Microsoft SharePoint Server emergency security update now available.
Every security team’s nightmare came true over the weekend: a global zero-day Microsoft server exploit without a patch. What’s more, one that enables the attackers to execute code remotely, bypass identity protections such as multi-factor authentication and access system files before moving across the Windows domain. The servers in question are on-premises Microsoft SharePoint Server installations, and the critical exploit detailed as CVE-2025-53770. Late on Sunday July 20, Microsoft issued an emergency security update, but this alone is not, security researchers have warned, enough to fully stop the threat itself. Here’s what you need to know and do, right now.
Microsoft Confirms Global SharePoint Server Hack Attack — Issues Emergency Security Update
CVE-2025-53770 is a newly discovered, critical, SharePoint Server zero-day exploit that is impacting Microsoft customers on a global scale, according to the Eye Research team behind the disclosure. The immediate impact of the exploit has been felt by those deploying on-premises, rather than SharePoint Online in Microsoft 365, SharePoint Server installations. Reports suggest that government users, hospitals and educational facilities, along with large enterprises, are most at risk.
As I reported July 20, the ToolShell critical vulnerability, being exploited on a truly massive and ongoing scale, enables hackers to gain access to, and control of, on-premises SharePoint servers without authentication. As SharePoint is often connected to core services such as Microsoft Outlook, Teams, and OneDrive, the attacks can lead directly to password harvesting and data theft.
Microsoft verified the critical exploit and ongoing attacks in a July 20 posting, and has now updated this to confirm that an emergency security patch has been made available. “Customers should apply these updates immediately to ensure they’re protected,” Microsoft said.
Unfortunately, just applying the security update is unlikely to “fully evict” the threat itself, as the Eye Research team warned that the theft of cryptographic keys means that the hackers can continue to impersonate users and services “even after the server is patched.”
Microsoft has now confirmed that following deployment of the emergency security update, “it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers”
This post was created with our nice and easy submission form. Create your post!
