Source URL: https://blog.talosintelligence.com/toolshell-affecting-sharepoint-servers/
Source: Cisco Talos Blog
Title: ToolShell: Details of CVEs Affecting SharePoint Servers
Feedly Summary: Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. Microsoft tracks CVE-2025-53770 as a deserialization of untrusted data flaw and CVE-2025-53771 as a path traversal flaw; both affect SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019.
AI Summary and Description: Yes
**Summary:** The text discusses two actively exploited vulnerabilities (CVE-2025-53770 and CVE-2025-53771) affecting on-premises SharePoint Server versions, highlighting their exploitation in the wild. It summarizes Microsoft’s response, including security updates and recommended mitigations. The topic is directly relevant to infrastructure and information security professionals, as it shows why known, actively exploited vulnerabilities must be patched and their post-exploitation consequences (such as stolen machine keys) addressed.
**Detailed Description:**
The vulnerabilities CVE-2025-53770 and CVE-2025-53771 present significant risks to SharePoint Server environments. CVE-2025-53770 is a deserialization of untrusted data flaw that yields remote code execution; CVE-2025-53771 is a path traversal flaw that Microsoft rates as spoofing and that the exploit chain uses to reach the vulnerable code path without authenticating. Chained together, they give an unauthenticated attacker code execution on the server.
– **Vulnerability Characteristics:**
– Chained, the two vulnerabilities allow remote code execution without any user authentication, which is what makes them particularly dangerous.
– They are variants of the previously fixed CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing), which Microsoft patched in its July 2025 Patch Tuesday release; the new CVEs bypass those earlier fixes.
– **Microsoft’s Response:**
– Security updates have been released for SharePoint Server Subscription Edition and SharePoint Server 2019; at the time of writing, SharePoint Server 2016 remains vulnerable without a patch.
– Microsoft recommends rotating the ASP.NET machine keys (ValidationKey and DecryptionKey) on SharePoint servers after applying the update, and certainly if compromise is suspected: an attacker who has already extracted the keys can keep forging signed __VIEWSTATE payloads even on a patched server, so patching alone does not close that door.
– **Guidance for Protection:**
– Administrators are encouraged to turn on the Antimalware Scan Interface (AMSI) integration in SharePoint and deploy an AMSI-capable antivirus engine on every SharePoint server. Where AMSI cannot be enabled, Microsoft advises disconnecting the server from the internet until the security update is applied.
– Microsoft has published patch details and mitigation guidance, emphasizing that the updates must be applied to defend against ongoing exploitation attempts.
– **Cisco’s Involvement:**
– Cisco Talos has published detection signatures (Snort SIDs 65092 and 65183) to help identify exploitation attempts and related web threats.
– Cisco provides a suite of security tools including Cisco Secure Endpoint, Cisco Secure Email, Cisco Secure Firewall, and others, which can prevent, detect, and respond to threats arising from these vulnerabilities.
– **CISA’s Contribution:**
– The Cybersecurity and Infrastructure Security Agency (CISA) has also published additional information and technical indicators about the exploitation activity targeting unprotected SharePoint servers.
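The patch-then-rotate procedure above is typed into the SharePoint Management Shell, so the following is a worked example of it in PowerShell. It is an added example, not code from the Talos post or from Microsoft: it checks the farm build, rotates the ASP.NET machine keys for every web application with the documented `Update-SPMachineKey` cmdlet, and restarts IIS. The minimum fixed build number is a placeholder you must replace with the value from the Microsoft advisory for your edition; the cmdlets themselves (`Get-SPFarm`, `Get-SPWebApplication`, `Update-SPMachineKey`) are standard SharePoint Management Shell cmdlets.

```powershell
# Added example, not from the original post. Run in the SharePoint Management
# Shell as a farm administrator on one server in the farm; repeat the IIS
# restart on every other front-end server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the farm is on a build that carries the fix.
#    The build below is a PLACEHOLDER (assumption): take the real minimum build
#    for your edition (Subscription Edition, 2019, 2016) from the Microsoft
#    advisory for CVE-2025-53770 before relying on this check.
$minimumFixedBuild = [version]'16.0.0.0'
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $minimumFixedBuild) {
    Write-Warning ("Farm build {0} is below the fixed build {1}; apply the " +
                   "security update before rotating keys.") -f $farm.BuildVersion, $minimumFixedBuild
} else {
    Write-Host "Farm build $($farm.BuildVersion) meets the assumed minimum fixed build."
}

# 2. Rotate the ASP.NET machine keys for every web application, Central
#    Administration included. This is the step that invalidates keys an
#    attacker may already have stolen: with the old ValidationKey they could
#    keep forging signed __VIEWSTATE payloads against a fully patched server.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS so worker processes pick up the new keys. Sessions and any
#    in-flight ViewState signed with the old keys become invalid, which is the
#    intended effect.
& iisreset.exe
```

Run the rotation only after the security update is installed: rotating first and patching later leaves a window in which a still-vulnerable server can have its new keys stolen, forcing a second rotation. AMSI integration is enabled and verified per web application in Central Administration, as the guidance above describes, and is not scripted here.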
**Key Implications for Security Professionals:**
– **Proactive Measures:** Organizations running on-premises SharePoint should prioritize applying the latest security updates, enabling AMSI, and rotating machine keys after patching.
– **Continuous Monitoring:** Deploy detection (such as the Snort signatures and other tooling offered by Cisco and other vendors) to identify exploitation attempts and follow-on activity related to these vulnerabilities.
– **Incident Response Preparation:** Ensure incident response plans are in place for responding to potential exploitation of these or similar vulnerabilities, including the possibility that servers were compromised before the patch was applied.
In summary, understanding and addressing these vulnerabilities is critical for maintaining secure infrastructures and protecting sensitive data within SharePoint environments.