microsoft-fix-targets-attacks-on-sharepoint-zero-day


On Sunday, July 20, Microsoft Corp. released an urgent security update for a vulnerability in SharePoint Server that is currently being exploited to breach susceptible organizations. This fix follows reports that malicious actors have leveraged the SharePoint flaw to infiltrate U.S. federal and state agencies, universities, and energy firms.

Microsoft Rolls Out Patch to Combat SharePoint Zero-Day Vulnerabilities

Image: Shutterstock, by Ascannio.

In an advisory concerning the SharePoint security vulnerability, tracked as CVE-2025-53770, Microsoft indicated it is aware of ongoing attacks targeting on-premises SharePoint Server customers and exploiting weaknesses that were only partially mitigated by the July 8, 2025 security update.

The Cybersecurity & Infrastructure Security Agency (CISA) agreed, stating that CVE-2025-53770 is a variant of a flaw that Microsoft addressed earlier this month (CVE-2025-49706). Microsoft specifies that the exposure pertains solely to SharePoint Servers utilized internally by organizations, while SharePoint Online and Microsoft 365 remain unaffected.

The Washington Post reported on Sunday that the U.S. government and its counterparts in Canada and Australia are probing the breach of SharePoint servers, which serve as a platform for document sharing and management. The Post indicates that at least two U.S. federal entities have experienced server breaches due to the SharePoint vulnerability.

CISA reported that attackers exploiting this newly identified weakness are retrofitting compromised servers with a backdoor known as “ToolShell,” which grants unauthorized, remote access to systems. CISA noted that ToolShell allows attackers to gain full visibility into SharePoint content — encompassing file systems and internal configurations — and to execute code across the network.

Researchers at Eye Security stated they first detected large-scale exploitation of the SharePoint flaw on July 18, 2025, and subsequently discovered numerous separate servers compromised by the bug and infected with ToolShell. In a blog post, the researchers explained that the attacks aimed to steal the SharePoint servers' ASP.NET machine keys.

“These keys can facilitate additional attacks, even at a later date,” Eye Security cautioned. “It is imperative that vulnerable servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Merely patching is insufficient. We strongly urge defenders to take immediate action instead of waiting for a vendor fix. This threat is already operational and spreading quickly.”

Microsoft’s advisory mentions that the company has provided updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but is still developing updates for supported versions of SharePoint 2019 and SharePoint 2016.

CISA recommends that vulnerable organizations activate the anti-malware scan interface (AMSI) in SharePoint, deploy Microsoft Defender AV across all SharePoint servers, and isolate affected products from the public Internet until an official patch is released.
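The key-rotation step Eye Security urges above can be scripted against every web application in a farm. The following is an added example for defenders, not code from the article, Microsoft, or Eye Security; it assumes it is run in the SharePoint Management Shell as a farm administrator after the security update has been applied.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys on every
# SharePoint web application in the farm, then restart IIS so the new keys take
# effect. Assumes a farm-administrator session in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration so its keys are rotated as well.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host "Rotating ASP.NET machine key for $($webApp.Url)"
    # Generates new validation/decryption keys and pushes them to the farm servers.
    Update-SPMachineKey -WebApplication $webApp
}

# Restart IIS on this server; repeat on every SharePoint server in the farm,
# since keys captured before rotation remain usable until IIS reloads the config.
iisreset
```

Rotation is a complement to patching, not a substitute: keys already stolen from a compromised server remain valid until they are rotated and IIS is restarted on all SharePoint servers.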

The security firm Rapid7 highlights that Microsoft has characterized CVE-2025-53770 as linked to a previous vulnerability — CVE-2025-49704, patched earlier this month — and that CVE-2025-49704 was part of an exploit chain showcased at the Pwn2Own hacking contest in May 2025. This exploit chain invoked a second SharePoint vulnerability — CVE-2025-49706 — which Microsoft attempted unsuccessfully to patch during this month’s Patch Tuesday.

Microsoft has additionally released a patch for a related SharePoint vulnerability — CVE-2025-53771; the company claims there are no indications of active attacks targeting CVE-2025-53771, and that the patch aims to afford more stringent protections than the update for CVE-2025-49706.

This situation is evolving rapidly. Any updates will be timestamped.


