Microsoft issues patches for “ToolShell” vulnerable SharePoint Servers

Patches for two vulnerable editions of Microsoft’s on-premises SharePoint Server collaboration tool are now available, with administrators urged to apply them immediately as threat actors actively exploit the “ToolShell” flaw.

The patches protect against the recently announced CVE-2025-53370 and CVE-2025-53771 deserialisation and spoofing vulnerabilities, known as “ToolShell”, which threat actors are using in remote code execution attacks.

Currently, security updates for SharePoint Server Subscription Edition and SharePoint Server 2019 are available.

SharePoint 2016 Server patches are not available yet, Microsoft said.

Mitigation advice to protect against the attacks includes using supported versions of SharePoint Server and applying the latest patches for them, including the July 2025 security update.

Microsoft also said the Antimalware Scan Interface (AMSI) should be enabled and configured correctly with an appropriate anti-virus solution; Microsoft also recommends using endpoint protection.

Admins should also rotate the SharePoint Server ASP.NET machine keys as a final step, either manually with a PowerShell cmdlet or through Central Administration.
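The machine key rotation step above, as an added PowerShell example that is not from the article or from Microsoft's guidance. It assumes a patched SharePoint Server Subscription Edition or 2019 farm where the Update-SPMachineKey cmdlet is available, the SharePoint PowerShell snap-in, and a farm administrator account; run it on one SharePoint server, then run iisreset on every server in the farm.

```powershell
# Added example: rotate the ASP.NET machine key on every web application in the
# farm, report the outcome, and recycle IIS so worker processes load the new key.
# Assumptions: Update-SPMachineKey is present (patched Subscription Edition / 2019),
# the session runs as a farm administrator on a SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        # Generates a new machine key for this web application and stores it in
        # the farm configuration; a failure here leaves the old key in place.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

if ($results.Rotated -contains $false) {
    # Do not recycle IIS with a half-rotated farm; fix the failed web applications first.
    Write-Warning "Machine key rotation failed for at least one web application; review the errors above."
} else {
    # Restart IIS so the rotated key takes effect on this server.
    & iisreset.exe
}
```

Repeat the iisreset on each remaining SharePoint server in the farm once the rotation has succeeded everywhere.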

A scan of Internet-facing SharePoint Servers by the not-for-profit ShadowServer Foundation suggests that most installations of the collaboration application are in the United States and Europe.

At the time of publication, the ShadowServer Foundation scan lists 323 Internet-visible SharePoint Servers in Australia and 10 in New Zealand.

The ShadowServer scan does not look for vulnerable versions of the software.

Dutch security vendor Eye said its scans have found dozens of vulnerable and exploited SharePoint Servers.

Eye Security said the current vulnerabilities are similar to ones exploited in 2021, but now packaged into a modern zero-day chain, with automatic shell drop, full persistence and no authentication required.

“These payloads can embed any malicious commands and are accepted by the server as trusted input, completing the remote code execution chain without requiring credentials,” Eye Security wrote.
