On July 19, 2025, Microsoft disclosed a critical vulnerability in on-premises SharePoint servers, and it’s already being actively exploited. A global campaign by the Linen Typhoon, Violet Typhoon, and Storm-2603 groups is targeting unpatched on-prem environments, using exposed endpoints to gain control, extract sensitive data, and move laterally across networks. For organizations still relying on on-prem SharePoint, this isn’t a theoretical risk. This is happening now, and action is urgent.
AVASOFT supports organizations in identifying exposure, mitigating vulnerabilities, and preparing for secure upgrades or cloud migration to reduce risk and modernize collaboration environments.
This article explains how exploits work, their potential impact, and the steps required to improve security across your SharePoint platform.
What is SharePoint Server vulnerability, and who is affected?
The vulnerability refers to a critical security flaw that allows attackers to upload malicious files and execute arbitrary code on affected servers. It poses a heightened risk for organizations operating in-house SharePoint environments without proper security controls.
This primarily affects:
- SharePoint Server 2016
- SharePoint Server 2019
- Older versions like SharePoint 2013, which, though no longer supported, may still be vulnerable due to similar architectural weaknesses.
The root cause lies in insecure deserialization, file upload weaknesses, and missing advanced security controls often found in cloud platforms. Unlike SharePoint Online, on-premises environments depend on manual patching, leaving them more exposed.
Inside the ToolShell exploit campaign
A targeted campaign exploiting this vulnerability, known as ToolShell, has already impacted over 400+ organizations globally, including critical infrastructure and government entities.
The attack, linked to threat actors such as Linen Typhoon, Violet Typhoon, and Storm-2603, begins with the exploitation of exposed endpoints. Attackers deploy web shells, escalate privileges through SharePoint App Pool identities, and move laterally to compromise broader systems.
These exploits, tracked as CVE-2025-53770 and CVE-2025-53771, are not based on zero-day vulnerabilities; they rely on the failure to apply cumulative updates or the continued use of unsupported versions. Systems exposed to the internet without protection or patching are prime targets for attack.
Microsoft’s telemetry confirms a surge in attacks on unpatched environments, with many leading to long-term compromise.
So, how does SharePoint vulnerability work?
Attackers begin by uploading malicious scripts or web shell files through exposed or misconfigured endpoints that are insufficiently secured. Once deployed to the SharePoint Server, these files can be executed remotely, often bypassing authentication and access controls.
In many instances, the attack does not require elevated user privileges; misconfigured systems alone can grant the necessary access for execution. Older or unmanaged setups are especially susceptible, as they frequently lack the layered defenses and monitoring capabilities needed to detect or interrupt this type of activity.
These tactics make it easier for threat actors to compromise tangible risks across systems, data, and operations.
Security risks from SharePoint vulnerability
Exploiting this vulnerability can trigger widespread security breaches beyond the targeted SharePoint Server. Once inside, attackers can maintain persistent access, steal sensitive data, and navigate across internal systems, posing serious operational and data security risks.
Key risks include:
- Run Remote Commands: Perform harmful actions without requiring internal or physical access to the firm’s network.
- Retain Ongoing Access: Install scripts that enable repeated entry, often bypassing standard security tools and surviving system reboots.
- Expose Sensitive Data: Access internal documents, login credentials, and confidential content stored within SharePoint libraries and lists.
- Move Across Systems: Pivot from the compromised server to other connected systems, expanding the breach.
These risks highlight how a single point of entry can compromise multiple layers of your IT environment. To prevent further exposure, it’s essential to examine the underlying security gaps within SharePoint systems.
Microsoft recommends migration to SharePoint Online
In the active exploitation and escalating security threats, Microsoft has formally urged organizations to accelerate migration to SharePoint Online. SharePoint Online delivers:
- Built-in Zero Trust controls
- Real-time patching and threat monitoring
- Reduced attack surface and admin overhead
This guidance from Microsoft underlines a broader shift toward secure, cloud-first collaboration environments.
At AVASOFT, we help organizations act on this advice. Whether you need support for vulnerability mitigation, version upgrades, or full migration to SharePoint Online, our experts are here to assist securely with our best practices and strategies.
Securing on-premises SharePoint with targeted best practices
Mitigating the risk posed by this vulnerability requires a combination of immediate technical fixes and long-term strategic planning. At AVASOFT, we follow and recommend the following best practices to protect your SharePoint infrastructure from evolving threats:
- Apply Security Updates Immediately: Patch all supported SharePoint versions with Microsoft’s latest cumulative updates.
- Enable Threat Detection: Activate AMSI integration and run Microsoft Defender Antivirus in active mode across all servers.
- External Access: Where detection tools can’t be enabled, disable public SharePoint access to prevent endpoint attacks.
- Monitor Server Logs: Continuously review logs for red flags like unknown file uploads, permission changes, or command execution attempts.
- Plan a Secure Migration: Assess readiness for version upgrades or cloud migration, ensuring a secure and low-risk transition.
By implementing these best practices, AVASOFT strengthens your SharePoint security posture while preparing your platform for sustained protection and future scalability.
Final thoughts
Self-hosted SharePoint systems continue to play a critical role in business operations, but only when supported by layered defenses and consistent oversight. Delays in applying patches or upgrading platforms significantly increase the likelihood of compromise, often affecting more than just the SharePoint configuration. Whether your priority is to address current vulnerabilities or to prepare for a long-term modernization strategy, taking the right steps now is essential to maintaining a secure and resilient infrastructure.
AVASOFT helps organizations evaluate their SharePoint environments, implement targeted security controls, and plan secure transitions to supported or cloud-based platforms. If you’re looking to protect your collaboration systems and reduce exposure, our experts are ready to guide you.
