
Microsoft Issues Emergency Alert Over Critical SharePoint Vulnerability
Microsoft has issued an urgent alert to businesses and government agencies warning of active cyberattacks targeting a critical zero-day vulnerability in on-premises SharePoint Server, dubbed “ToolShell” and tracked as CVE-2025-53770 with a high CVSS score of 9.8.
Attackers are currently exploiting this flaw to install webshells and exfiltrate cryptographic secrets, granting them persistent and unauthenticated access to affected servers. The company has confirmed that “SharePoint Online” services hosted in the Microsoft 365 cloud are not impacted. While Microsoft works on a security patch, customers are strongly advised to apply mitigation instructions immediately and, if protection cannot be enabled, to disconnect at-risk servers from the internet to limit exposure.
Authorities and Security Partners Mobilize as Exploits Surge
The FBI has acknowledged ongoing attacks linked to this vulnerability and is working with federal and private-sector partners to counter the threat.
Microsoft’s alert highlights that tens of thousands of servers could be at risk, with dozens of systems already confirmed as compromised in attacks occurring between July 18 and July 19. Reports note that these attacks are part of a “zero-day” campaign, meaning attackers exploited the flaw before patches or even public awareness existed.
Immediate Action Recommended, Broader Security Updates Released
In addition to the “ToolShell” flaw, Microsoft disclosed a related SharePoint vulnerability (CVE-2025-53771) involving network spoofing, which allows authorized attackers to masquerade as trusted entities.
Security updates addressing these and closely related issues have been released; all users are urged to deploy them immediately. Experts emphasize the risk: the vulnerabilities enable attackers not only to execute code remotely but also to hide their identities and launch further attacks on internal networks. Organizations unable to update at this time are advised to disconnect vulnerable SharePoint servers until fixes are fully in place.