July 24, 2025

Microsoft Fix Targets Attacks on SharePoint Zero-Day

Microsoft released an emergency patch on July 20, 2025, to address a critical zero‑day vulnerability in on‑premises SharePoint Server (tracked as CVE‑2025‑53770), which had already been actively exploited in the wild. Dubbed “ToolShell,” the exploit chains earlier SharePoint flaws to enable unauthenticated remote code execution, allowing attackers to steal cryptographic machine keys and deploy persistent backdoors on compromised servers.

According to Microsoft and CISA advisories, the flaw affects only self‑hosted (on‑prem) SharePoint deployments—not the cloud‑based Microsoft 365 service—and the initial July 8 patch failed to fully remediate the issue. Multiple government agencies, universities, energy firms, and utilities were reportedly hit in a global campaign that began around July 18, prompting urgent recommendations to apply patches immediately, rotate keys, and disconnect vulnerable servers from the internet if necessary.

Source: https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/
