SharePoint "ToolShell" RCE (CVE-2025-49704/CVE-2025-49706/CVE-2025-53770/CVE-2025-53771)
Description
A pre-authentication remote code execution chain in on-premises Microsoft SharePoint Server (Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016; SharePoint Online is not affected) lets an unauthenticated remote attacker run arbitrary code on the server with no user interaction. Publicly known as "ToolShell", the chain pairs an authentication bypass (CVE-2025-49706, a spoofing flaw in the ToolPane.aspx handling) with deserialization of untrusted data (CVE-2025-49704). CVE-2025-53770 and CVE-2025-53771 are variants that bypass the July 2025 fixes for those two issues. Microsoft has confirmed active exploitation of CVE-2025-53770 in the wild and is developing a comprehensive patch. Until an update is available for your version, apply the temporary mitigations Microsoft has published. Note that in-the-wild exploitation has been used to read the server's ASP.NET machine keys (ValidationKey and DecryptionKey), which let the attacker keep forging signed __VIEWSTATE payloads after the vulnerable code is fixed, so a patch on its own does not evict an attacker who already has them; the keys must be rotated as well.
Remediation
1. Immediately apply the temporary mitigations from https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ on every SharePoint server: enable AMSI integration for the farm in Full Mode (Central Administration, Security section) and make sure Microsoft Defender Antivirus, or another AMSI-capable antivirus, is installed, running and up to date, so that the malicious request is scanned before the deserialization happens. Deploy Microsoft Defender for Endpoint (or an equivalent EDR) as well. If AMSI cannot be enabled, disconnect the server from the internet until it has been patched.
2. Monitor for exploitation attempts and for post-exploitation artefacts: in the IIS W3C logs, POST requests to /_layouts/15/ToolPane.aspx (or /_layouts/ToolPane.aspx) with DisplayMode=Edit in the query string, especially with a Referer of /_layouts/SignOut.aspx or from an unauthenticated client; on disk, unexpected .aspx files in the TEMPLATE\LAYOUTS directory (the file dropped in the observed campaign is named spinstall0.aspx); and in process telemetry, w3wp.exe spawning cmd.exe or powershell.exe. Treat any hit as a confirmed compromise, not as an attempt.
3. Restrict network access to SharePoint servers (VPN, reverse proxy with authentication, or an allowlist of trusted source addresses) until patches are installed; the chain needs no credentials, so anything reachable from the internet is exposed.
4. Deploy Microsoft's security update for your SharePoint version as soon as it becomes available and has been tested in your environment.
5. After patching, rotate the ASP.NET machine keys for every web application (Update-SPMachineKey in the SharePoint Management Shell, or the Machine Key Rotation timer job in Central Administration) and restart IIS; without this step stolen keys remain valid. Then conduct a thorough review for prior compromise: user accounts and permissions, recently created or modified files under the SharePoint hives and IIS roots, scheduled tasks, and any web shells. If a server was internet-exposed without AMSI before the update, assume it was compromised.
6. Implement network segmentation so that SharePoint servers cannot reach domain controllers, backup infrastructure or other critical systems beyond what they need.
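The triage and mitigation steps above, collected into one PowerShell script as an added example; it is not part of the advisory and not Microsoft's own tooling. It assumes IIS W3C logging with the default field set (cs-method, cs-uri-stem, cs-uri-query, cs-username, cs(Referer)), logs under C:\inetpub\logs\LogFiles, the SharePoint PowerShell snap-in on the server, and that Update-SPMachineKey exists on the installed SharePoint build. The IIS log lines in $sampleLog are constructed for the example so that the hunting function can be exercised offline.

```powershell
# Added example (not from the advisory or from Microsoft): ToolShell triage for
# an on-premises SharePoint server. Functions are defined first; the key
# rotation is deliberately not invoked automatically because it changes the farm.

# --- 1. Hunt IIS logs for the known request pattern ----------------------------
# Exploitation is a POST to ToolPane.aspx with DisplayMode=Edit, observed with a
# Referer of /_layouts/SignOut.aspx and no authenticated user. Admins editing web
# parts also POST to ToolPane.aspx, so the two extra conditions drive the rating.
function Find-ToolShellRequests {
    param([string[]]$LogLines)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Column order comes from the header, so resolve indexes from it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $cols = $line -split '\s+'          # IIS encodes spaces in fields as '+'
        if ($cols.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $isToolPane = $row['cs-uri-stem'] -match '(?i)/_layouts/(15/)?ToolPane\.aspx$'
        $isEdit     = $row['cs-uri-query'] -match '(?i)DisplayMode=Edit'
        $signOutRef = $row['cs(Referer)'] -match '(?i)/_layouts/SignOut\.aspx'
        $anonymous  = $row['cs-username'] -eq '-'
        $isShell    = $row['cs-uri-stem'] -match '(?i)/spinstall\d*\.aspx$'

        $rating = $null
        if ($isShell)                                          { $rating = 'High: web shell request' }
        elseif ($row['cs-method'] -eq 'POST' -and $isToolPane) {
            if ($signOutRef)                 { $rating = 'High: SignOut referer' }
            elseif ($isEdit -and $anonymous) { $rating = 'Medium: anonymous edit POST' }
        }
        if ($rating) {
            [pscustomobject]@{
                Time    = "$($row['date']) $($row['time'])"
                Client  = $row['c-ip']
                User    = $row['cs-username']
                Status  = $row['sc-status']
                Uri     = $row['cs-uri-stem']
                Rating  = $rating
            }
        }
    }
}

# --- 2. Look for dropped files in the LAYOUTS directories ----------------------
function Find-ToolShellArtifacts {
    param([int]$RecentDays = 30)
    $hives = @('16', '15') | ForEach-Object {
        "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\$_\TEMPLATE\LAYOUTS"
    } | Where-Object { Test-Path $_ }
    foreach ($dir in $hives) {
        # The exact name from the observed campaign, plus any .aspx created recently
        # (a cumulative update also writes here, so compare against your patch date).
        Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'spinstall*.aspx' -or $_.CreationTime -gt (Get-Date).AddDays(-$RecentDays) } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# --- 3. Check the mitigation prerequisites on this server ----------------------
function Test-ToolShellMitigation {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DefenderRunning     = [bool]($mp -and $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)
        SignatureAgeHours   = if ($mp) { [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalHours } else { $null }
        AmsiProviderPresent = [bool]$providers   # an AV must register a provider for AMSI to scan anything
        # AMSI integration itself is a farm setting (Central Administration, Security);
        # confirm there that it is enabled in Full Mode. It cannot be read from here.
    }
}

# --- 4. Rotate the ASP.NET machine keys after the update is installed ----------
# Stolen ValidationKey/DecryptionKey values keep __VIEWSTATE forgery working after
# patching, so every web application gets new keys and IIS is restarted.
function Invoke-ToolShellKeyRotation {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa   # assumed available on this build
    }
    & iisreset.exe
}

# --- Constructed sample log (not real traffic) and usage ------------------------
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 14:05:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 http://10.0.0.5/_layouts/SignOut.aspx 200 0 0 842
2025-07-18 14:05:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 55
2025-07-18 14:10:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.0.1.30 Mozilla/5.0 http://10.0.0.5/sites/hr/default.aspx 200 0 0 300
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize   # two High hits, admin edit ignored
$realLogs = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' -ErrorAction SilentlyContinue
if ($realLogs) { $realLogs | Get-Content | Find-ToolShellRequests -LogLines $_ }
if ($realLogs) { Find-ToolShellRequests -LogLines ($realLogs | Get-Content) | Format-Table -AutoSize }
Find-ToolShellArtifacts | Format-Table -AutoSize
Test-ToolShellMitigation
# Invoke-ToolShellKeyRotation   # run on purpose, once, after the security update is installed
```

On the constructed sample the hunting function flags the anonymous POST with the SignOut referer and the request to spinstall0.aspx, and ignores the authenticated administrator editing a web part; a real log with any High-rated line should be handled as a compromised host rather than a blocked attempt, because the request only reaches ToolPane.aspx after the authentication bypass has already succeeded. The key rotation is kept behind a comment so that the script can be pasted into a session safely; run it once per farm after the update, then re-run the artifact search.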