Urgent: Microsoft Patches Dangerous SharePoint Flaws Exploited in Attacks

Alert: Critical SharePoint Vulnerabilities Under Active Attack - Patch Now
Hey there - dropping everything to get this urgent SharePoint security alert out to you. Microsoft just released emergency patches for two nasty vulnerabilities that hackers are already exploiting. If you're running SharePoint, you need to deal with this ASAP.
What's Happening?
Microsoft discovered two critical security holes (CVE-2025-53770 and CVE-2025-53771) in SharePoint that let attackers run malicious code on your servers without needing a password. Yeah, it's as bad as it sounds. There's already a hacking group using these flaws in something called "ToolShell" attacks to break into organizations worldwide.
Think of it like finding out your office building's main door lock is broken, and there are already thieves walking in and out. Except in this case, it's your SharePoint server they're walking into.
What You Need to Do Right Now
If you're a SharePoint admin, here's your emergency to-do list:
1. Install the patches immediately
   - Go to Windows Update or your update management system
   - Look for SharePoint security updates from Microsoft's February 2025 release
   - Install ALL available SharePoint updates - don't skip any
2. Rotate your SharePoint machine keys
   - Log into your SharePoint admin console
   - Navigate to Security Settings
   - Generate and implement new machine keys
3. Check for signs of compromise
   - Review your SharePoint logs for unusual activity
   - Look for unexpected file modifications
   - Check for new admin accounts or permission changes
   - Run Microsoft's recommended Defender queries (included below)
Technical Details for Your Security Team
For those who need the nitty-gritty details:
The vulnerabilities affect all supported versions of SharePoint Server
Attack vector involves specially crafted requests to exploit server-side deserialization
Microsoft Defender query to detect potential compromise:
DeviceProcessEvents
| where ProcessCommandLine contains "SharePoint"
| where InitiatingProcessCommandLine contains "w3wp.exe"
| where TimeGenerated > ago(7d)
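As an added illustration (not code from this article or from Microsoft), the Python below mirrors the three filters of that query so you can run the same logic over process events exported from a server, and adds one triage heuristic of our own: command shells launched by w3wp.exe sort to the top, because the query as written also matches plenty of benign child processes. The sample events are constructed, and note that the time column is named Timestamp in Defender advanced hunting and TimeGenerated in Microsoft Sentinel, so adjust the last filter to wherever you run the query.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed triage list (our addition, not part of Microsoft's query): a shell
# started by the IIS worker process deserves a look before other matches.
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

@dataclass
class ProcessEvent:
    timestamp: datetime        # Timestamp / TimeGenerated of the child process start (UTC)
    device: str                # DeviceName
    initiating_cmdline: str    # InitiatingProcessCommandLine (the parent process)
    cmdline: str               # ProcessCommandLine (the child process)

def matches_query(ev: ProcessEvent, now: datetime, window: timedelta = timedelta(days=7)) -> bool:
    """Same three filters as the KQL. KQL 'contains' is case-insensitive, so lower-case."""
    return (ev.timestamp > now - window
            and "w3wp.exe" in ev.initiating_cmdline.lower()
            and "sharepoint" in ev.cmdline.lower())

def severity(ev: ProcessEvent) -> str:
    """Added heuristic: a shell child of w3wp.exe is 'high', anything else 'review'."""
    first = ev.cmdline.lower().lstrip('"').split()[0] if ev.cmdline.strip() else ""
    return "high" if first.endswith(SHELLS) else "review"

def hunt(events, now: datetime):
    """Return matching events, 'high' severity first, then oldest first."""
    hits = [ev for ev in events if matches_query(ev, now)]
    return sorted(hits, key=lambda ev: (0 if severity(ev) == "high" else 1, ev.timestamp))

# Constructed sample telemetry (not real events); NOW is a fixed reference time.
NOW = datetime(2025, 7, 21, 12, 0, tzinfo=timezone.utc)
W3WP = r'c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80"'
SAMPLE = [
    # benign: a nightly export tool the app pool runs (still matches the query)
    ProcessEvent(NOW - timedelta(hours=14), "SP-WFE01", W3WP,
                 r'C:\Tools\spexport.exe --site https://sharepoint.example.local'),
    # worth triage: a command shell launched by the worker process this morning
    ProcessEvent(NOW - timedelta(hours=2), "SP-WFE02", W3WP,
                 r'cmd.exe /c dir "C:\inetpub\wwwroot\wss\VirtualDirectories\SharePoint - 80"'),
    # same command 10 days ago: outside the 7-day window, so excluded
    ProcessEvent(NOW - timedelta(days=10), "SP-WFE02", W3WP,
                 r'cmd.exe /c dir "C:\inetpub\wwwroot\wss\VirtualDirectories\SharePoint - 80"'),
    # parent is not w3wp.exe: the query ignores it
    ProcessEvent(NOW - timedelta(hours=1), "SP-APP01", r'C:\Windows\System32\services.exe',
                 r'"C:\Program Files\SharePoint Tools\backup.exe"'),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE, NOW):
        print(severity(ev), ev.device, ev.timestamp.isoformat(), ev.cmdline)
```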
Long-term Protection Steps
Once you've patched these holes, here's what you should do to better protect your SharePoint environment:
Enable SharePoint audit logging if you haven't already
Set up alerts for suspicious SharePoint activities
Review and tighten SharePoint permissions - remove any unnecessary access
Consider implementing additional network segmentation around your SharePoint servers
Update your incident response plan to include SharePoint-specific scenarios
Bottom Line
This isn't a "patch it when you can" situation - these vulnerabilities are actively being exploited right now. If you're running SharePoint, stop what you're doing and patch your systems immediately. Then come back and work through the rest of the protection steps.
I'll update this article as we learn more about these attacks. Stay safe out there.