Security Alert: Microsoft SharePoint Zero-Day Vulnerability Under Attack

On Saturday, July 19, Microsoft disclosed a critical authentication validation vulnerability in its on-premises SharePoint software.
The exploitation activity, known as “ToolShell,” provides unauthenticated access to systems, enabling malicious actors to fully access SharePoint content, including file systems and internal configurations. This critical zero-day vulnerability (CVE-2025-53770) enables remote code execution (RCE), allowing attackers to execute arbitrary code on SharePoint systems exposed to the public internet.
Reports of widespread exploitation make it critical to prioritize patching immediately.
Systems exposed to the internet are highly likely to be compromised if they haven’t already been. Patches are now available for both SharePoint 2016 and SharePoint 2019. An update is available for SharePoint Subscription Edition and should be applied immediately.
There have been public reports that the initial mitigation guidance based on the Windows Antimalware Scan Interface (AMSI) can be bypassed, making patching the only proper remediation path.
What happened?
Microsoft SharePoint is widely used software that enables companies to store, share, and manage their internal files. The vulnerability affects versions of SharePoint that companies set up and manage on their own servers (on-premises deployments).
The Eye Security researchers who discovered the bug said they found “dozens” of actively exploited Microsoft SharePoint servers online at the time of its publication. Eye Security warned that SharePoint integrates with other apps, such as Outlook, Teams, and OneDrive, which may facilitate further network compromise and data theft.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also alerted that hackers were actively exploiting the bug. Several U.S. federal agencies, universities, and energy companies have already been breached in the attacks.
How do businesses address this?
In addition to patching and/or removing the system(s) from the internet, businesses should also conduct an analysis to determine whether the system(s) have already been compromised. Indicators of compromise include the presence of unexpected ASPX web shells with the common names spinstall0.aspx, spinstall1.aspx, and info3.aspx.
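As an added illustration of the compromise check described above (this is example code written for this post, not a tool from Coalition or Microsoft), the script below walks a SharePoint web root for files carrying the three web shell names listed as indicators of compromise and cross-checks W3C-format IIS logs for requests to those same names. The directory tree, the placeholder file contents, the IP addresses, and the log lines are all constructed for the example; the /_layouts/15/ path prefix is only a sample location, and real scans should cover every directory the web server can serve.

```python
"""Check a SharePoint host for the web shell names named in the advisory.

Added example for this post, not Coalition's or Microsoft's code. The sample
directory tree and IIS log lines below are constructed for illustration.
"""
import os
import tempfile

# File names the advisory lists as indicators of compromise (case-insensitive).
WEBSHELL_NAMES = {"spinstall0.aspx", "spinstall1.aspx", "info3.aspx"}


def is_ioc_name(path):
    """True if the base name of a file path or URI matches a known web shell name."""
    return os.path.basename(path).lower() in WEBSHELL_NAMES


def scan_tree(root):
    """Walk `root` and return the sorted full paths of files with IoC names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_ioc_name(full):
                hits.append(full)
    return sorted(hits)


def scan_iis_log(lines):
    """Return (timestamp, client_ip, uri_stem) for requests to an IoC name.

    Field positions are taken from the '#Fields:' directive rather than assumed,
    so the check survives non-default IIS logging configurations. IIS writes
    '+' for spaces inside fields, so whitespace splitting is safe.
    """
    field_index = None
    hits = []
    for line in lines:
        if line.startswith("#Fields:"):
            field_index = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if not line.strip() or line.startswith("#") or field_index is None:
            continue  # directive, blank line, or data before any #Fields header
        fields = line.split()
        try:
            uri = fields[field_index["cs-uri-stem"]]
            client_ip = fields[field_index["c-ip"]]
            when = fields[field_index["date"]] + " " + fields[field_index["time"]]
        except (KeyError, IndexError):
            continue  # log lacks a needed column or the line is truncated
        if is_ioc_name(uri):
            hits.append((when, client_ip, uri))
    return hits


# Constructed IIS log excerpt: two requests to a web shell name from one client,
# plus ordinary traffic that must not be flagged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-19 03:20:17 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.44 Mozilla/5.0 200
""".splitlines()


def demo():
    """Build a constructed SharePoint-like tree in a temp dir, scan it and the sample log.

    Returns (file_hits, log_hits); file paths are relative to the tree root with
    '/' separators so the result reads the same on Windows and Linux.
    """
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
        os.makedirs(layouts)
        for name in ("default.aspx", "spinstall0.aspx", "INFO3.ASPX"):
            with open(os.path.join(layouts, name), "w", encoding="utf-8") as fh:
                fh.write('<%@ Page Language="C#" %>\n')  # placeholder content only
        file_hits = [os.path.relpath(p, root).replace(os.sep, "/") for p in scan_tree(root)]
    log_hits = scan_iis_log(SAMPLE_IIS_LOG)
    return file_hits, log_hits


if __name__ == "__main__":
    files, requests = demo()
    print("Files with web shell names:", files)
    for when, ip, uri in requests:
        print(f"{when}  {ip}  {uri}")
```

A hit from either check is a reason to treat the server as compromised and follow the key rotation step below; an empty result is not proof of a clean system, since the names above are only the commonly observed ones and an attacker can rename a web shell.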
Lastly, exploitation of this vulnerability involves exfiltration of ASP.NET Machine Keys, which are subsequently used to sign requests and allow remote code execution. If the machine has been compromised, it is critically important to rotate the machine keys to prevent ongoing remote code execution.
Who's at risk?
The majority of Coalition’s policyholders impacted by this vulnerability were small and midsize businesses by revenue (83%), with most having fewer than 50 employees (51%).
The most impacted industries were Hotels, Restaurants, and Leisure/Hospitality (25%), Professional Services (11%), and Non-Profits (11%).
How is Coalition responding?
With urgent vulnerabilities like this, Coalition acts quickly to notify those impacted as soon as possible. Coalition notified all impacted policyholders within 24 hours of the original disclosure, on Sunday, July 20, through Coalition Control®, our unified cyber risk management platform.
Coalition recommends that businesses follow the steps outlined in Microsoft’s remediation guidance as it is updated. We are closely following the situation as it evolves and will share updates with policyholders as needed.
For any questions about this vulnerability or assistance with mitigation, please contact Coalition’s Security Support Center (securitysupport@coalitioninc.com).
This blog post is designed to provide general information on the topic presented and is not intended to constitute the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The statements contained herein are not a proposal of insurance but are for informational purposes only. Insurance coverage is subject to and governed by the terms and conditions of the policy as issued. Coalition makes no representations regarding coverages, exclusions or limitations in any products offered on behalf of any insurer. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, or assume responsibility or liability for the content, privacy policy or practices of any such third-party websites. Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.