of organizations have moved to SharePoint Online in Microsoft 365 — which is not affected by the vulnerabilities — many government agencies and companies continue to use on-premises SharePoint Servers either out of necessity or perhaps without even realizing it, experts told CRN.
For instance, some companies involved in critical infrastructure may be unable to use a cloud version of SharePoint out of concerns such as the risk of downtime, Ford said.
“A lot of organizations, for a variety of reasons, cannot use the cloud. A lot of verticals don’t operate in the cloud as a standard,” he said. “So if you think oil and gas, or any of your energy sectors, a lot of your healthcare — the idea of their services going offline does not work.”
In other cases, a company may lack visibility into legacy on-premises SharePoint Servers that became a part of its IT infrastructure through M&A, Hyatt said.
“Maybe there’s an on-prem SharePoint Server that nobody uses anymore, but it perhaps got exposed to the internet, and you haven’t done an audit of your external-facing systems,” he said. “And now there’s an exposed SharePoint Server that was last used five or six years ago, but nobody knows about it.”
‘Widespread Impact’
A researcher at cybersecurity vendor watchTowr, Ryan Dewhurst, said in an email to CRN Monday that the attacks have led to “widespread impact across hundreds of organizations—including those that many would consider ‘incredibly sensitive.’”
“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario,” said Dewhurst, head of proactive threat intelligence at watchTowr, in the email.
In response to an email from CRN seeking comment Monday, Microsoft referred to its customer guidance advisory posted online.
Microsoft has released emergency patches to address the vulnerabilities in the SharePoint Server Subscription Edition and SharePoint Server 2019.
As of this writing, patches were not yet available for Microsoft SharePoint Server 2016. The company said in the customer guidance advisory that it is working on the SharePoint Server 2016 fixes.