Attackers Take Advantage of Zero-Day Vulnerabilities in On-Premises SharePoint


Microsoft Rolls Out Emergency Patches for Authentication-Bypassing Attacks


In a concerning development, cybersecurity experts have reported that attackers are exploiting two zero-day vulnerabilities in on-premises Microsoft SharePoint installations. This activity allows for remote compromises of servers and the potential theft of cryptographic keys and sensitive data.

The ongoing attack campaign, which targets a vulnerability chain referred to as ToolShell, enables unauthorized access to systems: attackers gain access to SharePoint content and the underlying file system and can execute code on the server from the network. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning regarding this situation in a recent alert.

This is classified as a high-severity threat, particularly affecting on-premises SharePoint installations in sectors such as government, education, and healthcare. Cloud environments appear to be unaffected. Michael Sikorski, CTO at Palo Alto Networks’ Unit 42, emphasized the urgent nature of the exploit, noting immediate risks to large organizations.

According to cybersecurity firm Eye Security, the campaign commenced on a Friday evening and escalated rapidly. By Saturday, attackers had managed to breach several servers and deploy a shell that extracted sensitive cryptographic materials, granting them extensive control over the systems.

Experts are advising organizations to treat their on-premises SharePoint systems as potentially compromised and to apply Microsoft patches immediately, where they are available. Additionally, organizations are encouraged to rotate cryptographic keys and monitor for indicators of compromise to reduce the risk of further breaches.

Charles Carmakal, CTO of Mandiant Consulting, highlighted the importance of assuming compromise for any SharePoint instance exposed to the internet prior to applying patches. He remarked that this incident is not merely a patching issue—comprehensive validation is required.

CISA has urged all organizations with affected systems to implement necessary mitigations or temporarily disconnect from public-facing services. An indication of the widespread nature of this attack includes reports of compromised systems across government and enterprise sectors internationally.

Microsoft has released emergency updates that promise enhanced protections against the two vulnerabilities addressed in earlier July patches, in addition to remedies for the newly discovered zero-day flaws. CISA has now included CVE-2025-53770, one of the newly discovered vulnerabilities, in its Known Exploited Vulnerabilities catalog, mandating federal civilian agencies to act swiftly.

As the FBI coordinates with both public and private sectors in response to these breaches, Microsoft has issued out-of-band security patches for affected SharePoint versions. The urgency to apply these updates cannot be overstated, as failure to secure systems could lead to persistent access by attackers and increased exploitation risks.

This situation underlines the necessity for organizations to adopt a proactive stance on cybersecurity, treating all potentially impacted SharePoint instances as compromised until cleared. As with many advanced persistent threats, the activity maps to MITRE ATT&CK tactics such as initial access, persistence, and privilege escalation, warranting rigorous review and response measures by business owners.
