The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, one of its highest-level alerts, ordering all federal agencies to immediately patch a critical vulnerability in Microsoft SharePoint. The reason for this drastic measure is the active and massive exploitation of a security flaw, nicknamed “ToolShell,” which is being used by ransomware groups and state actors to attack servers around the world. This crisis does not only affect governments; it is an urgent wake-up call for the thousands of companies that run SharePoint on their own servers and could be exposed without knowing it.
What is “ToolShell”? The anatomy of a silent attack
“ToolShell” refers to the exploitation of a critical vulnerability (registered as CVE-2025-53770) that affects the versions of SharePoint that companies install and manage on their own servers (the on-premises model). Its danger is extreme for several reasons:
- It Allows Access Without Authentication: This is its most serious feature. An attacker does not need a username or password to exploit the flaw. Simply by sending a crafted web request, they can execute code remotely on the server.
- It Grants Total Control: Once inside, attackers can steal all the information stored in SharePoint, which often includes an organization’s most sensitive documents (contracts, financial reports, employee data).
- It Creates Persistent Access: Attackers don’t just enter and steal; they install webshells or backdoors. This allows them to extract the server’s cryptographic keys. With these keys, they can re-enter whenever they want, even if the company changes passwords or applies the security patch later.
The paradox of the self-hosted server: false control, real risk
Interestingly, this vulnerability does not affect companies that use SharePoint Online through Microsoft 365, since Microsoft manages and patches that infrastructure directly. The crisis targets organizations that maintain the software on-premises.
This highlights a dangerous paradox in the business world. Many companies keep their data on their own servers under a false sense of greater control and security. However, they often lack the resources or discipline necessary to maintain a constant monitoring and patching cycle. The reality is that complacency is the greatest vulnerability, and a system without proper maintenance is an easy target, no matter where it is hosted.
Emergency guide: immediate steps to protect your company
In light of CISA’s directive and the evidence of massive attacks, companies using SharePoint Server 2016, 2019, or Subscription Edition must act immediately.
- Identify and Isolate: The first step is to determine whether you have vulnerable SharePoint servers exposed to the internet. If so, the most drastic but safest recommendation is to isolate them from the network immediately to cut off any possible external access.
- Patch Immediately: Microsoft has already published the security patches for the vulnerability CVE-2025-53770. It is absolutely critical to apply these updates on all affected servers without delay.
- Assume the Breach: Hunt and Eradicate: Because of the risk of persistent access, patching is not enough. Organizations must operate under the assumption that they have already been compromised. This means actively looking for indicators of an attack (such as suspicious files on the servers) and, fundamentally, rotating all credentials, application keys, and certificates associated with SharePoint to invalidate any access attackers may have stolen.
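One way to script the patch check, the file hunt and the key rotation described above on a single server, as an added example that is not part of the article and not Microsoft’s own guidance; it is written for the SharePoint Management Shell, and the default 16-hive LAYOUTS path, the placeholder minimum build number and the availability of Update-SPMachineKey in your SharePoint version are assumptions:

```powershell
# Added defender's triage script (not from the article or from Microsoft).
# Run in the SharePoint Management Shell as a farm administrator.
param(
    [version]$MinimumBuild = [version]'0.0.0.0',   # PLACEHOLDER: replace with the patched build Microsoft lists for CVE-2025-53770
    [int]$LookbackDays = 30,                       # how far back to look for recently written files
    [switch]$RotateKeys                            # opt in to rotating ASP.NET machine keys
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Patch check: compare the farm build with the minimum patched build.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumBuild) {
    Write-Warning "Farm build $farmBuild is below $MinimumBuild - apply the update before continuing."
} else {
    Write-Host "Farm build $farmBuild meets the minimum patched build."
}

# 2. Hunt: script-capable files written recently under LAYOUTS (assumed default hive path),
#    one of the directories to review for dropped webshells. Every hit needs a human look.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since = (Get-Date).AddDays(-$LookbackDays)
$suspect = Get-ChildItem -Path $layouts -Recurse -Include *.aspx,*.ashx,*.asmx,*.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since }
if ($suspect) {
    Write-Warning "Files written under LAYOUTS in the last $LookbackDays days - review each one:"
    $suspect | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No recently written script or DLL files found under LAYOUTS."
}

# 3. Rotate: invalidate stolen machine keys for every web application
#    (assumes Update-SPMachineKey exists in this SharePoint version), then restart IIS
#    so the new keys take effect on this server. Repeat the restart on every farm member.
if ($RotateKeys) {
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine keys for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    iisreset
}
```

The file hunt only flags candidates by write time; an attacker can reset timestamps, so treat an empty result as one data point and still rotate keys and credentials as the step above requires.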
This crisis is a wake-up call for the entire sector. The security of digital infrastructure no longer depends solely on having physical control, but on maintaining a constant cybersecurity and monitoring process.