By Naveen Athrappully
Hackers are exploiting vulnerabilities in on-premises Microsoft SharePoint servers, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced in a July 20 report.
SharePoint Servers are used by organizations to create a private intranet service that builds websites, manages document sharing, and supports other collaborative efforts within the company.
“This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” CISA said, adding that the scope and impact of the new remote code execution (RCE) attack are still being assessed.
Microsoft acknowledged the issue a day earlier. In a July 19 guidance report, the company said the exploitation attempts applied to on-premises SharePoint servers only. Cloud-based SharePoint Online in Microsoft 365 is a different system and is not affected.
The whole SharePoint suite is used by more than 200,000 organizations and 190 million people worldwide, according to the company.
The July security update only partially addresses existing vulnerabilities, Microsoft said. New security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 have been released.
Customers are advised to apply system updates immediately to ensure protection. Security updates for SharePoint 2016 users are not yet released.
Microsoft posted a list of ways that customers can mitigate the attacks. They include installing the latest security updates, running only supported versions of on-premises SharePoint Server, making sure the Antimalware Scan Interface (AMSI) is turned on and configured correctly in combination with an antivirus solution, deploying endpoint protection such as Microsoft Defender for Endpoint, and rotating the SharePoint Server ASP.NET machine keys.
More technical details for advanced hunting techniques and other mitigation efforts are on the Microsoft website.
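The machine-key rotation step above can be carried out from the SharePoint Management Shell. The following script is an added example, not Microsoft's or CISA's own code; it assumes an elevated SharePoint Management Shell on a farm server, that the farm's build number is compared manually against the patched builds Microsoft publishes, and that IIS is restarted on every server in the farm after rotation.

```powershell
# Added example (not from the Microsoft or CISA guidance): report the farm build
# and rotate the ASP.NET machine keys of every SharePoint web application.
# Assumptions: run in an elevated SharePoint Management Shell on a farm server;
# Update-SPMachineKey starts the farm-wide key rotation for a web application;
# IIS must be restarted on each server in the farm for the new keys to take effect.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the current farm build so it can be checked against the patched build
# numbers in Microsoft's advisory (placeholder: compare manually, not hard-coded).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the machine keys of each web application, including Central Administration,
# and keep a per-application record of success or failure for the change log.
$results = @()
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp
        $results += [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        $results += [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# New keys only apply after IIS restarts; repeat the restart on every farm server.
if ($results.Rotated -notcontains $false) {
    iisreset
} else {
    Write-Warning "Key rotation failed for at least one web application; IIS was not restarted."
}
```

Rotation invalidates existing view-state and forms-authentication tokens, so schedule it with the same care as any other farm-wide change.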
CISA Recommendations
To reduce the risks associated with the RCE exploitation attempts, CISA has several recommendations for organizations. It reiterated Microsoft’s guidance on enabling the Antimalware Scan Interface (AMSI) and Microsoft Defender on all servers.
If AMSI cannot be deployed immediately, the agency suggested companies disconnect all affected products from the internet and reconnect only after the threat is mitigated.
CISA asked organizations to follow the guidance in Binding Operational Directive (BOD) 22-01 for reducing the risk.
For detection and advanced threat hunting measures, organizations are asked to follow Microsoft’s advisory for the SharePoint Server spoofing vulnerability, CVE-2025-49706, which was released on July 8 and added to CISA’s Known Exploited Vulnerabilities catalog on July 20.
Companies should update intrusion prevention systems and web-application firewall rules to block exploit patterns and anomalous behavior, and implement comprehensive logging to identify exploitation activity.
Lastly, CISA advised organizations to audit and minimize layout and administrator privileges.
If a malicious actor has gained access, or an organization detects anomalous activity on its servers, the incident should be reported to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
As cloud platforms and related technologies have proliferated, there has been a corresponding uptick in sophisticated threat activity targeting the identity and authentication systems built on cloud infrastructure.
“As cloud infrastructure has become more ubiquitous—underpinning key government and critical infrastructure data—sophisticated nation-state affiliated actors have exposed limitations in token authentication, key management, logging mechanisms, third-party dependencies, and governance practices,” CISA said in a July 15 statement.
To counter these threats, CISA has called for an increase in private-public partnerships to safeguard cloud infrastructure.