A critical zero-day vulnerability in Microsoft SharePoint Server is being actively exploited by attackers to gain unauthorized access to on-premises servers, according to a July 20 alert from the US Cybersecurity and Infrastructure Security Agency (CISA). The flaw, tracked as CVE-2025-53770, allows unauthenticated remote code execution: an attacker who can reach the server over the network can bypass authentication, read internal files and run arbitrary code on it.

“This exploitation activity… provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations,” CISA stated, adding that the attack pattern has been publicly referred to as “ToolShell.”

Microsoft acknowledged the issue in a July 19 advisory, confirming “active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.” The company emphasized that “SharePoint Online in Microsoft 365 is not impacted.”

While no attacker group has claimed responsibility, the campaign is believed to have started around July 18. Eye Security reported “active large-scale exploitation” and said it discovered “dozens of systems actively compromised.” Palo Alto Networks’ Unit 42 warned that the flaws “allow unauthenticated attackers to access restricted functionality.”

CISA said the vulnerability is a variant of the previously disclosed CVE-2025-49706 and has been added to its Known Exploited Vulnerabilities catalog. Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA, noted that “the scope and impact continue to be assessed,” but the vulnerability “poses a risk to organizations with on-premise SharePoint servers.”

Microsoft has since released full security updates for SharePoint Subscription Edition and SharePoint Server 2019, urging customers to patch immediately. “Customers should apply these updates immediately to ensure they’re protected,” the company said in its guidance. Patching alone does not evict an attacker who is already in: Microsoft’s guidance also tells customers to rotate the SharePoint server ASP.NET machine keys after installing the update, because keys stolen before the patch would otherwise remain valid. The FBI confirmed it is “aware of the matter, and we are working closely with our federal government and private sector partners.”

CISA has recommended that organizations enable AMSI integration for SharePoint, take public-facing SharePoint servers off direct internet exposure until they are patched, and monitor for suspicious behavior, including POST requests to ToolPane.aspx paths (normally found under /_layouts/15/ or /_layouts/16/) and activity linked to specific IPs named in the alert. Organizations have also been advised to audit administrative privileges and expand event logging so that signs of compromise can be detected and reconstructed.
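The ToolPane.aspx indicator above is easiest to check against the IIS W3C logs that every on-premises SharePoint front end already writes. The following script is an added example written for this page, not code from CISA, Microsoft or any of the vendors quoted; it parses the `#Fields:` header so the column order does not have to be hard-coded, flags every POST whose URI stem ends in ToolPane.aspx (case-insensitively, under any layouts path), and marks hits where IIS recorded no authenticated user, since the alert describes the access as unauthenticated. The log excerpt embedded in the script is constructed sample data, not real telemetry, and the IP addresses in it are documentation ranges, not indicators from the alert.

```python
"""Scan IIS W3C logs for POST requests to SharePoint's ToolPane.aspx.

Added example for this article; it is not the project's or any vendor's code.
Usage: python toolpane_scan.py [u_ex250719.log ...]
With no arguments it runs over the constructed sample log below.
"""
import re
import sys
from typing import Dict, Iterable, List

# Constructed IIS W3C excerpt (not real telemetry). It contains one benign GET,
# one authenticated POST to an ordinary layouts page, and two POSTs to
# ToolPane.aspx, one of them with no authenticated user (cs-username = "-").
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 02:15:10
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:15:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-19 02:15:12 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 350
2025-07-19 02:16:40 10.0.0.5 POST /_layouts/15/settings.aspx - 443 CORP\\bob 10.0.0.22 Mozilla/5.0 - 200 0 0 90
2025-07-19 02:17:03 10.0.0.5 POST /_layouts/16/toolpane.aspx - 443 CORP\\bob 10.0.0.22 Mozilla/5.0 - 200 0 0 210
"""

# Match the page name regardless of case or which /_layouts/<n>/ prefix is used.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log lines into dicts keyed by the #Fields names.

    IIS writes one space-separated record per line and encodes spaces inside
    a field as '+', so splitting on a single space is safe. Lines seen before
    a #Fields header, or with the wrong column count, are skipped.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_toolpane_posts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every POST to ToolPane.aspx, flagging unauthenticated ones."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not TOOLPANE_RE.search(rec.get("cs-uri-stem", "")):
            continue
        user = rec.get("cs-username", "-")
        hits.append({
            "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
            "client_ip": rec.get("c-ip", "-"),
            "user": user,
            "uri": rec["cs-uri-stem"],
            "query": rec.get("cs-uri-query", "-"),
            "status": rec.get("sc-status", "-"),
            # IIS logs "-" when the request carried no authenticated identity.
            "unauthenticated": user == "-",
        })
    return hits


def main(argv: List[str]) -> int:
    if argv:
        lines: List[str] = []
        for path in argv:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh.readlines())
    else:
        lines = SAMPLE_IIS_LOG.splitlines()
    hits = find_toolpane_posts(lines)
    for hit in hits:
        flag = "UNAUTHENTICATED" if hit["unauthenticated"] else "authenticated"
        print(f"{hit['time']} {hit['client_ip']} {hit['user']} "
              f"POST {hit['uri']} {hit['status']} [{flag}]")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A hit is a lead, not a verdict: administrators editing web parts do legitimately POST to ToolPane.aspx, so the authenticated hit from CORP\bob above would need review against change records, while the anonymous POST from an external address is the pattern the alert describes and should trigger the logging and privilege-audit steps CISA lists. The script exits non-zero when anything matched so it can sit in a scheduled job.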