Microsoft Warns of Active Zero-Day Attacks Targeting SharePoint Servers
https://techeconomy.ng/microsoft-warns-of-active-zero-day-attacks-targeting-sharepoint-server/
Mon, 21 Jul 2025 08:53:23 +0000

Microsoft has sounded the alarm over ongoing cyberattacks targeting its SharePoint server software, warning that systems across government agencies, banks, hospitals, and universities are now exposed to severe compromise.

The company confirmed that hackers are exploiting a flaw tracked as CVE-2025-53770—a zero-day vulnerability rated 9.8 out of 10 in severity. In simple terms, attackers don’t need passwords or insider access; they can remotely take over servers using this flaw.

The attack chain, which security researchers have labelled “ToolShell,” is alarmingly effective. It enables cybercriminals to circumvent identity protections, such as multi-factor authentication (MFA) and single sign-on (SSO). 

According to Microsoft, at least 85 servers in 29 organisations globally have already been breached. Affected entities span sensitive sectors: government agencies, financial institutions, hospitals, and universities.

In a direct message to affected customers, Microsoft said: “We’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response.”

Here’s how the attack works. Hackers plant a malicious ASPX file on target servers; named examples include ‘spinstallo.aspx’. Once in place, this file extracts machine key configurations, allowing attackers to forge tokens and execute arbitrary code.

The result is total control of the compromised system. They can steal cryptographic keys, embed backdoors for persistent access, and deploy further malware undetected.

For those unaware, SharePoint servers are widely used by corporations and governments to share documents internally. While Microsoft’s cloud-based SharePoint Online remains unaffected, its on-premises versions from 2016, 2019, and the Subscription Edition are dangerously exposed.

In plain terms, Microsoft is telling organisations: patch your servers now or risk being hijacked.

The company has issued July 2025 security updates and strongly advised enabling the Antimalware Scan Interface (AMSI) alongside Defender Antivirus. If enabling AMSI is not possible, Microsoft recommends disconnecting servers from the internet entirely until patches are applied.

Additionally, Microsoft recommends rotating ASP.NET machine keys and restarting IIS servers to block ongoing attacks.

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated its response, adding CVE-2025-53770 to its Known Exploited Vulnerabilities catalogue. U.S. federal agencies have been ordered to patch their servers by July 21, 2025.

The FBI acknowledged the attacks in a brief statement on Sunday, saying it is “aware of the attacks and is working closely with its federal and private-sector partners,” but declined to provide further details.

What makes this breach more worrying is the sophisticated nature of the exploit. According to the initial disclosure by security experts at the Pwn2Own Berlin 2025 event, the ToolShell attack combines two additional vulnerabilities (CVE-2025-49706 and CVE-2025-49704), making it harder to detect and stop.

For organisations yet to patch, the advice is to isolate your servers or risk a full-scale breach.

Cybersecurity professionals globally now face a race against time to close the security gaps before more damage is done.

Microsoft Security Update Disrupts Linux Booting on Dual-Boot Systems
https://techeconomy.ng/microsoft-security-update-disrupts-linux-booting-on-dual-boot-systems/
Wed, 21 Aug 2024 10:26:46 +0000

The latest security patch by Microsoft has inadvertently disrupted dual-boot systems running both Windows and Linux, causing boot issues for many users.

The update, intended to fix a longstanding vulnerability in the GRUB boot loader used by Linux distributions, was not supposed to affect devices configured to dual-boot both operating systems. However, users have reported that their Linux installations are now unable to boot properly. 

The patch, released as part of Microsoft’s regular security updates, aimed to address a vulnerability in Secure Boot, a technology designed to prevent malicious firmware from loading during the boot process. 

The flaw had been identified two years ago, but Microsoft only recently issued a fix. Secure Boot is an essential feature in both Windows and many Linux distributions, ensuring that only trusted software can be executed during startup. 

The vulnerability allowed attackers to bypass Secure Boot protections by exploiting weaknesses in GRUB, the widely used Linux boot loader.

Despite assurances from Microsoft that the update would not impact dual-boot systems, users across various online forums have reported encountering error messages such as “Security Policy Violation” and “Something has gone seriously wrong” when attempting to boot into Linux. 

Affected distributions include popular ones like Ubuntu, Debian, Linux Mint, Zorin OS, and Puppy Linux. The problem appears to stem from Microsoft’s implementation of the Secure Boot Advanced Targeting (SBAT) update, which was intended to block vulnerable Linux boot loaders to enhance Windows security.

Microsoft has yet to officially acknowledge the problem or provide a solution, leaving users searching for workarounds. Some have found temporary fixes by disabling Secure Boot in their system’s BIOS settings, while others have resorted to deleting the SBAT policy from their Linux installations. 

However, these solutions may not be suitable for all users, particularly those who rely on Secure Boot for security purposes.
