Microsoft releases emergency fixes for actively exploited SharePoint security flaws


Microsoft has released emergency patches for two remote code execution vulnerabilities in SharePoint. The CVE-2025-53770 and CVE-2025-53771 security flaws are addressed by KB5002768 and KB5002754.

The issue was discovered by security researchers back in May, when it was found that the vulnerability allows for RCE attacks dubbed ToolShell. Microsoft had tried to plug the security holes earlier in the month with the July Security Update, but this only partly addressed the problem – hence the need for the emergency, out-of-band patches.

Any security issue with SharePoint server software is concerning because of the environments in which it is used. This was especially true of the recently discovered vulnerabilities as they were being actively exploited; dozens of organizations around the world were affected.

Despite Microsoft’s effort to fix the problems with the regular security updates, two vulnerabilities remained. Tracked as CVE-2025-53770 and CVE-2025-53771, the vulnerabilities affect Microsoft SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016.

So far, Microsoft has been able to produce two emergency fixes – for SharePoint Subscription Edition and SharePoint 2019 – with a third still to come (for SharePoint 2016).

In a blog post about the patches, Microsoft says:

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.

The company provides links to the two updates that it currently has available, saying that a third is on the way:

But simply installing the patches is not enough.

Microsoft also says that customers should ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly. This means enabling Full Mode and deploying Defender Antivirus. Additionally, Microsoft says to deploy Defender for Endpoint to detect and block post-exploit activity.

A final piece of advice offered by the company is to rotate SharePoint Server ASP.NET machine keys. Microsoft provides the following instructions:

Rotate SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers.

  1. Manually via PowerShell

To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.

  2. Manually via Central Admin

Trigger the Machine Key Rotation timer job by performing the following steps:

  1. Navigate to the Central Administration site.
  2. Go to Monitoring -> Review job definition.
  3. Search for Machine Key Rotation Job and select Run Now.

After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.

If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.

We will continue to provide updates and additional guidance for our customers as they become available.
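The PowerShell route described above, as an added example that is not part of the article or of Microsoft's guidance: it rotates the ASP.NET machine key for every web application in the farm and then restarts IIS, so that a missed web application or a failed rotation does not go unnoticed. It assumes an elevated SharePoint Management Shell on a SharePoint 2019 or Subscription Edition server, and that Update-SPMachineKey accepts the target via a -WebApplication parameter.

```powershell
# Added example (not from the article or from Microsoft's guidance text).
# Assumptions: run elevated on a SharePoint 2019 / Subscription Edition server,
# and Update-SPMachineKey takes the web application via -WebApplication.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$failed = @()
# Include Central Administration so its machine key is rotated as well.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $webApps) {
    Write-Host "Rotating machine key for $($app.DisplayName) ($($app.Url))"
    try {
        Update-SPMachineKey -WebApplication $app -ErrorAction Stop
    } catch {
        # Record the failure instead of stopping, so every web app is attempted.
        $failed += $app.Url
        Write-Warning "Rotation failed for $($app.Url): $_"
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "Machine key rotation failed for: $($failed -join ', ')"
    exit 1
}

# Running worker processes keep the old keys until IIS restarts.
# Repeat this restart on every SharePoint server in the farm (Get-SPServer lists them).
& iisreset.exe /noforce
```

Run the script once after the emergency update is installed; the non-zero exit code on any failed rotation makes it safe to wire into a larger patching runbook.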

With the vulnerabilities being actively exploited, the importance of patching systems really cannot be overstated. This is not a threat to downplay or ignore, as Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks states to The Hacker News:

If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat. What makes this especially concerning is SharePoint's deep integration with Microsoft's platform, including their services like Office, Teams, OneDrive and Outlook, which have all the information valuable to an attacker. A compromise doesn't stay contained – it opens the door to the entire network.

An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available. A false sense of security could result in prolonged exposure and widespread compromise.

There is currently no information about when Microsoft intends to release the equivalent fix for SharePoint 2016, but as this is software that remains in use by large numbers of organizations, it will be given high priority.
