Microsoft SharePoint Servers Targeted in Widespread Cyberattack; Microsoft 365 Unaffected
A significant cyberattack is actively exploiting a newly discovered vulnerability in Microsoft SharePoint servers, leading to breaches in U.S. federal agencies and international partners. The Washington Post reported on Sunday that the U.S. government, along with Canada and Australia, is investigating the hack, which targets SharePoint’s document sharing and management capabilities. At least two U.S. federal agencies have confirmed their SharePoint servers were compromised.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a backdoor, dubbed “ToolShell,” being installed on compromised servers. This backdoor grants attackers unauthenticated, remote access, allowing them to steal SharePoint content, access file systems and internal configurations, and execute code remotely.
Researchers at Eye Security first observed large-scale exploitation of the SharePoint flaw on July 18, 2025. They discovered dozens of compromised servers infected with ToolShell, noting that the attacks aimed to steal SharePoint server ASP.NET machine keys. “These keys can be used to facilitate further attacks, even at a later date,” Eye Security warned. They strongly advise affected organizations to rotate these keys and restart IIS on all SharePoint servers, emphasizing that patching alone is insufficient and immediate action is crucial due to the threat’s rapid spread.
Microsoft has released updates for SharePoint Server Subscription Edition and SharePoint Server 2019. However, the company is still developing patches for supported versions of SharePoint 2019 and SharePoint 2016.
CISA recommends that vulnerable organizations enable the Antimalware Scan Interface (AMSI) in SharePoint, deploy Microsoft Defender AV on all SharePoint servers, and disconnect affected products from the public internet until official patches are available.
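An added example (not from the article, Eye Security, or Microsoft) of auditing the key rotation advised above: it fingerprints the `<machineKey>` element of each server's web.config before and after rotation and flags servers whose keys did not change, which is the case patching alone leaves behind. The server names, key values, and the per-server web.config snapshots are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET


def key_fingerprint(web_config_xml):
    """SHA-256 over the <machineKey> key attributes; None if the element is absent."""
    node = ET.fromstring(web_config_xml).find(".//machineKey")
    if node is None:
        return None
    material = "|".join(node.get(attr, "") for attr in ("validationKey", "decryptionKey"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def audit_rotation(before, after):
    """Map each server to 'rotated', 'unchanged', or 'no-key'.

    before/after: {server_name: web.config text} captured pre- and post-rotation.
    Only fingerprints are compared, so the report never contains key material.
    """
    report = {}
    for server, old_xml in before.items():
        old_fp = key_fingerprint(old_xml)
        new_fp = key_fingerprint(after[server]) if server in after else None
        if new_fp is None:
            report[server] = "no-key"      # snapshot missing or no explicit key
        elif new_fp == old_fp:
            report[server] = "unchanged"   # stolen keys would still be valid here
        else:
            report[server] = "rotated"
    return report


def config(validation, decryption):
    # Constructed sample web.config fragment; key values are placeholders.
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
        'validation="HMACSHA256" decryption="AES" />'
        "</system.web></configuration>"
    )


# Constructed inventory: WFE02 was patched but its keys were never rotated.
BEFORE = {"WFE01": config("AAAA", "BBBB"), "WFE02": config("AAAA", "BBBB")}
AFTER = {"WFE01": config("CCCC", "DDDD"), "WFE02": config("AAAA", "BBBB")}

if __name__ == "__main__":
    for server, status in sorted(audit_rotation(BEFORE, AFTER).items()):
        print(f"{server}: {status}")
```
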
Security firm Rapid7 notes that Microsoft has linked the current vulnerability, CVE-2025-53770, to a previously patched flaw, CVE-2025-49704. CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025, which also involved another SharePoint weakness, CVE-2025-49706. Microsoft had attempted to fix CVE-2025-49706 in its previous Patch Tuesday update but was unsuccessful.
Microsoft has also issued a patch for a related SharePoint vulnerability, CVE-2025-53771. While there are no reports of active attacks on CVE-2025-53771, Microsoft states the patch offers more robust protection than the update for CVE-2025-49706.
This is a developing story. Updates will be provided as they become available.