Agencies confront imminent deadline for addressing SharePoint security weakness
Critical SharePoint Zero-Day Vulnerability Under Active Exploitation
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-53770 and nicknamed "ToolShell," has been discovered in on-premises versions of Microsoft SharePoint Server. The flaw allows unauthenticated attackers to execute arbitrary code remotely and has been actively exploited since early July 2025.
Impact and Scope
Thousands of compromise attempts have been recorded globally against over 300 organizations, spanning various sectors such as government, telecommunications, software, healthcare, finance, education, and manufacturing. The attack campaign has also leveraged vulnerabilities in Ivanti EPMM software in some instances.
Microsoft released emergency patches around July 20, 2025, but the risk remains high, particularly for on-premises SharePoint servers exposed to the internet. SharePoint Online and Microsoft 365 services are not affected. However, attackers who have already stolen a server's access keys can maintain persistent access even after the patch is applied, which is why patching alone is not sufficient.
Federal Agencies Affected
At least two U.S. federal agencies have reported breaches via this vulnerability. The FBI is actively involved in the response, coordinating with federal government and private sector partners. The vulnerability is under investigation by U.S. government agencies, including CISA and the FBI, and international partners in Canada and Australia.
Recommended Actions
Charles Carmakal, senior vice president of Mandiant, recommends that organizations assume compromise, investigate, and take remediation actions. Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks, urges organizations running on-premises SharePoint to take immediate action, apply all relevant patches, rotate all cryptographic material, and engage professional incident response.
Microsoft advises organizations to use Microsoft Defender or another endpoint detection and response (EDR) capability on their on-premises SharePoint servers. Organizations are also advised to enable and configure the Antimalware Scan Interface (AMSI) integration on those servers. Disconnecting on-premises SharePoint servers from the internet is a temporary measure until a patch is available.
CISA encourages all organizations with on-premises Microsoft SharePoint servers to take the recommended actions immediately. CISA has added the SharePoint vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has confirmed "active exploitation" of the flaw.
Unit 42's telemetry confirms that government entities worldwide have been impacted by the SharePoint vulnerability. CISA, however, has not confirmed whether any federal civilian agencies have been affected.
The federal workforce, including at least two U.S. agencies, is grappling with the consequences of a critical SharePoint zero-day vulnerability (CVE-2025-53770, "ToolShell") that has been actively exploited since early July 2025. To mitigate it, agencies must act immediately: apply the patches, rotate cryptographic material, and engage professional incident response, particularly for on-premises SharePoint servers. Cybersecurity efforts must prioritize tooling such as Microsoft Defender to secure these servers and protect against ongoing attacks.