Critical Sharepoint security vulnerability: First patches are available
Microsoft has now released a patch, but attackers were not idle over the weekend. Dozens of SharePoint installations fell victim to "ToolShell".
The Microsoft Visitor Center in Redmond, Washington.
(Image: dpa, Ted S. Warren/AP/dpa)
The serious "ToolShell" SharePoint security vulnerability continues to keep Microsoft admins and security experts on their toes. The software company has now provided the first patches for the on-premises versions of its collaboration tool. However, applying the patch is not enough: administrators must take further measures to eliminate possible backdoors.
Microsoft has now provided updates for the two affected major versions, SharePoint Enterprise Server 2016 and SharePoint Server 2019. The fixed builds, SharePoint Enterprise Server 2016 16.0.5508.1000 and SharePoint Server 2019 16.0.10417.20027, are available on the company's help pages. Microsoft expressly points out that the ASP.NET "machine keys" must always be rotated after the update, which requires an IIS restart; the corresponding PowerShell cmdlets are listed on the ToolShell help pages. Microsoft's cloud offerings are not affected; only on-premises installations are at risk, and their admins should act immediately.
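The post-patch procedure described above (install the fixed build, rotate the ASP.NET machine keys, restart IIS) as an added PowerShell example. This is not code from the article or from Microsoft's help page; it assumes the `Update-SPMachineKey` cmdlet (documented for SharePoint Server 2019 and later; the article only says the cmdlets are on Microsoft's help pages) and that `(Get-SPFarm).BuildVersion` reflects the installed update, which is only true once the SharePoint Products Configuration Wizard (psconfig) has run. The minimum build numbers are the two fixed versions named in the article.

```powershell
# Added example, not from the article or Microsoft's help page.
# Run in an elevated SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Fixed builds named in the article (heise, July 2025).
$fixed2016 = [version]'16.0.5508.1000'
$fixed2019 = [version]'16.0.10417.20027'

# Assumption: BuildVersion is refreshed only after psconfig has run,
# so a stale value here means the update is not fully applied yet.
$build = (Get-SPFarm).BuildVersion

# 2016 farms carry builds in the 16.0.4xxx-5xxx range, 2019 farms 16.0.10xxx;
# that split is used here to pick the right minimum build.
$required = if ($build -lt [version]'16.0.10000.0') { $fixed2016 } else { $fixed2019 }

if ($build -lt $required) {
    Write-Warning "Farm build $build is below the fixed build $required. Install the update and run psconfig first; machine-key rotation alone does not close the vulnerability."
    return
}
Write-Host "Farm build $build is at or above $required."

# Rotate the ASP.NET machine keys for every web application, including
# Central Administration. Keys extracted by an attacker before the patch
# stay valid until this is done, which is why Microsoft requires it.
# Assumption: Update-SPMachineKey takes an SPWebApplication (or URL) via -WebApplication.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_ -Confirm:$false
}

# The new keys take effect only after the IIS worker processes restart.
# Repeat the rotation and restart on every server in the farm.
& "$env:windir\System32\iisreset.exe"
```

Run it on each front-end server after the update has been installed; the build check is there so that key rotation is not mistaken for a fix on an unpatched farm.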
The US cyber security authority CISA has also issued a warning about the vulnerability in its "Known Exploited Vulnerabilities Database" and has written its own overview article, which is essentially based on Microsoft's information. CISA instructions are binding for US federal authorities. The security company Eye Security provides a detailed analysis and timeline in its blog, according to which exploitation of the vulnerability began overnight from July 18 to 19 and dozens of systems have been "downed".
Variant of Pwn2Own vulnerability
The vulnerability with the CVE-ID CVE-2025-53770 is a variant of the vulnerabilities CVE-2025-49706 and CVE-2025-49704 exploited at Pwn2Own Berlin, which allows remote takeover of the SharePoint server with a single HTTP request. As the German company "Code White GmbH" demonstrates on X, it is sufficient to inject a system command in the right place. This allowed the previously unknown attackers to take over the systems and extract the ASP.NET "machine keys". With these, it is possible to secure persistent access to the SharePoint server even after the patch has been applied, which is why Microsoft requires the keys to be rotated.
(cku)