Critical SharePoint zero-day exploited in global attacks — no patch yet for 2016

July 21, 2025

A critical zero-day in Microsoft SharePoint Server is being actively exploited in global cyberattacks, affecting at least 54 organizations across multiple sectors. Tracked as CVE-2025-53770, the flaw has a severity score of 9.8 and currently has patches for later versions but no patch is available for the 2016 version. Attackers can execute code remotely without authentication.

The campaign began around July 18 and is targeting on-premises SharePoint installations. Victims include government agencies, banks, and multinational corporations across the U.S., Europe, and Asia. Microsoft confirmed the attacks over the weekend and says it’s working on an emergency update.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalogue on Sunday. Federal agencies have been ordered to apply mitigations by Monday. Dutch cybersecurity firm Eye Security, which first identified the exploit, says the threat actors are still launching mass attacks.

Dubbed “ToolShell” by researchers, the bug is linked to Microsoft’s earlier CVE-2025-49706, a spoofing issue patched in July. ToolShell exploits deserialization of untrusted data in SharePoint, allowing attackers to install web shells, steal cryptographic keys, and forge tokens for persistent access. Microsoft advises enabling Antimalware Scan Interface (AMSI) and Defender Antivirus, or disconnecting affected servers from the internet. SharePoint Online is not impacted.

Top Stories

Related Articles

June 26, 2026 Meta's chief technology officer says employee morale has fallen to one of the lowest levels in the more...

June 23, 2026 Ontario residents will soon be able to place a free lock on their credit files to help more...

June 22, 2026 Most projects flounder when sponsors are absent, hiding, or unsure of their role. Project managers and teams more...

June 22, 2026 Artificial intelligence pioneer Yann LeCun says Elon Musk's xAI is unlikely to compete at the leading edge more...

Picture of Jim Love

Jim Love

Jim Love's career in technology spans more that four decades. He's been a CIO and headed a world wide Management Consulting practice. As an entrepreneur he built his own tech business. Today he is a podcast host with the popular tech podcasts Hashtag Trending and Cybersecurity Today with over 14 million downloads. As a novelist, his latest book "Elisa: A Tale of Quantum Kisses" is an Audible best seller. In addition, Jim is a songwriter and recording artist with a Juno nomination and a gold album to his credit. His music can be found at music.jimlove.com
Picture of Jim Love

Jim Love

Jim Love's career in technology spans more that four decades. He's been a CIO and headed a world wide Management Consulting practice. As an entrepreneur he built his own tech business. Today he is a podcast host with the popular tech podcasts Hashtag Trending and Cybersecurity Today with over 14 million downloads. As a novelist, his latest book "Elisa: A Tale of Quantum Kisses" is an Audible best seller. In addition, Jim is a songwriter and recording artist with a Juno nomination and a gold album to his credit. His music can be found at music.jimlove.com

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn