Unprecedented Flaw in On-Premises SharePoint Version: Info on Exploitation and Mitigation Strategies

Unprecedented Flaw in On-Premises SharePoint Version: Info on Exploitation and Mitigation Strategies

Headline: Urgent Action Required: Global SharePoint Server Hack Affects Thousands, Threatens Critical Data

Thousands of organizations worldwide have been impacted by a sophisticated attack on self-hosted Microsoft SharePoint Server instances, according to recent reports. The attack, known as the ToolShell exploit chain, has compromised at least 75 organizations globally, including U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm.

The ToolShell exploit chain targets on-premises SharePoint Server instances by combining two critical vulnerabilities—CVE-2025-53770 and CVE-2025-53771—to achieve unauthenticated remote code execution (RCE). The attack begins with a specially crafted POST request to the SharePoint endpoint , leveraging insecure deserialization (CVE-2025-53770) and an authentication bypass via path traversal (CVE-2025-53771). This allows threat actors to execute server-side PowerShell commands and deploy a malicious web shell (e.g., ) in the SharePoint layouts directory without valid credentials.

Once the web shell is deployed, attackers exploit it further to extract critical cryptographic secrets from the SharePoint server—specifically the ValidationKey and DecryptionKey. These keys enable the attackers to forge authentication tokens and craft signed payloads indistinguishable from legitimate traffic. This capability grants persistence and full remote code execution, effectively allowing threat actors to regain access even after patching or removal of the initial web shell.

Impact and Scale

Approximately 5% of scanned organizations with SharePoint servers remain vulnerable, particularly those running SharePoint Server 2016, 2019, and Subscription Edition that have not applied emergency patches. The attack has compromised at least 75 organizations globally, with reports of over 400 victims by mid-July 2025.

Mitigations

Immediate application of emergency Microsoft patches (July 2025) for SharePoint Server 2016, 2019, and Subscription Edition is critical to block the vulnerabilities and prevent further exploitation. Earlier July Patch Tuesday fixes were found inadequate, prompting rapid follow-up updates with "more robust protections."

Administrators should also scan for the presence of the malicious web shell (e.g., ) and review logs for suspicious POST requests targeting endpoints or unexpected Referer headers used in bypass attempts.

Since theft of the ValidationKey and DecryptionKey leads to persistent risk, affected organizations should consider rotating these cryptographic keys, which may involve restoring from backups, replacing cryptographic secrets, or re-deploying SharePoint environments if necessary. Patching alone does not guarantee full remediation if attackers accessed these keys prior to patching.

Network-level protections, such as restricting access to SharePoint administrative endpoints via firewall rules and ensuring servers are not exposed directly to the internet, reduce the attack surface. Continuous monitoring for anomalous authentication tokens or unexpected signed payloads since attackers can generate legitimate-seeming requests using stolen keys is also recommended.

Observed Exploitation Attempts

Exploitation attempts have been observed from IPs 107.191.58.76, 104.238.159.149, and 96.9.125.147 (July 17-19, 2025). Microsoft has released patches for SharePoint Server 2019 and Subscription Edition, with SharePoint Server 2016 patches still in development.

The malicious file, , is uploaded to the path . A related spoofing flaw, CVE-2025-53771 (CVSS score: 6.3), involves path traversal and further exacerbates the threat. The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition but does not impact SharePoint Online in Microsoft 365.

The file's SHA256 hash is 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514.

Organizations are urged to take immediate action to secure their SharePoint servers and protect against this global threat.

1. Thousands of organizations are in need of support as they grapple with a significant hack on their self-hosted Microsoft SharePoint Server.
2. The network of impacted organizations spans numerous industries worldwide, including government, education, finance, and energy sectors.
3. Productivity within these organizations may be hampered due to the threatened exposure of critical data.
4. The web-based nature of the attack means that cybersecurity measures need to be tightly secured to prevent further intrusion.
5. Development teams need to expedite the application of emergency patches released by Microsoft to protect against the ToolShell exploit chain.
6. The cybersecurity industry stands at a critical juncture, with the threat requiring immediate attention and investment.
7. Wealth-management firms should particularly be vigilant as high-level data and financial information might be at risk.
8. Businesses and individuals dealing with personal-finance matters should ensure their digital assets are secure to safeguard their investments.
9. Data-and-cloud-computing professionals need to review and enhance their security protocols to protect against similar attacks in the future.
10. The technology landscape must evolve to provide robust protections against sophisticated cyber threats such as the ToolShell exploit chain.
11. To bolster their cybersecurity education and self-development efforts, professionals should focus on understanding the latest trends in the industry.
12. Politicians must prioritize policies that strengthen the country's cybersecurity infrastructure to protect against foreign attacks.
13. The general public should stay informed about the latest general news related to cybersecurity and data breaches to understand the risks involved.
14. Crime-and-justice authorities should collaborate with cybersecurity experts to track down those responsible for these attacks and bring them to justice.
15. Sports enthusiasts, football fans, or NFL spectators who engage in sports betting should exercise caution to prevent their personal and financial information from being compromised.
16. The WNBA, baseball, hockey, golf, and other sports leagues and associations should enhance their cybersecurity measures to protect against potential data breaches.
17. Mixed-martial-arts organizations should take heed of the potential risks associated with high-profile cyberattacks, such as the theft of private information or financial assets.
18. In the realm of basketball, NBA and NCAA basketball teams must work diligently to secure their digital assets, ensuring the protection of their players' and staff's personal information.
19. MLB, NHL, racing, and American football organizations should assess their cybersecurity vulnerabilities to avoid falling victim to similar attacks down the line.
20. Tennis players, coaches, and organizations should implement strong cybersecurity practices to protect their sensitive data from unauthorized access.
21. Sports analysts, auto-racing enthusiasts, and horse-racing aficionados should be mindful of potential risks as cyberattacks can target individuals and events across various sports.
22. News and media outlets should provide thorough sports-analysis and up-to-date cybersecurity reports, informing the public about the latest developments, threats, and safeguards in play.

Read also: