
Microsoft issues emergency patch for SharePoint vulnerability
The Microsoft SharePoint vulnerability only impacts on-premises SharePoint Server customers, who should apply the emergency patch as soon as possible to mitigate risk.
Microsoft has released an emergency patch for a critical SharePoint vulnerability, known as ToolShell, that is being actively exploited. The zero-day vulnerability only affects on-premises SharePoint servers and does not impact SharePoint Online.
The HHS Administration for Strategic Preparedness and Response, or ASPR, released an urgent advisory encouraging healthcare organizations to apply the patch as soon as possible.
The vulnerability, tracked as CVE-2025-53770, is a variant of a previously disclosed vulnerability, CVE-2025-49706.
"Unlike typical SharePoint exploits which require compromised credentials or insider access, ToolShell significantly lowers the barrier to entry for cybercriminals targeting enterprise networks," ASPR stated.
"This authentication bypass vulnerability requires no credentials and allows attackers to circumvent security controls and access protected APIs by simply manipulating HTTP headers."
Researchers at Eye Security first observed cyberthreat actors exploiting the remote code execution vulnerability on the night of July 18, 2025. The researchers scanned more than 8,000 SharePoint servers worldwide and discovered dozens of actively compromised systems.
"Our goal of scanning was clear: determine if the exploit was isolated or systemic. The answer came quickly and decisively: it was systemic," Eye Security stated. "Within hours, we identified dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access."
Eye Security is working with other firms to identify victims, which include universities, federal and state agencies and organizations in other sectors. Due to the widespread nature of this vulnerability, all organizations with on-premises SharePoint servers should apply the patch, rotate machine keys and follow Microsoft's guidance.
"HHS recommends that all Healthcare and Public Health (HPH) sector partners review these vulnerabilities, search internal systems for indicators of compromise, and apply the appropriate mitigations," ASPR stated.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.