
Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)

Nate Hall, Riley Stauffer, Will Gadzinski
July 22, 2025

CISA is tracking active exploitation of CVE-2025-53770, a new remote code execution vulnerability affecting on-premise SharePoint servers. This variant of CVE-2025-49706—publicly known as “ToolShell”—allows unauthenticated attackers to access SharePoint content and internal configurations and to execute code remotely. Organizations should assess their exposure and take action.


Who is affected: Organizations running on-premise Microsoft SharePoint servers—especially those not fully patched or lacking network segmentation—are at high risk. This includes:

  • Enterprises with internal SharePoint collaboration portals

  • Government agencies using on-premise deployments for sensitive documentation

  • Healthcare, legal, and financial sectors, where internal document management is critical

  • SMBs that self-host SharePoint without dedicated patch management


Why it matters: The “ToolShell” exploit (CVE-2025-53770) allows unauthenticated remote code execution, which means attackers don’t need credentials to access SharePoint, steal data, or move laterally across your environment.


CISA recommends the following actions to reduce the risks associated with the exploitation of vulnerable SharePoint servers:


  • Isolate any potentially affected systems and review them for indicators of compromise. 

  • Install the latest security patches available, including any emergency patches released in response to CVE-2025-53770. At the time of writing, emergency patches are available for:

    • Microsoft SharePoint Server Subscription Edition - patched in build 16.0.18526.20508 (KB5002768)

    • Microsoft SharePoint Server 2019 - patched in build 16.0.10417.20037 (KB5002754)

    • Microsoft SharePoint Server 2016 - patched in build 16.0.5513.1001 (KB5002760)

  • Review IIS logs for suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which indicate potential CVE-2025-53770 exploitation.

  • Review available logging for the presence of the IPs 107.191.58[.]76, 104.238.159[.]149, or 96.9.125[.]147, particularly between July 18-19, 2025.

  • Update intrusion prevention system and web application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.

  • Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
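As an added illustration (not part of the Pondurance advisory or the CISA guidance), the following Python script runs the two log-review checks above over exported IIS W3C logs: POST requests to ToolPane.aspx with DisplayMode=Edit, and requests from the three listed IP addresses, flagged separately when they fall inside the July 18-19, 2025 window. The sample log and the unlisted address 203.0.113.9 are constructed for the example.

```python
"""Triage exported IIS W3C logs for the two CVE-2025-53770 indicators in the advisory."""
from datetime import date
from typing import Iterable, Iterator

# Indicators from the advisory (defanging brackets removed so they compare cleanly).
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
TOOLPANE_QUERY = "displaymode=edit"
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
WINDOW_START, WINDOW_END = date(2025, 7, 18), date(2025, 7, 19)

# Constructed sample in IIS W3C extended format; not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 09:12:41 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.4.22 Mozilla/5.0 200
2025-07-18 22:03:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 01:44:09 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 - 104.238.159.149 Mozilla/5.0 401
2025-07-21 14:00:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 200
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per entry, naming columns from the most recent #Fields directive."""
    fields: list = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows rather than misalign columns
                yield dict(zip(fields, values))


def triage(lines: Iterable[str]) -> list:
    """Return entries matching either indicator, each tagged with the reason(s)."""
    findings = []
    for rec in parse_w3c(lines):
        reasons = []
        if (rec.get("cs-method") == "POST"
                and rec.get("cs-uri-stem", "").lower().endswith(TOOLPANE_STEM)
                and TOOLPANE_QUERY in rec.get("cs-uri-query", "").lower()):
            reasons.append("toolpane-post")
        if rec.get("c-ip") in KNOWN_IPS:
            in_window = WINDOW_START <= date.fromisoformat(rec["date"]) <= WINDOW_END
            reasons.append("known-ip-in-window" if in_window else "known-ip")
        if reasons:
            findings.append({"date": rec["date"], "time": rec["time"],
                             "c-ip": rec.get("c-ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

A hit on the ToolPane pattern from an unlisted address (the fourth sample row) still warrants forensic review; the IP list is a starting point, not a complete set of attacker infrastructure.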


Immediate Next Steps: Proactive & Reactive

Patch Immediately

Ensure all SharePoint servers are updated with the latest security patches from Microsoft addressing CVE-2025-53770 and its variant CVE-2025-49706.


Review SharePoint Systems for IOCs

Perform a forensic review of any potentially affected systems to determine if they have been compromised through the vulnerability. Take remediation steps as appropriate, including engaging SIRP if IOCs are detected.


Rotate SharePoint Machine Keys

Pondurance has observed exploitation activity targeting SharePoint machine keys, which would allow continued access to the SharePoint environment after patching. Organizations should proactively rotate their SharePoint machine keys.


Restrict Network Access

Limit SharePoint server access to internal networks or through VPN only. Avoid exposing them directly to the internet.


Monitor for IOCs

Look for signs of ToolShell activity, such as unexpected PowerShell execution, new services, or suspicious outbound traffic from SharePoint servers.


Implement EDR/XDR

Deploy Endpoint Detection & Response tools on SharePoint servers to monitor for any signs of lateral movement or post-exploitation activity.


Review Logs & Configurations

Audit access logs, service accounts, and privileges to ensure compliance with relevant regulations and the security of sensitive information. Look for anomalies and disable unnecessary features or services.


Pondurance Protective Actions Taken (MDR Service):

  • Pondurance has added IPs known to have engaged in the exploitation of this vulnerability to our Blocklist for clients who subscribe to it. If you are not currently subscribed to it and are interested, please reach out to us via Scope for assistance.

  • Pondurance has also developed process- and HTTP-based detections for identifying exploitation attempts, including ones that may have succeeded, and post-exploitation behavior related to this vulnerability, for clients who send us those logs.

  • Pondurance has also deployed endpoint detections to SentinelOne for our managed clients on the Complete tier, as well as to CrowdStrike for our managed clients.

Authors:

Nate Hall

Nate Hall is a senior cybersecurity executive with over a decade of experience specializing in Digital Forensics and Incident Response (DFIR), serving clients across insurance, private equity, and Fortune 100 sectors. He has a proven track record of driving revenue growth, scaling incident response programs, and building high-performing technical teams equipped to handle complex and high-stakes cyber events. Trusted by legal counsel, insurers, and enterprise executives alike, Nate excels at advising stakeholders through crises while ensuring alignment between cybersecurity initiatives and broader business objectives. His expertise encompasses risk management, compliance, governance, and the development of robust security strategies that protect critical organizational assets.


Riley Stauffer

Riley Stauffer is a Principal Incident Response Consultant with over 12 years of experience in cybersecurity. The first six years of his career were spent serving in the United States Navy, where he operated as a Network Intelligence Analyst supporting both the National Security Agency (NSA) and United States Cyber Command. During that time, he was assigned to a Cyber Protection Team focused on defending critical Department of Defense (DoD) networks. Over the past six years, Riley has led and executed a wide range of Digital Forensics and Incident Response (DFIR) engagements, including nation-state intrusions, ransomware attacks, business email compromises, insider threats, and complex network intrusions.



Will Gadzinski

Will Gadzinski is the Director of the Pondurance Digital Forensics and Incident Response team, where he has led numerous investigations into ransomware incidents, data theft, extortion, and more. From spending the majority of his career in the Aerospace sector, Will is familiar with the unique balance that an organization must achieve to preserve operational mission requirements while maintaining confidence in their security posture. In his previous role as a Security Analyst, Will led incident response and forensics on some of the most notable cyber events in recent times at NASA’s Langley Research Center. Will has a Bachelor of Science in Intelligence Analysis from James Madison University.

