Attackers are currently exploiting vulnerable SharePoint servers.
On July 20, Microsoft warned that CVE-2025-53770 (nicknamed “ToolShell”) is being actively exploited on on-premises SharePoint Server instances worldwide and currently has no available patch. Attackers have used the flaw to install webshells, steal MachineKey cryptographic secrets, and achieve unauthenticated remote code execution on compromised servers, with major exploit waves observed July 18–19. Until a fix ships, Microsoft urges customers to enable AMSI integration, deploy Defender Antivirus and Defender for Endpoint, tighten IPS/WAF rules, audit admin privileges, and monitor for POSTs to /_layouts/15/ToolPane.aspx and creation of spinstall0.aspx webshells.
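One way to run the monitoring step above over web server logs, as an added example that is not Microsoft's or the original page's code. It assumes IIS W3C-format logs with a `#Fields:` header, treats requests for spinstall0.aspx as a proxy for the file's presence (file creation itself needs file-system or EDR telemetry), and uses a hypothetical function name `scan` and constructed log lines.

```python
"""Added example: flag the two ToolShell indicators in IIS W3C logs."""

TOOLPANE = "/_layouts/15/toolpane.aspx"   # path named in the text above
WEBSHELL = "spinstall0.aspx"              # webshell file name named in the text

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 18:06:01 192.0.2.10 GET /_layouts/15/start.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-18 18:06:07 192.0.2.10 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2025-07-18 18:06:09 192.0.2.10 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2025-07-18 18:07:30 192.0.2.10 GET /_layouts/15/ToolPane.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2025-07-19 02:11:44 192.0.2.10 POST /sites/hr/_layouts/15/toolpane.aspx - 443 - 203.0.113.5 Mozilla/5.0 401
"""

def scan(lines):
    """Return one dict per suspicious request, using the #Fields header for layout."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed record
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        # _layouts is exposed under every site, so match on the path suffix.
        if row.get("cs-method", "").upper() == "POST" and stem.endswith(TOOLPANE):
            reason = "POST to ToolPane.aspx"
        elif stem.rsplit("/", 1)[-1] == WEBSHELL:
            reason = "request for spinstall0.aspx"
        else:
            continue
        hits.append({"when": f"{row.get('date')} {row.get('time')}",
                     "client": row.get("c-ip"), "status": row.get("sc-status"),
                     "uri": row.get("cs-uri-stem"), "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit on the webshell name with a 200 status warrants host triage, including a check for the file on disk.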