Microsoft Issues Patches for SharePoint Server Zero-Day Vulnerability; “Critical” to Rotate Server Keys
Microsoft announced a zero-day vulnerability for on-premises SharePoint servers on Saturday, July 19, 2025; the company has issued patches but customers should assume their networks have been breached and take appropriate action to mitigate fallout.

Services affected by the high-severity vulnerability include Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server 2016. Microsoft’s cloud-hosted SharePoint Online and Microsoft 365 are not affected.
The vulnerability has a severity rating of 9.8 out of a possible 10. Researchers said any customer running on-premises SharePoint servers should assume their networks have been breached, according to Ars Technica.
Hackers were able to breach SharePoint servers around the world, including U.S. federal and state agencies, universities, energy companies and more, according to The Washington Post.
This exploitation, known as “ToolShell” and tracked as CVE-2025-53770, gives attackers unauthenticated access to systems and “enables malicious actors to fully access SharePoint content, including file systems and internal configuration, and execute code over the network,” according to CISA, the U.S. Cybersecurity and Infrastructure Security Agency.
With access to the SharePoint servers, hackers could access passwords and sensitive data to connected services, such as Outlook email, Teams and more, according to Eye Security.
Most critically, the attack allowed hackers to gain access to server keys, which could allow them to regain entry after the system is patched. That is why customers need to rotate server keys to prevent recurring access.
According to CISA spokesperson Marci McCarthy, a cyber research firm alerted CISA on Friday, July 18, to the on-premises SharePoint server vulnerability, and the agency immediately contacted Microsoft.
Microsoft’s guidance for customers to mitigate potential attacks from this vulnerability includes the following steps:
- Use supported versions of on-premises SharePoint Server
- Apply the latest security updates
- Deploy threat solutions, such as Microsoft Defender for Endpoint protection
- Turn on appropriate antivirus and antimalware solutions, such as the Antimalware Scan Interface (AMSI) and Defender Antivirus
- Rotate SharePoint Server ASP.NET machine keys
We will continue to report on this ongoing security concern as more information becomes available.