ToolShell zero-days strike SharePoint servers globally

July 25, 2025 at 12:00 AM

Cybercriminals are actively exploiting two zero-day vulnerabilities in on-premises Microsoft SharePoint servers, tracked as CVE-2025-53770 and CVE-2025-53771 and collectively dubbed ToolShell. ESET reports that the campaign is global, with the United States accounting for 13.3% of observed attacks, the highest share of any country.

Why it matters

  • On-prem SharePoint remains a high-value target for initial access and data theft.
  • ToolShell exploitation highlights the urgency of rapid patching and tight exposure control.

What security teams should do now

  • Monitor vendor advisories and apply SharePoint updates and mitigations as they are released.
  • Reduce internet exposure; place SharePoint behind VPN or a hardened reverse proxy with strict access controls.
  • Enforce MFA and least privilege for SharePoint admin and service accounts.
  • Increase logging and monitoring (authentication events, anomalous web requests, suspicious script activity) and investigate alerts promptly.
  • Use EDR/XDR to spot post-exploitation behavior, and validate backups and incident response playbooks.

For more details, watch the brief update from ESET Chief Security Evangelist Tony Anscombe and read the full blog post for the latest findings.

Source: WeLiveSecurity