Microsoft Issues Critical Updates for SharePoint Servers at Risk from “ToolShell”



Quick Overview

  • Microsoft has issued critical patches for SharePoint Servers at risk from “ToolShell”.
  • The issues, CVE-2025-53370 and CVE-2025-53771, involve deserialization and spoofing vulnerabilities.
  • Patches are available for SharePoint Server Subscription Edition and SharePoint Server 2019.
  • Currently, there are no patches for SharePoint 2016 Server.
  • Administrators should implement the latest patches, activate AMSI, and change ASP.NET machine keys.
  • A scan by ShadowServer Foundation reveals 323 Internet-accessible SharePoint Servers in Australia.
  • Dutch security firm Eye has alerted about contemporary zero-day chains that do not require authentication.

Microsoft’s Crucial Security Action

In a significant effort to enhance cybersecurity, Microsoft has deployed urgent patches for two at-risk editions of its on-premises SharePoint Server, addressing severe issues that are currently being exploited by malicious actors. These vulnerabilities, referred to collectively as “ToolShell”, have generated substantial concern among IT professionals globally, especially in Australia.

Examining the ToolShell Vulnerability

The vulnerabilities, CVE-2025-53370 and CVE-2025-53771, pertain to serious deserialization and spoofing flaws that are being leveraged in remote code execution attacks. These security weaknesses enable attackers to run arbitrary code on compromised servers, representing significant risks for organizations that depend on SharePoint for collaboration.

Available Patches and Mitigation Tactics

Microsoft has made patches available for SharePoint Server Subscription Edition and SharePoint Server 2019. However, patches for SharePoint 2016 Server are presently unavailable, leaving certain organizations potentially vulnerable. Microsoft recommends that administrators utilize supported SharePoint versions and promptly apply the latest security updates.

Further mitigation steps include enabling the Antimalware Scan Interface (AMSI) with a suitable antivirus program and implementing endpoint protection strategies. Additionally, administrators should rotate the ASP.NET machine keys for SharePoint Server, either manually using PowerShell scripts or via Central Administration.
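The three mitigation steps above (confirm the patch level, confirm AMSI has a working antivirus behind it, rotate the ASP.NET machine keys) can be walked through from the SharePoint Management Shell. The script below is an added example written for this article; it is not code from Microsoft or from the article's author. It assumes the Microsoft.SharePoint.PowerShell snap-in (Subscription Edition or 2019), Microsoft Defender as the AMSI provider (so Get-MpComputerStatus is available), and the Update-SPMachineKey cmdlet on the patched build. The $ExpectedBuild value is a placeholder: take the post-update build number for your edition from Microsoft's release notes.

```powershell
# Added example (not Microsoft's or the article's code): read-only checks for patch level
# and AMSI readiness, plus an opt-in machine-key rotation. Run in an elevated SharePoint
# Management Shell (Windows PowerShell 5.1) on a farm server.
# Assumptions: Microsoft.SharePoint.PowerShell snap-in present, Defender is the AMSI
# provider, Update-SPMachineKey exists on the patched build.

param(
    # PLACEHOLDER: the post-patch farm build for your edition, from the update's release notes.
    [version]$ExpectedBuild = [version]'0.0.0.0',
    # Rotation invalidates existing ViewState and forms-auth tokens, so it is opt-in here.
    [switch]$RotateKeys
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Patch level: compare the farm's build against the expected post-update build.
$farm    = Get-SPFarm
$build   = $farm.BuildVersion
$patched = $build -ge $ExpectedBuild
Write-Host ("Farm build {0}; expected >= {1}; patched: {2}" -f $build, $ExpectedBuild, $patched)
if (-not $patched) { Write-Warning "Farm build is below the expected patched build; apply the security update first." }

# 2. AMSI readiness: AMSI only helps if an antivirus engine is registered and running.
#    With Defender as the provider, Get-MpComputerStatus reports the engine state.
$mp        = Get-MpComputerStatus
$amsiReady = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AMServiceEnabled
Write-Host ("Defender AV: {0}; real-time protection: {1}; AM service: {2}" -f
    $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $mp.AMServiceEnabled)
if (-not $amsiReady) {
    Write-Warning "Defender is not fully active; AMSI has no engine to hand requests to until it is."
}

# 3. Machine keys: enumerate every web application (Central Administration included) and
#    rotate only when -RotateKeys was passed. Reset IIS afterwards so the new keys take effect;
#    repeat the reset on every SharePoint server in the farm.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host ("Web application: {0} ({1})" -f $wa.DisplayName, $wa.Url)
    if ($RotateKeys) {
        Update-SPMachineKey -WebApplication $wa
        Write-Host "  machine keys rotated"
    }
}
if ($RotateKeys) {
    iisreset.exe
}
```

Run it once without -RotateKeys to review the patch level and AMSI state, and a second time with -RotateKeys during a maintenance window, since rotation logs out users holding tokens signed with the old keys.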

Widespread and Local Consequences

A scan conducted by the ShadowServer Foundation shows that the majority of SharePoint installations are located in the United States and Europe. In Australia, there are 323 Internet-visible SharePoint Servers, with 10 identified in New Zealand. While the scan does not specify the versions at risk, the information highlights the global scale of this security issue.

Professional Analysis and Comparisons

The Dutch security firm Eye has pointed out the parallels between the current vulnerabilities and those exploited in 2021. However, the latest exploits are more sophisticated, forming a modern zero-day chain that installs a shell automatically, achieves full persistence, and requires no authentication. Eye Security warns that malicious payloads could be embedded and accepted as trusted input, completing the remote code execution loop without the need for credentials.

Conclusion

Microsoft’s urgent patches for SharePoint Servers target critical vulnerabilities that could have far-reaching effects if not addressed promptly. With the possibility of severe data breaches and operational disruptions, organizations must act quickly to implement these patches and enhance their cybersecurity stance. As the threat landscape evolves, maintaining vigilance and proactive approaches is crucial for protecting digital assets.

Questions & Answers

Q: What vulnerabilities do the patches address?

A: The patches fix CVE-2025-53370 and CVE-2025-53771, related to deserialization and spoofing vulnerabilities.

Q: Which versions of SharePoint have received patches?

A: Patches are accessible for SharePoint Server Subscription Edition and SharePoint Server 2019. There are no patches yet for SharePoint 2016 Server.

Q: What further actions should administrators take beyond applying patches?

A: Administrators should enable AMSI with an appropriate antivirus solution, implement endpoint protection, and rotate ASP.NET machine keys.

Q: How prevalent is the issue in Australia?

A: A scan has revealed 323 Internet-visible SharePoint Servers in Australia, representing a considerable presence and potential threat.

Q: Are these vulnerabilities akin to previous ones?

A: Yes, they bear similarities to exploits from 2021 but now create a more sophisticated zero-day chain without requiring authentication.

Q: What is Eye Security’s role in this context?

A: Eye Security has performed scans and provided insights regarding the current vulnerabilities, emphasizing the urgency for immediate action.

Posted by David Leane

David Leane is a Sydney-based Editor and audio engineer.
