The Cybersecurity and Infrastructure Security Agency (CISA) on July 20 flagged a new warning from Microsoft on exploitation of a SharePoint vulnerability (CVE-2025-53770).
“This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” CISA said.
“CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers,” the agency said.
“While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations,” CISA said.
The agency pointed network operators to a list of recommended actions to respond to the RCE compromise.
CISA’s July 20 alert followed Microsoft’s own customer guidance advisory issued on July 19.
The company said it was “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
“These vulnerabilities apply to on-premises SharePoint Servers only,” the company emphasized, adding that “SharePoint Online in Microsoft 365 is not impacted.”
Microsoft also pointed customers to a list of security updates and urged that “customers should apply these updates immediately to ensure they’re protected.”