The Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a newly identified remote code execution (RCE) vulnerability affecting on-premise Microsoft SharePoint servers. The vulnerability, cataloged as CVE-2025-53770, is a variant of the previously known CVE-2025-49706 and presents significant risks to organizations by enabling unauthorized access.
Microsoft SharePoint hit by widespread zero-day attacks and issues guidance on vulnerability (CVE-2025-53770)
Publicly referred to as “ToolShell,” this exploitation technique grants unauthenticated actors full access to SharePoint systems, including file structures, internal configurations, and the ability to execute code remotely across networks. While assessments of its full scope and impact are ongoing, security officials urge immediate attention to mitigate potential damages.
Recommended actions from CISA
To reduce the risk associated with CVE-2025-53770, CISA recommends organizations take the following steps:
- Configure the Antimalware Scan Interface (AMSI) in SharePoint and ensure Microsoft Defender Antivirus is deployed across all SharePoint servers.
- For organizations unable to enable AMSI, disconnect affected public-facing products from the internet until official mitigations are released. Apply any forthcoming mitigations as instructed by CISA and Microsoft.
- Follow applicable Binding Operational Directive (BOD) 22-01 guidelines for cloud services or discontinue product use if no mitigations are available.
- Refer to Microsoft’s published Customer Guidance for SharePoint Vulnerability and the advisory for CVE-2025-49706 for detailed detection, prevention, and threat-hunting information.
- Monitor for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
- Conduct scans for the following IP addresses, with particular attention to traffic between July 18–19, 2025:
- 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147.
- Update intrusion prevention systems (IPS) and web application firewall (WAF) rules to block known exploit patterns and anomalous activities. CISA provides further details in its Guidance on SIEM and SOAR Implementation.
- Implement comprehensive logging strategies to aid in identifying exploitation activities. More information is available in CISA’s Best Practices for Event Logging and Threat Detection.
- Review and reduce unnecessary layout and administrative privileges.
CVE-2025-53770 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. Additional insights are available through reports by Eye Security and Palo Alto Networks Unit42.