Update: New version of SharePoint 2016 fixes Toolshell vulnerability
Microsoft is following up and has also released a patch for the 2016 edition of SharePoint. Admins should install it immediately.
(Image caption: Following a tip-off from the US intelligence agency NSA, Microsoft has closed an explosive security gap in its Windows operating system. Image: dpa, Matthias Balk/dpa)
Further patches are now available for the critical vulnerability CVE-2025-53770, nicknamed "Toolshell". Microsoft has released an update for SharePoint Enterprise Server 2016 as well as for the English language packs of this and the 2019 edition. This patches all currently supported SharePoint versions – which was sorely needed: large-scale attack campaigns have been running for days.
The Microsoft Security Response Center (MSRC) maintains a detailed overview article on the Toolshell vulnerability and announced the security updates there on Monday. The following updates are now available via Microsoft Update, the Microsoft Update Catalog or the Microsoft Download Center:
- SharePoint Server 2016: Update KB5002760, Build 16.0.5513.1001
- SharePoint Server 2019: Update KB5002754, Build 16.0.10417.20037
- SharePoint Server Subscription Edition: Security update KB5002768, Build 16.0.18526.20508
It is almost a cliché by now, but administrators of on-premises SharePoint servers should install the updates promptly. Attack campaigns are already underway and over 100 organizations have reportedly been compromised.
Rotate keys, keep an eye on servers
However, the update alone is not enough, as the SharePoint server may already have been successfully taken over by attackers. Microsoft is therefore urging additional measures:
- The Antimalware Scan Interface (AMSI) integration in SharePoint should be switched on and, if possible, "Full Mode" should be activated so that the entire body of HTTP requests is scanned.
- Microsoft Defender for Endpoint and Microsoft Defender Antivirus also help with detection and removal via specialized signatures such as "Exploit:Script/SuspSignoutReq.A".
- The ASP.NET "machine keys" should definitely be rotated – otherwise attackers who have obtained them may be able to keep executing their malicious code on the SharePoint server even after patching. Microsoft has published additional guidance on this in its security notice.
The security company Eye Security maintains an extensive list of "Indicators of Compromise" in its blog article on the Toolshell vulnerability. System administrators should watch not only for suspicious file names, but also for certain HTTP requests (such as POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx) and user agents. Security researcher Florian Roth also points out that these indicators could change with the next wave of attacks.
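As an added, runnable illustration of the HTTP-request indicator quoted above (not code from heise, Eye Security or Microsoft): the script parses a constructed IIS W3C log excerpt and flags POST requests to ToolPane.aspx whose query string carries DisplayMode=Edit and a=/ToolPane.aspx, reporting client IP and user agent for each hit. The layouts hive number is matched generically (15 or 16) as an assumption, and, as Florian Roth notes, the pattern will need revisiting as the indicators change.

```python
"""Flag ToolPane.aspx requests in IIS W3C logs (constructed sample data)."""
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt; the #Fields line mirrors a default IIS layout.
# Addresses, names and timestamps are invented for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-21 10:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-21 10:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-21 10:14:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=%2FToolPane.aspx 443 - 203.0.113.7 python-requests/2.32 - 200
2025-07-21 10:15:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.0.21 Mozilla/5.0 - 200
"""

# Assumption: the layouts hive may be 15 or 16 depending on the SharePoint version.
TOOLPANE_STEM = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_toolpane_hit(rec):
    """True for a POST to ToolPane.aspx with DisplayMode=Edit and a=/ToolPane.aspx.

    parse_qs URL-decodes, so an encoded %2FToolPane.aspx is matched as well."""
    if rec.get("cs-method") != "POST":
        return False
    if not TOOLPANE_STEM.search(rec.get("cs-uri-stem", "")):
        return False
    query = parse_qs(rec.get("cs-uri-query", ""))
    return query.get("DisplayMode") == ["Edit"] and query.get("a") == ["/ToolPane.aspx"]


def find_hits(text):
    """Return (client IP, user agent) pairs for every matching request in the log."""
    return [(r["c-ip"], r["cs(User-Agent)"]) for r in parse_w3c(text) if is_toolpane_hit(r)]


if __name__ == "__main__":
    for ip, agent in find_hits(SAMPLE_LOG):
        print(f"{ip}\t{agent}")
```

On a real server, point the script at the IIS log directory of the SharePoint web application and extend the query check as new indicators are published.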
Older vulnerabilities not fully patched
The "Toolshell" vulnerability is a variant of two recently patched vulnerabilities from the "Pwn2Own" security competition, which took place in Berlin this year. In the FAQ for CVE-2025-53770, Microsoft admits that it did not do a thorough enough job of patching these vulnerabilities (CVE-2025-49704 and CVE-2025-49706): "Yes, the update [for the newer of the vulnerabilities] contains more robust protection measures than the update for [the older vulnerability]," the MSRC states.
(cku)