
Advisory: Zero-Day Vulnerabilities in Microsoft SharePoint Under Active Exploitation

Microsoft has released urgent patches for two critical zero-day vulnerabilities in on-premises SharePoint Servers, identified as CVE-2025-53770 and CVE-2025-53771, which are actively exploited as part of the ToolShell attack chain. These vulnerabilities allow unauthenticated remote code execution, authentication bypass, and theft of cryptographic keys, resulting in persistent unauthorized access.
Affected Systems
  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016
 
Security Risks
The identified vulnerabilities allow attackers to bypass security controls, remotely execute code, and steal cryptographic materials, compromising both the SharePoint environment and integrated Microsoft services.
 
For full guidance on addressing these vulnerabilities, please refer to Microsoft Customer Guidance for SharePoint Vulnerability CVE-2025-53770, which provides detailed mitigation steps and update instructions.
 
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that users and system administrators take the following actions to mitigate the active exploitation of these vulnerabilities:
  • Update immediately to the latest supported version of Microsoft SharePoint Server to address the vulnerabilities and mitigate associated risks.
  • Follow the guidance provided by Microsoft and implement the recommended mitigations to minimize the risk of exploitation.
  • Ensure you have a recent backup that can be restored easily before applying updates or workarounds.
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.

22 July 2025

© 2025 National Cyber Security Authority