- Microsoft released emergency patches for two critical zero-day vulnerabilities in SharePoint, CVE-2025-53770 (RCE, CVSS 9.8) and CVE-2025-53771 (spoofing, CVSS 6.3), actively exploited in the wild.
- The vulnerabilities allow attackers to gain full control over on-premises SharePoint servers without authentication, leveraging a sophisticated exploit chain known as 'ToolShell'.
- Active exploitation was first reported on July 19, 2025, with thousands of SharePoint servers worldwide affected, particularly in enterprise environments.
- Organizations must apply the July Patch Tuesday updates immediately to mitigate these vulnerabilities and monitor for any signs of exploitation.
- No specific threat actor attribution has been disclosed, but the scale of exploitation suggests a well-organized campaign targeting vulnerable systems.

Microsoft has issued urgent patches for two critical zero-day vulnerabilities in SharePoint, CVE-2025-53770 and CVE-2025-53771, which are being actively exploited to achieve remote code execution and server takeover. These flaws affect on-premises SharePoint servers, with widespread exploitation reported globally. Organizations must immediately apply the July Patch Tuesday updates to protect against these vulnerabilities and conduct thorough monitoring for signs of compromise. Additionally, security teams should review server configurations and implement strict access controls to mitigate potential risks from ongoing attacks.