
Critical SharePoint Vulnerability Under Active Exploitation — What South West Organisations Must Do Now

  • emmamoss58
  • Jul 25
  • 3 min read



The National Cyber Security Centre (NCSC) has issued a high-severity warning about active exploitation of zero-day vulnerabilities targeting on‑premises Microsoft SharePoint Server installations in the UK and globally. This critical SharePoint vulnerability is under active exploitation: the flaw, referred to as "ToolShell", enables unauthenticated attackers to execute remote code, steal cryptographic keys, and establish persistent control over compromised systems. Even organisations that thought they were safeguarded may be at risk.


Who’s Affected?

This vulnerability—tracked as CVE‑2025‑53770 and linked to CVE‑2025‑53771—is found in:

  • SharePoint Server Subscription Edition

  • SharePoint Server 2019

  • SharePoint Server 2016


Cloud-based SharePoint users (e.g., Microsoft 365) are not affected. The NCSC confirms that a limited number of UK organisations have already been targeted. Globally, over 75 servers across government, education, enterprise, and energy sectors have been breached. Affected servers often contain sensitive corporate data and may serve as gateways to broader networks.


Why This Matters Locally

SharePoint is widely used across the South West—particularly by councils, education institutions, legal firms, SMEs and public sector bodies—to host documents, collaborate, and run business workflows. A successful breach exposes sensitive data and potentially grants attackers access to email, Teams, OneDrive, and domain-wide systems.


What You Must Do Immediately

If your organisation uses on-premises SharePoint Server, take the following actions without delay:


  1. Apply the July 2025 security updates for your SharePoint version (Subscription Edition, 2019, or 2016) as published by Microsoft.

  2. Verify all broader system patches from Microsoft’s July security updates are installed.

  3. Enable the Antimalware Scan Interface (AMSI) in SharePoint and deploy Defender Antivirus (or equivalent). For best protection, configure AMSI in full mode.

  4. Deploy Microsoft Defender for Endpoint (or similar solution) to detect post-exploitation behaviour.

  5. Rotate SharePoint Server’s ASP.NET (machine) keys and restart IIS after patching to prevent reuse of compromised cryptographic materials.

  6. Scan for evidence of past exploitation using provided Microsoft and CISA threat-hunting guidance.

  7. Disconnect vulnerable servers from the internet if you cannot patch or enable AMSI immediately. Use VPN or authentication gateways until mitigations are in place.
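The following PowerShell runbook is an added example, not code from the SWCRC post or from Microsoft. It turns steps 1, 5 and 6 above into repeatable checks that can be run in an elevated SharePoint Management Shell on each on-premises SharePoint server: it records the farm build for comparison against the patched build Microsoft publishes, rotates the ASP.NET machine keys and restarts IIS once patching is confirmed, and lists recently written server-side page files in the LAYOUTS directory as a triage lead. The patched build number is a placeholder to be taken from Microsoft's July 2025 advisory for your edition; the LAYOUTS path is assumed to be the default install location; `Update-SPMachineKey` is used with its documented `-WebApplication` parameter.

```powershell
# Added example (not from the SWCRC post or from Microsoft). Run in an elevated
# SharePoint Management Shell on every on-premises SharePoint server.
# Placeholders and assumptions are marked inline.

# Load the SharePoint cmdlets if this is a plain PowerShell session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# --- Step 1: compare the farm build with the patched build Microsoft lists ---
# Placeholder: set this to [Version]'<build from Microsoft's July 2025 advisory>'.
$requiredBuild = $null
$currentBuild  = (Get-SPFarm).BuildVersion
Write-Host "Farm build version: $currentBuild"
if ($null -eq $requiredBuild) {
    Write-Warning "Set `$requiredBuild from Microsoft's advisory before trusting the patch check."
} elseif ($currentBuild -lt $requiredBuild) {
    Write-Warning "Farm build $currentBuild is below $requiredBuild: the July 2025 update is NOT applied."
} else {
    Write-Host "Farm build $currentBuild meets the required build $requiredBuild."
}

# --- Step 5: rotate ASP.NET machine keys and restart IIS (after patching) ---
# Rotating before the update is installed leaves the new keys exposed to the
# same flaw, so this is gated behind an explicit switch.
$rotateKeys = $false   # set to $true only once the security update is confirmed
if ($rotateKeys) {
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    # Worker processes only pick up the new keys after an IIS restart.
    & iisreset.exe
}

# --- Step 6: triage lead for past exploitation ---
# Assumed default LAYOUTS path for SharePoint 2016/2019/Subscription Edition.
$layoutsDir = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since = (Get-Date).AddDays(-30)   # constructed look-back window; adjust to your needs
Write-Host "Server-side page files written under LAYOUTS since $since :"
Get-ChildItem -Path $layoutsDir -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Files written under LAYOUTS are a lead rather than proof: legitimate patch installs also touch this directory, so compare each hit against your update installation times and against the indicators in the Microsoft and CISA hunting guidance the post refers to before treating a server as compromised. Keep `$rotateKeys` off until the build check passes, and repeat the rotation on every server in the farm.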


Prepare Your Incident Response

If you identify signs of a compromise or suspect your server may already be breached:


  • Activate your incident response playbook—including escalation, forensic support, external expert consultation, and communication protocols.

  • Report issues to the NCSC and other regulators where necessary, and notify insurers and affected stakeholders.

  • Engage professional security responders to conduct deep investigation, containment, and remediation.


Take This as a Wider Warning Signal

This SharePoint zero-day demonstrates the critical need for robust patch management, extended supply chain awareness, and proactive threat monitoring. As systems like SharePoint integrate with wider Microsoft services, any breach can quickly escalate across domains—including Outlook, Teams, OneDrive, and domain controllers.


How the SWCRC Can Support Businesses in the South West


At the South West Cyber Resilience Centre, we provide guidance and support to organisations navigating high-risk incidents like this. Our services include:


  • Risk and vulnerability assessments

  • Incident response planning and testing

  • Advice on installing and configuring AMSI and Defender tools

  • Expert assistance for incident investigations and notifications


If your organisation uses on-prem SharePoint—or relies on third-party providers who may—please act immediately. Reach out to the SWCRC team for help with implementing this urgent guidance and addressing any gaps in your cyber resilience posture.


Stay alert. Act swiftly. Protect your organisation.


The risk is active—but timely action can make all the difference.
