Microsoft Warns of Widespread Cyberattack Targeting SharePoint Server Software

Tuesday, Jul 22, 2025 9:44 am ET

Microsoft has warned of widespread cyberattacks targeting its SharePoint server software, used by government agencies and businesses to share documents. The company has issued a security patch and urged customers to install it to mitigate the attacks. The attacks are targeting on-premises servers, and Microsoft is advising customers to apply the patch as soon as possible.

The vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, were disclosed by Microsoft on July 20, 2025. CVE-2025-53770 allows for remote code execution by exploiting a deserialization flaw in on-premises versions of SharePoint Server, while CVE-2025-53771 involves a spoofing vulnerability [1]. These flaws have been linked to a larger exploit chain, referred to as ToolShell, which has been patched as part of the company's July 2025 Patch Tuesday update [2].

Microsoft has acknowledged that these vulnerabilities have been actively exploited, with at least 54 organizations, including banks, universities, and government entities, already compromised. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 21, 2025 [3]. Palo Alto Networks Unit 42 has classified the threat as high-severity and high-urgency, urging organizations to apply the necessary patches immediately [1].

To mitigate potential attacks, Microsoft recommends using supported versions of on-premises SharePoint Server, applying the latest security updates, ensuring the Antimalware Scan Interface (AMSI) is turned on and enabled in Full Mode, deploying Microsoft Defender for Endpoint protection, and rotating SharePoint Server ASP.NET machine keys [1]. The company also advises customers to unplug their SharePoint servers from the internet until a patch is available, as a false sense of security could result in prolonged exposure and widespread compromise [1].

The development comes as federal cybersecurity authorities, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security, are working closely with Microsoft to address the issue. The FBI has confirmed it is aware of the attacks and is coordinating with federal and private sector partners [2].

References:
[1] https://thehackernews.com/2025/07/microsoft-releases-urgent-patch-for.html
[2] https://dallasexpress.com/business-markets/microsoft-warns-of-cyberattacks-exploiting-sharepoint-server-flaw/
[3] https://www.uctoday.com/unified-communications/microsoft-sharepoint-servers-under-attack-key-takeaways-to-stay-secure/
