Microsoft has sounded the alarm over ongoing cyberattacks targeting its SharePoint server software, warning that systems across government agencies, banks, hospitals, and universities are now exposed to severe compromise.
The company confirmed that attackers are exploiting a flaw tracked as CVE-2025-53770, a zero-day deserialization vulnerability in on-premises SharePoint Server rated 9.8 out of 10 (CVSS). In simple terms, attackers don't need passwords or insider access: an unauthenticated request over the network is enough to run code on the server.
The attack chain, which security researchers have labelled "ToolShell," is alarmingly effective. Because it begins with an authentication bypass, identity protections such as multi-factor authentication (MFA) and single sign-on (SSO) never come into play: the attacker never logs in, so there is nothing for those controls to check.
Researchers at Eye Security, who first reported the campaign, counted at least 85 breached servers across 29 organisations globally. Affected entities span sensitive sectors: government agencies, financial institutions, hospitals, and universities.
In a direct message to affected customers, Microsoft said: “We’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response.”
Here's how the attack works. After bypassing authentication, the attackers plant a malicious ASPX file (the reported name is 'spinstall0.aspx', with a zero) in the SharePoint LAYOUTS directory. Rather than a conventional web shell, this file reads the server's ASP.NET machine key configuration (the ValidationKey and DecryptionKey) and hands it back to the attacker. With those keys, the attacker can sign and encrypt arbitrary __VIEWSTATE payloads that the server will deserialize, which means remote code execution without ever authenticating.
The result is total control of the compromised system, and a persistent one: the stolen keys remain valid even after the server is patched, so the attacker keeps code execution until the keys are rotated. From there they can embed backdoors for long-term access and deploy further malware undetected.
For those unaware, SharePoint Server is widely used by corporations and governments to share documents internally. Microsoft's cloud-based SharePoint Online is not affected, but the on-premises products, SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, are exposed.
In plain terms, Microsoft is telling organisations: patch your servers now or risk being hijacked.
The company has issued emergency security updates for all three supported on-premises versions and strongly advises enabling the Antimalware Scan Interface (AMSI) integration (in Full Mode where the server supports it) alongside Defender Antivirus. If enabling AMSI is not possible, Microsoft recommends disconnecting servers from the internet entirely until the patches are applied.
Additionally, Microsoft recommends rotating the ASP.NET machine keys after patching and then restarting IIS. This step matters: patching closes the entry point, but an attacker who has already dumped the keys can keep forging signed requests until the keys are changed.
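The following PowerShell script is an added example, not code from Microsoft or from this article, and it covers both the attack description and the mitigation steps above. It turns the two public indicators (an unauthenticated ToolPane.aspx edit request carrying a SignOut.aspx Referer, and any request for the dropped spinstall0.aspx file) into a hunt over IIS W3C logs, checks the SharePoint LAYOUTS folder for the web shell, and, when run with -RotateKeys, rotates the machine keys with the SharePoint Management Shell cmdlet Update-SPMachineKey and restarts IIS. Assumptions are the default IIS log root and SharePoint hive paths, that variant shell names share the "spinstall" stem, and that the emergency update has already been installed; the sample log lines are constructed, not a real capture.

```powershell
<#
Added example (not Microsoft's code). Run in an elevated SharePoint Management Shell
on each SharePoint server AFTER the security update is installed.
Assumptions: default IIS log root, default hive path, Update-SPMachineKey cmdlet available,
web-shell variants named spinstall<digits>.aspx.
#>
param(
    [string[]] $IisLogRoot = @('C:\inetpub\logs\LogFiles'),   # assumption: default IIS log location
    [switch]   $RotateKeys
)

# Indicators drawn from the public description of the chain.
$ToolPaneStem = '(?i)/_layouts/1[56]/ToolPane\.aspx$'
$SignOutRef   = '(?i)/_layouts/(1[56]/)?SignOut\.aspx'
$WebShellStem = '(?i)/spinstall\d*\.aspx$'   # spinstall0.aspx plus assumed numbered variants

function Find-ToolShellRequests {
    # Parses IIS W3C extended log lines using the #Fields: header, so column order does not matter.
    param([Parameter(Mandatory)][string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $reason = $null
        if ($rec['cs-uri-stem'] -match $ToolPaneStem -and
            $rec['cs-uri-query'] -match '(?i)DisplayMode=Edit' -and
            $rec['cs(Referer)'] -match $SignOutRef) {
            $reason = 'ToolPane.aspx edit request with SignOut.aspx referer (auth-bypass pattern)'
        } elseif ($rec['cs-uri-stem'] -match $WebShellStem) {
            $reason = 'request for spinstall web shell'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIP = $rec['c-ip']
                Method   = $rec['cs-method']
                Uri      = $rec['cs-uri-stem']
                Status   = $rec['sc-status']
                Reason   = $reason
            }
        }
    }
}

# Constructed sample log (not a real capture) so the hunt can be exercised offline.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 21:11:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 21:11:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 21:12:40 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CONTOSO\alice 10.0.4.22 Mozilla/5.0 - 200
'@

Write-Host '== Sample log hunt (expect the first two lines to be flagged) =='
Find-ToolShellRequests -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

Write-Host '== Live IIS logs =='
Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    ForEach-Object { Find-ToolShellRequests -Lines (Get-Content -Path $_.FullName) } |
    Format-Table -AutoSize

# The shell was dropped into the LAYOUTS folder of the SharePoint hive (15 or 16).
Write-Host '== LAYOUTS web shell check =='
$LayoutsGlob = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\1*\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $LayoutsGlob -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length

if ($RotateKeys) {
    # Stolen ValidationKey/DecryptionKey values stay valid after patching; rotate them per web application.
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    & iisreset.exe   # restart IIS so the new keys take effect
}
```

Run the script without -RotateKeys first to triage; a hit on either indicator, or a spinstall*.aspx file in LAYOUTS, means the keys must be treated as stolen regardless of patch level, and the key rotation plus IIS restart should follow the update on every server in the farm.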
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated its response, adding CVE-2025-53770 to its Known Exploited Vulnerabilities catalogue. U.S. federal agencies have been ordered to patch their servers by July 21, 2025.
The FBI acknowledged the attacks in a brief statement on Sunday, saying it is “aware of the attacks and is working closely with its federal and private-sector partners,” but declined to provide further details.
What makes this episode more worrying is the history of the exploit. The ToolShell chain was first demonstrated at the Pwn2Own Berlin 2025 contest in May, combining an authentication bypass (CVE-2025-49706) with a deserialization flaw (CVE-2025-49704), and Microsoft patched both in its July 2025 Patch Tuesday release. CVE-2025-53770, together with a companion spoofing bug, CVE-2025-53771, bypasses those fixes, so servers that had applied the July 8 updates were still exploitable when the in-the-wild attacks began.
For organisations yet to patch, the advice is to isolate your servers or risk a full-scale breach.
Cybersecurity professionals globally now face a race against time to close the security gaps before more damage is done.