
SharePoint Security Alert: Critical Zero-Day Vulnerabilities and Emergency Updates

Recent zero-day vulnerabilities in SharePoint have exposed serious “ToolShell” risks, prompting Microsoft to issue an update and then an emergency patch when the original fix wasn’t enough. We break down the latest SharePoint security flaws and the steps administrators need to take, which go beyond just applying patches.

The ‘zero day’ security hole affects SharePoint servers, so this is a problem for administrators running their own SharePoint servers: SharePoint Server Subscription, SharePoint Server 2019 or 2016.

SharePoint Online, hosted by Microsoft, is not affected. Or perhaps the security hole was quickly patched; we may never know.

There’s more to do than just apply the latest security patches. This is from Microsoft:

After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Follow the PowerShell guidance in Improved ASP.NET view state security and key management.

To update the machine keys for a web application using PowerShell:

  1. Generate the machine key in PowerShell using Set-SPMachineKey -WebApplication <SPWebApplicationPipeBind>.
  2. Deploy the machine key to the farm in PowerShell using Update-SPMachineKey -WebApplication <SPWebApplicationPipeBind>.

After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.

If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.

Details for administrators at Customer guidance for SharePoint vulnerability CVE-2025-53770.
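
The rotation steps quoted above, applied to every web application and every server in a farm. This is an added example, not Microsoft's or Office Watch's script; it assumes an elevated SharePoint Management Shell on one farm server and PowerShell remoting (WinRM) enabled to the others.

```powershell
# Added example (not Microsoft's script). Run after the security update is installed.
# Assumption: PowerShell remoting (WinRM) works from this server to every farm server.
$ErrorActionPreference = 'Stop'

# 1. Rotate the machine key for every web application in the farm.
#    Note: Get-SPWebApplication returns Central Administration only when
#    -IncludeCentralAdministration is specified.
$webApps = Get-SPWebApplication
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Set-SPMachineKey    -WebApplication $wa   # generate a new key
    Update-SPMachineKey -WebApplication $wa   # deploy it to the farm
}

# 2. Restart IIS on every SharePoint server. Role 'Invalid' marks hosts that
#    are registered in the farm but do not run SharePoint (e.g. the SQL Server).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
$failed  = @()
foreach ($s in $servers) {
    try {
        Invoke-Command -ComputerName $s.Address -ErrorAction Stop -ScriptBlock {
            & iisreset.exe /restart | Out-String
            if ($LASTEXITCODE -ne 0) { throw "iisreset exit code $LASTEXITCODE" }
        } | Out-Null
        Write-Host "IIS restarted on $($s.Address)"
    } catch {
        Write-Warning "IIS restart failed on $($s.Address): $_"
        $failed += $s.Address
    }
}

# 3. The rotation is only complete once every server has restarted IIS,
#    so list any server that still needs a manual iisreset.
if ($failed.Count -gt 0) {
    Write-Warning "Restart IIS manually on: $($failed -join ', ')"
} else {
    Write-Host "Keys rotated for $($webApps.Count) web application(s); IIS restarted on $($servers.Count) server(s)."
}
```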

Get it right the second time

This wasn’t one of Microsoft’s better security efforts.

Back in May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, to create a “ToolShell” attack that allows remote code execution on the server.

The original zero-day SharePoint vulnerabilities (known as CVE-2025-53770 and CVE-2025-53771) date from at least July 18th, with 85 servers compromised worldwide.

In their July Patch roundup, Microsoft claimed to have patched both ToolShell flaws. But not for long: the company had to issue another warning because the hackers quickly found ways to bypass the latest patches with new exploits.

That’s why there are now emergency patches (sorry, the approved Microsoft euphemism is “out of band” or OOB update). We can only hope that this second attempt really will fix the SharePoint security hole.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.
