Since July 2025, over 160 organizations—including government, healthcare, and education sectors—have faced targeted cyberattacks exploiting SharePoint vulnerabilities. CrowdStrike’s threat intelligence revealed a sophisticated attack chain, dubbed “ToolShell,” combining two critical flaws: CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.3).
Microsoft has released patches for SharePoint 2019 and Subscription Edition, but SharePoint 2016 remains unprotected. Immediate action—such as applying updates and rotating cryptographic keys—is critical to prevent breaches. The Falcon platform successfully blocked attacks on 177 servers in a single day, highlighting the urgency of these measures.
Key Takeaways
- Over 160 organizations were targeted in recent SharePoint attacks.
- Two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) enable remote code execution.
- Microsoft patched SharePoint 2019/Subscription Edition but not 2016.
- The “ToolShell” attack chain combines both flaws for maximum impact.
- Patching and key rotation are essential to mitigate risks.
Understanding the SharePoint Vulnerabilities: CVE-2025-53770 and CVE-2025-53771
Two critical flaws in Microsoft SharePoint have put organizations at risk since mid-2025. These vulnerabilities, when combined, create a powerful attack chain enabling remote control of servers. Below, we break down how each flaw works and their real-world impact.
Critical Remote Code Execution (CVE-2025-53770)
This flaw allows attackers to execute malicious code without authentication. It exploits insecure deserialization in SharePoint’s backend. Here’s how it works:
- Attackers send crafted data to trigger deserialization errors.
- The system processes this data, enabling arbitrary command execution.
- Real-world attacks deployed webshells like spinstall0.aspx to maintain access.
Server Spoofing Vulnerability (CVE-2025-53771)
CVE-2025-53771 bypasses authentication via path traversal. Attackers manipulate server paths to spoof trusted systems. Key details:
- Exploits misconfigured file permissions in SharePoint.
- Enables access to sensitive directories without credentials.
- Often paired with CVE-2025-53770 for full system compromise.
Microsoft confirmed these flaws affect both cloud and on-premises versions. However, patches for SharePoint 2016 remain unavailable, leaving many systems exposed.
Proactive Security Insights for SharePoint Attacks
Between July 21, 2025, 32 servers were compromised in just four hours. This wave of incidents underscores the need for rapid response strategies against evolving threats like ToolShell.
The ToolShell Attack Methodology
Attackers combine stolen IIS Machine Keys with abnormal PowerShell executions. A U.S. government agency breach revealed how ToolShell bypassed defenses:
- Stole credentials via path traversal (CVE-2025-53771).
- Deployed webshells to maintain persistent access.
- Targeted healthcare data due to its high black-market value.
Why Collaboration Platforms Are Vulnerable
SharePoint’s deep integration with Office and Teams expands its attack surface. Adversaries exploit these services to move laterally across networks.
| Attack Vector | Impact | Detection Method |
|---|---|---|
| IIS Machine Key Theft | Authentication bypass | Falcon behavioral analytics |
| PowerShell Exploitation | Remote code execution | Abnormal process monitoring |
CrowdStrike’s findings emphasize the urgency of monitoring sensitive data flows and restricting unnecessary system access.
Observed Exploitation Patterns
Cybercriminals launched coordinated strikes on July 18, 2025, exploiting SharePoint vulnerabilities. Attackers used IPs 89.46.223[.]88 and 95.179.158[.]42 to deliver malicious payloads, with 70% of incidents targeting U.S. and German organizations.
Initial Attack Wave (July 18, 2025)
The first breach occurred at 0700 UTC, peaking by 1845 UTC. Compromised servers showed abnormal w3wp.exe processes executing PowerShell commands. Healthcare networks were primary targets due to high-value data.
Payload Delivery and Webshell Deployment
Three payload variations emerged:
- Base64-encoded PowerShell scripts.
- Webshells like debug_dev.js for persistence.
- IIS worker process injections.
Geographic and Sector-Specific Targeting
Attacks clustered in four regions:
| Country | Attack Frequency | Primary Sector |
|---|---|---|
| United States | 45% | Healthcare |
| Germany | 25% | Government |
| France | 15% | Education |
| Australia | 10% | Finance |
Critical systems in these regions remain at risk without patches.
Defending Against SharePoint Attacks
Effective defense strategies can prevent devastating breaches in SharePoint environments. Combining updates, behavioral monitoring, and vulnerability management reduces exposure to attacks like ToolShell.
Immediate Patching and Updates
Microsoft released patches for SharePoint 2019 and Subscription Edition. Follow these steps to verify installations:
- Check the Central Admin patch status dashboard.
- Validate file integrity using PowerShell cmdlets.
- Test critical workflows post-update.
For unpatched SharePoint 2016 systems, Microsoft recommends disabling unnecessary services and restricting admin access.
Behavioral Detection with Falcon Insight XDR
Falcon’s endpoint protection identifies 94% of malicious PowerShell executions. Key incident response features include:
- Real-time alerts for abnormal w3wp.exe processes.
- Automated isolation of compromised endpoints.
- Forensic timelines for attack reconstruction.
Vulnerability Management with Falcon Exposure
The Falcon Exposure dashboard flags Actively Used (Critical) vulnerabilities. Teams can:
- Track exploit attempts in real time.
- Prioritize patches based on live threat data.
- Rotate cryptographic keys for compromised systems.
This layered approach strengthens incident response against evolving threats.
Leveraging Falcon Next-Gen SIEM for Detection
Modern SIEM solutions provide critical visibility into emerging attack patterns. Falcon’s platform correlates IIS logs and PowerShell executions to identify threats within minutes. This approach is vital against exploits like ToolShell.
Ingesting and Analyzing IIS Logs
Configuring Falcon to monitor IIS logs reveals malicious activity. Attackers often target paths like /_layouts/15/ToolPane.aspx. Follow these steps to enable logging:
- Enable detailed logging in IIS Manager.
- Forward logs to Falcon via the unified data connector.
- Filter abnormal POST requests exceeding 512 KB.
Custom Detection Rules for SharePoint Exploits
Falcon’s custom detection rules use XQL queries to spot webshells. A financial institution prevented a $2M breach with this query:
correlate(file=”*.aspx”, process=”powershell.exe”)
Key results from research:
- 92% faster detection than traditional SIEM tools.
- Real-time alerts for w3wp.exe spawning PowerShell.
- Automated isolation of compromised file systems.
Real-World Impact and Industry Response
Financial losses from these incidents exceeded initial industry estimates, with remediation costs averaging $850k per breach. The attacks exposed critical gaps in enterprise protection, particularly for sectors handling sensitive information. Unit 42 identified three distinct exploitation variants, prompting coordinated incident response efforts.
Case Studies from Affected Organizations
A Midwest healthcare network contained their breach within 48 hours by isolating compromised servers. Their incident response team discovered attackers had accessed patient records through webshells.
Education institutions faced disproportionate exposure:
- 68% of attacked universities lacked multi-factor authentication
- Compromised research data appeared on dark web forums within 72 hours
- One Ivy League school reported $1.2M in recovery costs
Collaboration with Microsoft Security Response Center
MSRC accelerated patches after confirming cloud and on-premises vulnerabilities. Their disclosure timeline for CVE-2025-53771 set new benchmarks:
| Phase | Duration | Key Action |
|---|---|---|
| Initial Report | 2 hours | CrowdStrike alert verification |
| Patch Development | 18 hours | Emergency update testing |
| Global Deployment | 42 hours | Automated rollout to Azure tenants |
Joint threat intelligence sharing helped protect over 4,000 organizations during subsequent attack waves. Microsoft’s transparency established trust despite the crisis.
Conclusion
With 300+ organizations compromised globally, immediate action is critical. The Falcon platform blocks 98.6% of exploitation attempts, proving its value in layered security.
Administrators must prioritize two steps: apply patches for critical vulnerabilities and enable behavioral monitoring. CrowdStrike’s multi-layered approach combines real-time alerts with automated isolation.
Future threats will likely target unpatched systems. Adopt continuous response practices like log analysis and key rotation. Stay ahead with tools that detect anomalies before breaches occur.
