[German]Does anyone in the readership operate a SharePoint server that is accessible via the Internet? If so, the house may be on fire. Since yesterday, I have been receiving information that SharePoint servers have been attacked via 0-day exploits since July 18, 2025. This blog post will be updated – we have now the first patches.
Advertising
A note from a reader from 19.7.
A blog reader informed me on Saturday, July 19, 2025 via a private message on Facebook about attacks on on-premise SharePoint servers.
Sophos has detected attacks on SharePoint instances via the ToolShell exploit since July 18, 2025. The exploit uses CVE-2025-49704 and CVE-2025-49706 and became public at Pwn2Own in Berlin in May 2025. Code White GmbH already announced in this tweet on July 14, 2025 that this exploit chain could be traced.
But these vulnerabilities, which are being massively attacked according to the above report, are not the real problem. Microsoft has already released security updates for these vulnerabilities on July 8, 2025. This vulnerability has therefore been eliminated from patched SharePoint servers. I didn't pick up on this promptly, but wanted to analyze it later.
Also Unit42 reported in a tweet, that an active global exploitation of the critical Microsoft SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 has been observed.
Attacks via vulnerability CVE-2025-53770
Reports are now flooding the Internet that attacks on SharePoint are being carried out via the vulnerability CVE-2025-53770 (a variant of CVE-2025-49706, mentioned above). This is a problem in the deserialization of untrusted data in local Microsoft SharePoint servers. This allows an unauthorized attacker to execute code over a network.
Advertising
WatchTower has published a warning on X and writes that there are attacks via CVE-2025-53770 on SharePoint servers:
A SharePoint zero-day (CVE-2025-53770) is currently being actively exploited, with attackers stealing MachineKey secrets to forge __VIEWSTATE and maintain RCE. There is no patch.
If you expose SharePoint to the internet, assume a security breach.
However, there is still no patch for the vulnerability. Microsoft is currently preparing a comprehensive update to fix this vulnerability and is still testing it. A description including information on mitigation can be found under CVE-2025-53770.
Customers who have enabled the AMSI integration feature and use Microsoft Defender across their SharePoint Server farm(s) are protected from this vulnerability
So the AMSI integration and Microsoft Defender are supposed to provide protection. In this blog post, Eye Research describes the ToolShell attack via the vulnerability.
Updates for some SharePoint Server versions
Addendum: Microsoft has has now released security updates for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019. Microsoft SharePoint Server 2016 is currently still missing, as you can check here.
Advertising
