Microsoft has issued an urgent alert regarding “active attacks” targeting its SharePoint server software, commonly used by government agencies and businesses for internal document sharing.
The company strongly recommends that customers immediately apply security updates to protect their systems.
Security researchers are sounding the alarm about a critical zero-day vulnerability (CVE-2025-53770), known as “ToolShell,” affecting Microsoft’s on-premises SharePoint servers.
This flaw specifically impacts on-premises versions of SharePoint Server 2016, 2019, and the Subscription Edition, which are used for document sharing.
The US tech giant has not confirmed which specific governments or businesses have been affected. However, it indicated that active attacks have compromised servers across various sectors.
Since 2023, Microsoft has been an official cloud partner to the Kenyan government, helping power critical services.
SharePoint’s flaw has had a global effect, with the Washington Post claiming that those attacked include European government agencies, a Brazilian university, a local government agency in Albuquerque, and an Asian telecommunications company.
Additionally, state officials in Arizona are reportedly collaborating with local and tribal entities to assess their exposure and share relevant information.
The FBI stated it’s aware of the attacks and is cooperating with its federal and private-sector partners. No additional information was offered.
SharePoint’s deep integration with other Microsoft services like Office, Teams, OneDrive, and Outlook means it holds a wealth of information that is valuable to attackers. A compromise of SharePoint effectively opens a gateway to the entire network.
SharePoint Online Not Affected
Microsoft confirmed active exploitation of the vulnerability on July 19 and has issued interim guidance as it works on a permanent fix. In a guidance notice, the company wrote,
“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
It further added, “Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.”
Attackers are circumventing identity controls, including Multi-Factor Authentication (MFA) and Single Sign-On (SSO), to achieve privileged access. They are exploiting this vulnerability to deploy a malicious ASPX payload called “spinstall0.aspx.”
This payload extracts cryptographic machine keys from SharePoint. Once attackers have these keys, they can forge valid ViewState tokens, allowing them to maintain persistent access to the servers, even after security patches are applied.
According to Microsoft, SharePoint Online in Microsoft 365, the cloud-based version, remains unaffected by these attacks.
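For defenders checking their own servers, the following Python script is an added example, not code from Microsoft or from the original article: it scans IIS W3C-format logs for requests to the “spinstall0.aspx” payload named above. The sample log lines, directory names and client addresses are constructed for illustration. Because the payload exists to extract machine keys, a served request means those keys should be treated as exposed even if the server has since been patched.

```python
# Added example: find requests for spinstall0.aspx in IIS W3C extended logs.
PAYLOAD = "spinstall0.aspx"  # payload file name given in the article

# Constructed sample log: documentation-range addresses, made-up directories.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-19 03:12:44 198.51.100.7 GET /sites/team/Home.aspx 200
2025-07-19 03:12:51 203.0.113.25 GET /example-dir/SpInstall0.aspx 200
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:13:02 GET /example-dir/spinstall0.aspx - 203.0.113.25 404
2025-07-19 03:13:09 GET /sites/team/spinstall0.aspx.bak - 198.51.100.7 404
"""

def find_payload_requests(lines, payload=PAYLOAD):
    """Return one dict per request whose URI stem ends in the payload name."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # IIS rewrites this header when logging settings change, so the
            # column order can differ within a single file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        # IIS paths are case-insensitive; compare only the last path segment.
        if stem.rsplit("/", 1)[-1].lower() == payload:
            hits.append({
                "when": f"{row.get('date', '?')} {row.get('time', '?')}",
                "client": row.get("c-ip", "?"),
                "stem": stem,
                "status": row.get("sc-status", "?"),
            })
    return hits

def served_hits(hits):
    """Requests answered with HTTP 200, i.e. the server returned the page."""
    return [h for h in hits if h["status"] == "200"]

if __name__ == "__main__":
    found = find_payload_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["when"], h["client"], h["status"], h["stem"])
    print("served:", len(served_hits(found)))
```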




























