Microsoft has issued a high-severity security alert affecting on-premises deployments of SharePoint Server. A newly identified vulnerability, CVE-2025-53770, is being actively exploited in the wild as part of a large-scale cyberattack campaign targeting enterprise environments.
What’s Happening?
A critical flaw in how SharePoint handles incoming data allows attackers to remotely execute malicious code. This vulnerability is part of an exploit chain researchers are calling “ToolShell”, which combines multiple known vulnerabilities:
- CVE-2025-49704 (CVSS 8.8) – Arbitrary code execution via insecure deserialization
- CVE-2025-49706 (CVSS 6.3) – Privilege escalation component
- CVE-2025-53770 (CVSS 9.8) – Newly discovered zero-day
These vulnerabilities allow unauthorized, remote access to affected servers—posing a critical threat to enterprise data and operations.
Who Is Affected?
- Not Impacted: Microsoft SharePoint Online (cloud-based)
- Impacted: On-premises SharePoint Server deployments
Recommended Actions
If your organization uses on-prem SharePoint Server, act immediately:
- Apply Microsoft’s latest security updates and patches
- Audit SharePoint access logs and look for anomalies
- Review firewall and network segmentation policies
- Coordinate with your internal security team or managed service provider (MSP)
Our Commitment
Cyberthreats are growing in scale and complexity. At HHW Group, we are committed to keeping enterprises informed and protected. If you need guidance assessing your risk or securing your environment, please reach out to our cybersecurity team.
Stay secure. Stay ahead. – HHW Group Security Operations




