Threat actors have been observed exploiting a critical zero-day vulnerability, CVE-2025-53770 (aka ToolShell, a variant of CVE-2025-49706), which impacts Microsoft SharePoint servers. HHS recommends that all Healthcare and Public Health (HPH) sector partners review these vulnerabilities, search internal systems for indicators of compromise, and apply the appropriate mitigations.
While Microsoft patched both ToolShell flaws as part of July’s Patch Tuesday, threat actors were able to bypass the fixes with new exploits. Unlike typical SharePoint exploits, which require compromised credentials or insider access, ToolShell significantly lowers the barrier to entry for cybercriminals targeting enterprise networks. The authentication bypass vulnerability requires no credentials and allows attackers to circumvent security controls and access protected APIs simply by manipulating HTTP headers.
CVE-2025-53770 is a remote code execution vulnerability affecting on-premises SharePoint servers; an actor can exploit it to gain unauthenticated access, escalate privileges, and achieve complete system compromise. Microsoft has released updates for SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 for SharePoint Subscription Edition and SharePoint 2019. These vulnerabilities apply to on-premises SharePoint Servers only; SharePoint Online in Microsoft 365 is not impacted. Microsoft is actively working on updates for SharePoint 2016. Compounding the threat is an additional vulnerability, CVE-2025-49704, which enables authenticated attackers with Site Owner privileges to execute arbitrary code remotely. This critical remote code execution flaw results from improper input validation in SharePoint’s code generation mechanisms, allowing attackers to inject and execute malicious code on targeted servers.
We recommend the HPH community follow Microsoft’s published customer guidance to address CVE-2025-53770 and use the point of contact that has been established. CISA has also added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Furthermore, Palo Alto Networks Unit 42 and Eye Security have provided Indicators of Compromise.