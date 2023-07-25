Authorities and researchers are sounding the alarm over the active mass exploitation of a high-severity vulnerability in Microsoft SharePoint Server that's allowing attackers to make off with sensitive company data, including authentication tokens used to access systems inside networks. Researchers said anyone running an on-premises instance of SharePoint should assume their networks are breached.

The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet.

Microsoft's cloud-hosted SharePoint Online and Microsoft 365 are not affected.

On Saturday, researchers from security firm Eye Security reported finding "dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC." The systems, scattered across the globe, had been hacked using the exploited vulnerability and then infected with a webshell-based backdoor called ToolShell.

The attackers are using the capability to steal SharePoint ASP.NET machine keys, which allow the attackers to stage hacks of additional infrastructure at a later time.

According to The Washington Post, at least two federal agencies have found that servers inside their networks were breached in the ongoing attacks.

In a post on Sunday, the US Cybersecurity and Infrastructure Security Agency confirmed the attacks and their use of ToolShell. The post went on to provide its own list of security measures.