Critical SharePoint Zero-Day Under Widespread Attack

Discovered: July 14th, 2025


Impacted Tech: Microsoft SharePoint Server on-premises deployments (SharePoint Server 2016, 2019 and Subscription Edition). Security updates are available for 2019 and Subscription Edition; the 2016 patch is pending. SharePoint Online (Microsoft 365) is not affected.


Summary:

A critical unauthenticated remote code execution (RCE) vulnerability chain, referred to as “ToolShell”, is being actively exploited in the wild. The chain combines CVE‑2025‑49706 (an authentication bypass) with CVE‑2025‑49704 (code execution); the variant exploited in the wild, which bypasses Microsoft's July patches for those two CVEs, is tracked as CVE‑2025‑53770 (the subject of the Microsoft guidance linked below). A successful attacker executes arbitrary code inside the SharePoint web application process without any credentials, and attackers have been observed extracting the server's ASP.NET machine keys, which let them keep forging validly signed requests even after the server is patched. Because SharePoint shares credentials and integration points with other Microsoft services, the impact is not limited to SharePoint: connected services such as OneDrive, Outlook, and Teams may also be reachable from a compromised server.


Verify Exposure:
These vulnerabilities apply to on-premises SharePoint Server only; SharePoint Online in Microsoft 365 is not affected.

The risk is critical for internet-exposed SharePoint servers, i.e. systems directly reachable from outside the network perimeter. Because the exploit is unauthenticated and was in use before patches were available, patching alone does not establish that an exposed server is clean: investigate such servers for signs of compromise before trusting them again.

Interim Mitigation Measures:

  • Run only supported versions of on-premises MS SharePoint Server (2016, 2019, Subscription Edition); upgrade anything older.
  • Download and apply the latest security updates for SharePoint 2019 and Subscription Edition. SharePoint 2016 remains unpatched: until a fix is released, take affected systems offline or block access from outside the network with network controls.
  • Enable AMSI integration in SharePoint and run Microsoft Defender Antivirus on every SharePoint server; if AMSI cannot be enabled, disconnect the server from the internet until it is patched. Deploy MS Defender for Endpoint for detection and response.
  • After the security update is installed, rotate the SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers. Rotating before patching does not help, since an attacker can extract the new keys the same way; rotating after patching invalidates any keys already stolen.
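The mitigation steps above as a script, added here as an example; it is not part of the original advisory or of Microsoft's guidance text. Run from an elevated SharePoint Management Shell on one server in the farm, it identifies which product line the farm is running, refuses to proceed on SharePoint 2016 (no patch) or on a farm the operator has not marked as patched, and otherwise rotates the machine keys of every web application and restarts IIS farm-wide. Get-SPFarm, Get-SPServer, Get-SPWebApplication and Update-SPMachineKey are Microsoft's SharePoint cmdlets; the build-number ranges used to tell 2016, 2019 and Subscription Edition apart are an assumption drawn from each product's initial release build and should be checked against your patch notes; the `-Patched` switch is a hypothetical input the operator sets after installing the update; and the IIS restart assumes PowerShell remoting is enabled between farm servers. AMSI is enabled from Central Administration and is not automated here.

```powershell
# Added example: post-patch hardening for an on-premises SharePoint farm.
# Run from an elevated SharePoint Management Shell on one server in the farm.
# -Patched is a hypothetical switch the operator passes only after the
# security update has been installed on every server (assumption).
param([switch]$Patched)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Map the farm build number to a product line. The ranges are an assumption
# based on each product's initial release build (2016 starts at 16.0.4xxx,
# 2019 at 16.0.10xxx, Subscription Edition at 16.0.14xxx); verify them against
# the build listed in the security update you applied.
function Get-SPProductLine {
    $v = (Get-SPFarm).BuildVersion
    if ($v.Major -ne 16) { return "Unsupported ($v)" }
    if ($v.Build -lt 10000) { return "SharePoint Server 2016" }
    if ($v.Build -lt 14000) { return "SharePoint Server 2019" }
    return "SharePoint Server Subscription Edition"
}

$product = Get-SPProductLine
Write-Host "Farm product: $product, build $((Get-SPFarm).BuildVersion)"

if ($product -eq "SharePoint Server 2016") {
    Write-Warning "No security update is available for 2016 yet: take the server offline or block external access at the network edge. Key rotation alone does not mitigate the vulnerability."
    return
}

if (-not $Patched) {
    Write-Warning "Install the security update on every server first. Rotating keys on an unpatched server is pointless because the attacker can simply extract the new keys."
    return
}

# Rotate the ASP.NET machine keys for every web application, including
# Central Administration. Stolen ValidationKey/DecryptionKey values let an
# attacker forge signed __VIEWSTATE payloads; rotation invalidates them.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine keys for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# Restart IIS on every SharePoint server in the farm so worker processes
# load the new keys. Servers with role 'Invalid' (e.g. the SQL host) are
# not SharePoint servers and are skipped.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
    Write-Host "Restarting IIS on $($_.Address)"
    Invoke-Command -ComputerName $_.Address -ScriptBlock { iisreset.exe }
}
```

Run it once per farm, not per server: the key rotation is a farm-level change stored in the configuration database, while the IIS restart must reach every front end, which is why the last step iterates over Get-SPServer rather than restarting only the local host.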


Urgency: This unauthenticated RCE chain is being actively exploited and poses a high risk to externally facing SharePoint servers. Successful compromise may result in complete takeover of SharePoint and extended access to connected Microsoft services.

Additional Resources:
Microsoft Blog – Customer guidance for SharePoint vulnerability CVE-2025-53770
Bleeping Computer – Microsoft SharePoint zero-day exploited in RCE attacks, no patch available
TechCrunch – New zero-day bug in Microsoft SharePoint under widespread attack
