Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attacks.
In May, during the Berlin Pwn2Own hacking contest, researchers exploited a zero-day vulnerability chain called "ToolShell," which enabled them to achieve remote code execution in Microsoft SharePoint.
These flaws were fixed as part of the July Patch Tuesday updates; However, threat actors were able to discover two zero-day vulnerabilities that bypassed Microsoft's patches for the previous flaws.
Using these flaws, the threat actors have been conducting ToolShell attacks on SharePoint servers worldwide, impacting over 54 organizations so far.
Emergency updates released
Microsoft has now rushed out emergency out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 that fix both the CVE-2025-53770 and CVE-2025-53771 flaws.
Microsoft is still working on the SharePoints 2016 patches and they are not yet available.
"Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706," reads a note in Microsoft advisories.
Microsoft SharePoint admins should install the following security updates immediately, depending on the version:
The KB5002754 update for Microsoft SharePoint Server 2019.
... continue reading