Article Details
Scrape Timestamp (UTC): 2025-07-21 04:43:06.947
Original Article Text
Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks

Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, that have been used to compromise servers worldwide in "ToolShell" attacks.

In May, during the Berlin Pwn2Own hacking contest, researchers exploited a zero-day vulnerability chain called "ToolShell" that gave them remote code execution on Microsoft SharePoint. Those flaws, CVE-2025-49704 and CVE-2025-49706, were fixed in the July Patch Tuesday updates; however, threat actors then found two new zero-day vulnerabilities that bypass Microsoft's patches for them. Using these bypasses, the threat actors have been conducting ToolShell attacks on SharePoint servers worldwide, impacting over 54 organizations so far.

Emergency updates released

Microsoft has now rushed out emergency out-of-band security updates for Microsoft SharePoint Subscription Edition and SharePoint 2019 that fix both CVE-2025-53770 and CVE-2025-53771. Patches for SharePoint 2016 are still being worked on and are not yet available.

"Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706," reads a note in Microsoft's advisories.

SharePoint admins should install the update for their version immediately. After installing the updates, admins also need to rotate the SharePoint machine keys: patching alone does not invalidate keys an attacker has already extracted from the server. Admins can rotate the machine keys using one of the two methods below.

Manually via PowerShell: To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.
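As an added example (not text from the article and not a Microsoft script), the following rotates the machine keys of every content web application in a farm with Update-SPMachineKey and then restarts IIS. It assumes it is run in an elevated SharePoint Management Shell on a farm server, after the CVE-2025-53770/CVE-2025-53771 update has been installed, and that Update-SPMachineKey takes the target via its -WebApplication parameter as in the cmdlet's documented syntax.

```powershell
# Added example (not from the article or Microsoft): rotate ASP.NET machine keys for
# every content web application, then restart IIS so the worker processes load them.
# Assumptions: elevated SharePoint Management Shell on a farm server; the server is
# already patched for CVE-2025-53770/53771 (rotating before patching just hands the
# attacker a fresh key); Update-SPMachineKey accepts -WebApplication.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($webApp in Get-SPWebApplication) {
    try {
        # Generates new validation/decryption keys for this web application.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.Url; Result = 'rotated' }
    }
    catch {
        # Keep going: one failing web application must not leave the others on old keys.
        [pscustomobject]@{ WebApplication = $webApp.Url; Result = "FAILED: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize

if ($report.Result -contains 'rotated') {
    # Restart IIS on this server; repeat on every other SharePoint server in the farm.
    & iisreset.exe /noforce
}
```

Run it once per farm rather than per server; the table it prints is the record of which web applications still need attention if any rotation failed.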
Manually via Central Admin: Trigger the Machine Key Rotation timer job from the Central Administration site.

It is also advised to analyze your logs and file system for the presence of malicious files or attempts at exploitation. Microsoft has shared a Microsoft 365 Defender query to check whether the spinstall0.aspx file was created on your server. If the file exists, a full investigation should be conducted on the breached server and across your network to ensure the threat actors did not spread to other devices.
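For servers without Defender, the following is an added example (not the article's text and not Microsoft's Defender query) of the same check done locally: it sweeps the SharePoint LAYOUTS folder for the spinstall0.aspx payload named above, lists any other recently written ASP.NET script files there, and greps the IIS logs for requests to the payload. It assumes SharePoint Subscription Edition and 2019 keep LAYOUTS under the "16" hive in Common Files (the "15" hive covers 2016), that IIS logs are in the default %SystemDrive%\inetpub\logs\LogFiles, and a 30-day look-back window chosen here for illustration.

```powershell
# Added example (not from the article or Microsoft): local hunt for the spinstall0.aspx
# web shell and related artifacts on a SharePoint server.
# Assumptions: LAYOUTS under the 16 (SE/2019) or 15 (2016) hive in Common Files;
# default IIS log location; the look-back window below is an illustrative value.

$layoutsDirs = @(
    'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
) | ForEach-Object { Join-Path $env:CommonProgramFiles $_ } | Where-Object { Test-Path $_ }

# 1. The named indicator under LAYOUTS; a wildcard so a renamed copy is not missed.
$iocHits = foreach ($dir in $layoutsDirs) {
    Get-ChildItem -Path $dir -Recurse -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Any other server-side script file that appeared or changed inside the window
#    (a web shell under a different name looks like this).
$since = (Get-Date).ToUniversalTime().AddDays(-30)
$recentScripts = foreach ($dir in $layoutsDirs) {
    Get-ChildItem -Path $dir -Recurse -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $since -or $_.LastWriteTimeUtc -ge $since } |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
}

# 3. IIS W3C logs: a request for the payload is evidence of exploitation even if the
#    file has since been deleted from disk.
$iisLogRoot = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'
$logHits = Get-ChildItem -Path $iisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'spinstall' -SimpleMatch |
    Select-Object Path, LineNumber, Line

if ($iocHits -or $logHits) {
    Write-Warning 'spinstall0.aspx seen on disk or in IIS logs: treat this server as compromised and start a full investigation.'
}

$iocHits       | Format-Table -AutoSize
$recentScripts | Format-Table -AutoSize
$logHits       | Format-List
```

A hit in the first or third list means the patch arrived too late for that server: rotate the machine keys, preserve the file and log lines as evidence, and extend the investigation to the rest of the network as the article advises.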
Daily Brief Summary
Microsoft released emergency patches for two zero-day vulnerabilities in SharePoint, identified as CVE-2025-53770 and CVE-2025-53771.
These security flaws were exploited in the global "ToolShell" attacks, impacting over 54 organizations so far.
The vulnerabilities bypass the fixes Microsoft shipped in the July Patch Tuesday updates for CVE-2025-49704 and CVE-2025-49706, the chain demonstrated at Pwn2Own Berlin, and give attackers remote code execution on affected servers.
Emergency security updates have been issued for Microsoft SharePoint Subscription Edition and SharePoint 2019.
Microsoft is also working on patches for SharePoint 2016, which are currently not available.
SharePoint administrators are advised to immediately install the updates and rotate the machine keys to mitigate any potential risks.
Microsoft has provided a specific Microsoft 365 Defender query to help administrators check for signs of the exploit on their servers.