When Microsoft urges its users to download a security update, it usually means two things:
- A breach has already happened
- Many more are still vulnerable
That’s exactly what happened on July 19, when Microsoft issued an urgent alert about two zero-day vulnerabilities.
At the time of writing, the situation is as follows:
On July 19, 2025, Microsoft issued an urgent alert for two zero-day vulnerabilities affecting on-premises SharePoint servers, now tracked as CVE-2025-53770 and CVE-2025-53771 and collectively dubbed ToolShell. These vulnerabilities do not affect SharePoint Online, but they pose a severe risk to organizations running on-prem SharePoint instances.
- CVE-2025-53770 enables unauthenticated remote code execution (RCE) by exploiting unsafe deserialization, allowing attackers to gain complete control of compromised servers. It carries a critical CVSS score of 9.8/10 and is already being actively exploited in global campaigns targeting government, telecom, and software sectors.
- CVE-2025-53771 is a spoofing/path traversal vulnerability allowing attackers to bypass authentication via improper header validation. When chained with the first vulnerability, it enables the full ToolShell exploit chain.
The ToolShell attack chain has been used to:
- Gain access, steal credentials, and in some cases, deploy ransomware
- Extract sensitive cryptographic keys
- Use in-memory payloads that evade traditional defenses by avoiding file-based artifacts
Researchers and Microsoft have identified three active attack clusters using evolving tactics and payloads to avoid detection. Microsoft has released emergency out-of-band patches for SharePoint Subscription Edition and 2019 (with 2016 patches pending).
Security agencies urged immediate patching, key rotation, and enhanced endpoint monitoring.
In short, ToolShell is an evolving, active, and critical threat to on-prem SharePoint deployments.
By the time Microsoft’s alert went out, the first wave of breaches had already begun on July 18, with hackers planting shells that leaked sensitive key material. Even after patching, stolen keys could allow attackers to impersonate legitimate users, making this far more dangerous than a typical “update and you’re safe” incident.
In a comment to Security Boulevard, our CEO, Camellia Chan, shared, “No amount of patching or perimeter defense can guarantee safety when trust assumptions are baked into software architecture. Organizations need to embed protection directly in hardware to close the gap software alone can’t.”
Cybersecurity agencies in the U.S., Canada, and Australia warned that this is not a “patch-and-forget” problem.
Experts recommend:
- Patch immediately, but never assume you’re safe
- Investigate for compromise both before and after updates
- Harden defenses with zero-trust, hardware-level protections that detect and block threats in real time
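The second recommendation, investigating for compromise before and after patching, means going back through web server logs for the two behaviours described above: path traversal in request URLs and requests that reach authenticated application pages without an authenticated user. The script below is an added example written for this post; it is not code from Microsoft, Security Boulevard, or the original article, and it uses no indicators from the ToolShell campaign itself. It assumes IIS W3C Extended logs with the default field set, treats SharePoint's standard /_layouts/ prefix as the location of application pages, and runs on a constructed log excerpt embedded in the file. Decoding is repeated so that double percent-encoding does not hide a ".." sequence, and an unauthenticated POST is only flagged when the server answered 2xx, because a 401 challenge with an empty username is normal Windows-authentication traffic.

```python
"""Hunt IIS W3C Extended logs for two behaviours worth investigating on an
on-prem SharePoint farm: path traversal in request URLs, and POSTs to
/_layouts/ application pages that succeeded without an authenticated user.

Added example for this post (not Microsoft's or the article's code). The log
excerpt below is constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Constructed IIS W3C Extended log excerpt (hypothetical hosts and users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 03:12:44 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 https://intranet.contoso.example/sites/finance 200
2025-07-18 03:12:51 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 https://intranet.contoso.example/sites/finance 200
2025-07-18 03:13:30 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 10.0.0.77 Mozilla/5.0 - 401
2025-07-18 03:14:02 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-18 03:14:09 10.0.0.5 GET /_layouts/15/..%252f..%252fweb.config - 443 - 203.0.113.9 python-requests/2.32 - 404
2025-07-18 03:14:15 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\bob 10.0.0.91 Mozilla/5.0 - 200
"""

# ".." as a whole path segment, after normalisation (backslashes -> slashes).
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at field positions
        yield dict(zip(fields, parts))


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; stop once another pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(*components):
    """True if any URL component contains a '..' segment once decoded."""
    for component in components:
        if component == "-":  # IIS writes '-' for an empty field
            continue
        normalised = fully_decode(component).replace("\\", "/")
        if TRAVERSAL.search(normalised):
            return True
    return False


def is_unauth_layouts_post(rec):
    """Successful POST to an application page with no authenticated user.
    A 401 with an empty username is a normal auth challenge and is ignored."""
    return (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower().startswith("/_layouts/")
            and rec["cs-username"] == "-"
            and rec["sc-status"].startswith("2"))


def hunt(text):
    """Return a list of (reason, record) findings for the whole log."""
    findings = []
    for rec in parse_w3c(text):
        if has_traversal(rec["cs-uri-stem"], rec["cs-uri-query"]):
            findings.append(("path-traversal", rec))
        if is_unauth_layouts_post(rec):
            findings.append(("unauthenticated-layouts-post", rec))
    return findings


def summarise(findings):
    """Group finding reasons by client IP so the analyst sees sources, not lines."""
    by_ip = {}
    for reason, rec in findings:
        by_ip.setdefault(rec["c-ip"], set()).add(reason)
    return {ip: sorted(reasons) for ip, reasons in by_ip.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for reason, rec in results:
        print(f"{rec['date']} {rec['time']} {rec['c-ip']:>15} {reason}: "
              f"{rec['cs-method']} {rec['cs-uri-stem']} -> HTTP {rec['sc-status']}")
    print(summarise(results))
```

Run against real logs, replace SAMPLE_LOG with the contents of the W3C files from each front-end server, and review the hosts that show both reasons first. The script is a hunting aid for the "investigate before and after patching" step; it does not replace Microsoft's own indicators, and a clean run says nothing about key material that may already have left the server, which is why key rotation stays on the list regardless.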
The ToolShell campaign is a wake-up call for anyone running exposed on-premises systems.
Read the full article on Security Boulevard here: https://securityboulevard.com/2025/07/hackers-exploiting-microsoft-flaw-to-attack-governments-businesses/
To learn more about how our solutions can support your cybersecurity strategy, drop us a message at [email protected], and let’s get started!