At least 85 Microsoft SharePoint servers worldwide have already been breached in attacks involving a pair of critical SharePoint zero-day flaws, tracked as CVE-2025-53770 and CVE-2025-53771, which have been underway since Friday, reports BleepingComputer.
Both vulnerabilities circumvent previously issued fixes for ToolShell bugs, tracked as CVE-2025-49706 and CVE-2025-49704, according to Microsoft, which has already released updates for SharePoint Server 2019 and SharePoint Subscription Edition. "...[T]he update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706," said Microsoft, which has yet to fix the issues in SharePoint 2016. Attacks involving the zero-days were initially observed by Eye Security. Such intrusions have already prompted the Cybersecurity and Infrastructure Security Agency to include CVE-2025-53770 in its Known Exploited Vulnerabilities list, with federal agencies urged to apply remediations within a day of the advisory. "CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action," said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera.
Both vulnerabilities circumvent previously issued fixes for ToolShell bugs, tracked as CVE-2025-49706 and CVE-2025-49704, according to Microsoft, which has already released updates for SharePoint Server 2019 and SharePoint Subscription Edition. "...[T]he update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706," said Microsoft, which has yet to fix the issues in SharePoint 2016. Attacks involving the zero-days were initially observed by Eye Security. Such intrusions have already prompted the Cybersecurity and Infrastructure Security Agency to include CVE-2025-53770 in its Known Exploited Vulnerabilities list, with federal agencies urged to apply remediations within a day of the advisory. "CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action," said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera.




