CISA has identified a new remote code execution vulnerability, CVE-2025-53770, affecting Microsoft SharePoint servers. This vulnerability allows unauthenticated individuals to access SharePoint systems. The exploitation technique, known as ToolShell, poses serious risks, allowing full access to file structures and configuration settings. CISA recommends immediate mitigation steps including configuring the Antimalware Scan Interface and monitoring for specific traffic. Organizations should disconnect vulnerable products from the internet if necessary and apply any forthcoming mitigations from CISA and Microsoft to prevent exploitation.
The Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a newly identified remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint servers.
Publicly referred to as "ToolShell," this exploitation technique grants unauthenticated actors full access to SharePoint systems, including file structures, internal configurations, and the ability to execute code remotely across networks.
To reduce the risk associated with CVE-2025-53770, CISA recommends that organizations configure the Antimalware Scan Interface (AMSI) in SharePoint.
Organizations unable to enable AMSI should disconnect affected public-facing products from the internet until official mitigations are released.