Patch your SharePoint, or it’ll patch you
Microsoft has rushed out emergency patches for CVE‑2025‑53770, a critical (CVSS 9.8) remote‑code‑execution flaw in on‑premises SharePoint Server. The bug, triggered by unsafe deserialisation in the machineAccountCheck function, is already being weaponised in the wild—at least 54 organisations have been hit, including banks, universities and government bodies. A related spoofing hole, CVE‑2025‑53771, was also fixed. The exploits, dubbed ToolShell, let attackers bypass identity controls, steal data and plant backdoors. SharePoint Online is safe, but all on‑prem versions prior to 4.3.11 (2016, 2019, Subscription Edition) must be updated. Admins are urged to patch now, rotate machine keys, enable AMSI, and consider pulling SharePoint off the internet until fully remediated. CISA has added CVE‑2025‑53770 to its KEV list with a 21 July 2025 deadline for US federal agencies.
Microsoft has lobbed a fire‑drill update at anyone still running SharePoint Server on‑prem, fixing a nasty bug that crooks are already poking with a sharp stick.
What’s the damage?
• CVE‑2025‑53770 scores a sweaty‑palms 9.8/10 and lets strangers run code on your server simply by sending poisoned data.
• A sidekick flaw, CVE‑2025‑53771, adds a spoofing cherry on top.
• Cloud‑hosted SharePoint in Microsoft 365? Relax. This one’s strictly an on‑prem fiasco.
Who’s being clobbered?
Banks, universities, even government departments—at least 54 so far. Palo Alto’s Unit 42 says if your SharePoint faces the open internet you should “assume compromise” and start incident response yesterday.
The quick‑fix menu
1. Install version 4.3.11 or later—no excuses.
2. Rotate those ASP.NET machine keys and restart IIS.
3. Turn on AMSI plus decent anti‑virus.
4. Still nervous? Yanking SharePoint’s plug from the internet is a perfectly respectable short‑term diet.
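As an added example (not code from the original post or from Microsoft), the following SharePoint Management Shell script walks steps 1 and 2 of the menu above: it records the farm build so it can be checked against the advisory, rotates the ASP.NET machine keys for every web application, and restarts IIS. It assumes it runs as a farm administrator on a SharePoint server; the cmdlet names are Microsoft's, the variable names are assumptions of this example.

```powershell
# Added example, not part of the original post. Covers steps 1 and 2 of the
# quick-fix menu. Assumes a farm-administrator session on a SharePoint
# server; the snap-in is already loaded in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1 check: record the farm build so it can be compared with the fixed
# build listed in Microsoft's advisory for your edition. The threshold is
# deliberately not hard-coded here; take it from the advisory.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Step 2a: rotate the ASP.NET machine keys for every web application,
# including Central Administration. Keys exposed before the update stay
# usable until they are rotated, so this step follows patching rather than
# replacing it.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Step 2b: restart IIS so worker processes pick up the new keys. Expect all
# existing user sessions and ViewState to be invalidated; schedule accordingly.
& iisreset.exe
```

Run the rotation once per farm (it is farm-wide) but the IIS restart on every front-end server.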
Remember: a compromised SharePoint isn’t just a dusty document store; it’s the key to Teams, OneDrive, Outlook—basically your entire Microsoft universe. Patch now or book a long holiday in Incident‑Response‑Land.