CVE-2025-53770 & CVE-2025-53771 are variants of the existing vulnerabilities CVE-2025-49704 & CVE-2025-49706.
This exploitation activity, publicly reported as “ToolShell”, provides unauthenticated access to systems and gives malicious actors full access to SharePoint content, including file systems and internal configurations. It could also allow code execution and persistent access through exfiltration of IIS machine keys.
What’s happening
Systems affected
On-premises SharePoint Servers.
What this means
On-premises SharePoint Servers exposed to the internet could be vulnerable to exploitation by a remote, unauthenticated attack.
What to look for
How to tell if you’re at risk
On-premises SharePoint servers exposed to the internet are at risk of being exploited.
How to tell if you’re affected
Refer to the Microsoft Security Advisory.
What to do
Prevention
Refer to the Microsoft Security Advisory.