SharePoint “ToolShell” Exploit: Guidance for CISOs
What Happened: A critical zero-day (CVE-2025-53770) is being actively exploited in on-premises Microsoft SharePoint Server, enabling unauthenticated remote code execution and theft of the server's ASP.NET machine keys.
Why It Matters: Dozens of government and enterprise organizations have already been breached. The exploit grants full control of the server, and the stolen keys give attackers persistence that survives patching unless the keys are rotated.
What’s Next: This vulnerability does not impact Microsoft 365 or SharePoint Online. Abnormal customers remain protected.
What Happened: Sophisticated Zero-Day Targeting On-Prem SharePoint
A newly discovered vulnerability in Microsoft SharePoint Server (CVE-2025-53770), known as "ToolShell," is being actively exploited to compromise vulnerable on-premises environments. The flaw stems from unsafe deserialization reachable through the ToolPane.aspx endpoint, allowing attackers to execute arbitrary code without authentication.
Once exploited, attackers deploy web shells, steal the cryptographic machine keys (the ASP.NET ValidationKey and DecryptionKey) from the server, and use those keys to forge signed ViewState payloads, which gives them code execution on the host long after the original flaw is patched. The vulnerability is a bypass of the fix for the pair of SharePoint bugs (CVE-2025-49704 and CVE-2025-49706) addressed in the July Patch Tuesday release; that attackers defeated the original fix within days signals a high level of sophistication.
This is not the average spray-and-pray attack. The exploitation is precise, persistent, and highly strategic, reminiscent of Hafnium's 2021 campaign against on-prem Exchange Server and Midnight Blizzard's intrusions into Microsoft corporate email.
Why It Matters: Widespread Breach Activity and Cloud Confusion
Confirmed intrusions span U.S. federal and state agencies, universities, energy firms, and telecommunications providers. In some cases, attackers stole sensitive documents or wiped public repositories entirely. The scale and speed of exploitation indicate likely nation-state involvement and well-coordinated objectives.
Critically, many organizations still rely on hybrid infrastructure. While SharePoint Online (Microsoft 365) is not vulnerable, many enterprises and governments continue to operate on-prem SharePoint servers for compliance, control, or legacy integration. Those systems are now high-risk.
This has led to understandable confusion at the executive level. Many stakeholders simply hear “SharePoint breach” and assume Microsoft 365 is involved. Security leaders must be prepared to provide clarity and assurance.
What’s Next: Action Steps and Abnormal Coverage
Patch Immediately and Assess Exposure
Apply Microsoft's emergency updates to all affected on-prem SharePoint servers (SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016).
Identify any systems still running unpatched versions, or versions that are out of support and will not receive a fix (SharePoint 2013 and earlier), and isolate them from the internet until they are patched or retired.
Revoke Persistence Mechanisms
After patching, rotate the ASP.NET machine keys on every SharePoint web application and restart IIS on every server in the farm; rotating before patching is pointless, because the attacker can simply steal the new keys. Also revoke any certificates and sessions that may have been exposed on the compromised host.
Treat patching alone as insufficient. A server that was reachable and unpatched while the exploit was in the wild should be assumed compromised until a forensic review says otherwise, and the stolen keys remain valid until they are rotated.
Harden External Access and Network Controls
Remove public access to SharePoint servers, or restrict it behind a VPN, reverse proxy, or zero trust access broker, so that ToolPane.aspx and the rest of the _layouts endpoints are not reachable from the internet.
Deploy WAF rules that alert on, or block, requests matching known exploit patterns, in particular unauthenticated POST requests to ToolPane.aspx.
Conduct Threat Hunting and Forensic Review
Search for indicators of compromise: .aspx files newly written into the SharePoint LAYOUTS directory, POST requests to ToolPane.aspx in the IIS logs, ViewState-related errors or requests carrying payloads signed with the old keys, and suspicious logins from the SharePoint service account.
Enable AMSI integration in Full Mode and run Microsoft Defender Antivirus (or your EDR) on every SharePoint server, then use those logs to detect web shells or post-exploitation activity such as w3wp.exe spawning cmd.exe or powershell.exe.
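The four action steps above, carried out on a single SharePoint server, as an added example; this script is not Abnormal's or Microsoft's code. It assumes it is run elevated in a SharePoint Management Shell on a farm server, that IIS logs and the LAYOUTS folder are at their product-default paths, and that the 24-hour lookback and the parameter names are arbitrary choices made here. Hunting runs read-only; key rotation is behind an explicit switch because it invalidates every outstanding ViewState and session and must be followed by an IIS restart on every server in the farm.

```powershell
<#
  Added example (not Abnormal's or Microsoft's code): triage one on-prem
  SharePoint server for the ToolShell chain and, optionally, rotate the
  ASP.NET machine keys that the attackers are known to steal.
  Assumptions: elevated SharePoint Management Shell; default IIS log path and
  LAYOUTS path; the lookback window and parameter names are arbitrary.
#>
param(
    [int]$LookbackHours = 24,
    [string]$IisLogRoot = "$env:SystemDrive\inetpub\logs\LogFiles",
    [switch]$RotateKeys
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Record the farm build so it can be compared with the fixed build listed in
#    Microsoft's advisory for CVE-2025-53770 (no build number is hard-coded here).
"Farm build: $((Get-SPFarm).BuildVersion)"

# 2. Hunt for web shells: .aspx files written recently into the LAYOUTS folder,
#    which is where a dropped shell becomes reachable under /_layouts/.
#    Any unexpected hit is an incident, not a finding.
$layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Filter *.aspx -Recurse -File |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

# 3. Hunt in the IIS W3C logs for POST requests to ToolPane.aspx, the endpoint the
#    exploit chain abuses. Legitimate page edits also go through it, so review the
#    client IP, user agent and Referer instead of treating every row as malicious.
$hits = foreach ($log in Get-ChildItem $IisLogRoot -Filter *.log -Recurse -File |
                 Where-Object { $_.LastWriteTime -ge $since }) {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        # The '#Fields:' header defines the column order for the lines that follow.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -like '*/ToolPane.aspx') {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                UserAgent = $row['cs(User-Agent)']
                Referer   = $row['cs(Referer)']
                Status    = $row['sc-status']
                Log       = $log.Name
            }
        }
    }
}
$hits | Format-Table -AutoSize

# 4. Rotate the machine keys. Do this only after the patch is installed, for every
#    web application, then restart IIS on every farm server. Until the keys change,
#    a stolen ValidationKey still lets the attacker forge signed ViewState payloads.
if ($RotateKeys) {
    foreach ($wa in Get-SPWebApplication) {
        "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    & iisreset.exe
}
```

Run it once without the switch on each server to collect the build number, file hits and log hits; run it with -RotateKeys only after the update is confirmed installed, and repeat the iisreset on every other server in the farm so all of them pick up the new keys.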
Abnormal Customers Are Protected
This vulnerability does not impact Microsoft 365 or SharePoint Online. Abnormal customers using Microsoft 365 remain unaffected. Note that a SharePoint Server instance you run yourself on a cloud VM is still an on-prem deployment for this purpose and is still vulnerable.
However, Abnormal understands the broader risk: attackers may use compromised SharePoint servers to conduct phishing, lateral movement, or credential abuse. Our platform is already tuned to detect behavioral anomalies, compromised identities, and suspicious collaboration activity that could originate from these attacks.
Abnormal continues to monitor this threat and will respond to any spillover campaigns or signals observed in Microsoft 365 environments. If you’re an Abnormal customer, your collaboration layer remains under active protection.
See the current CISA advisory for additional information.
For even more insights into the threat landscape and predictions for where it’s headed, download our report, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.