"We’re witnessing an urgent and active threat" — Microsoft SharePoint "ToolShell" vulnerability is being attacked globally

Global attacks forced Microsoft to push emergency updates to address vulnerabilities. Two zero-day vulnerabilities are at the center of attacks against United States federal and state agencies, universities, and energy companies. An Asian telecommunications company was also attacked.

The Washington Post reported on the attacks, which were first discovered on July 18, 2025 by Eye Security. It has since been determined by cyber security company Check Point that the first signs of exploitation were on July 7, 2025.

Microsoft has since released emergency patches for the vulnerabilities, though they are limited to select versions of SharePoint.

The term "zero-day" attack refers to when a previously unknown vulnerability is targeted. Tens of thousands of servers are said to be at risk.

While the issue is serious, it differs from several previous vulnerabilities related to Microsoft. The attack only affects on-premises servers; cloud-based servers are unaffected.

The vulnerabilities, labeled CVE-2025-53770 and CVE-2025-53771, are discussed in detail in a Microsoft Defender Vulnerability Management blog post.

That same post also discussed issues labeled CVE‑2025‑49704 and CVE‑2025‑49706, which were fixed with the July 8, 2025 updates from Microsoft. Those vulnerabilities can still, however, be exploited if an attacker uses the newly discovered exploits.

The out-of-band security updates are for Microsoft SharePoint Server 2019 and Microsoft SharePoint Subscription Edition. A patch has not been released for Microsoft SharePoint Enterprise Server 2016 as of the time of publication.

What is ToolShell?

ToolShell is the nickname for the attacks targeting the vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771. Those vulnerabilities are under "active exploitation," according to Check Point.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, discussed the situation:

“We’re witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk. Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7. We strongly urge enterprises to update their security systems immediately — this campaign is both sophisticated and fast-moving.”

Check Point recommends organizations take the following steps to reduce risk:

• Ensure that your Anti-Malware Scan Interface is enabled.
• Rotate SharePoint Server ASP.NET machine keys.
• Deploy Harmony Endpoint to block post-exploit activities on the server.
• If applicable, limit access to the SharePoint Server from the Internet using Private Access tools.
• Update Quantum Gateway IPS Package 635254838 and ensure that the protection is set to Prevent and inspect the traffic of your SharePoint servers.

Microsoft recommends several steps for mitigation, including applying patches immediately where updates exist. The company also suggests enabling Antimalware Scan Interface (AMSI), rotating MachineKey twice, temporarily removing public exposure, hunting for indicators, and isolating suspected hosts.