- Posted July 21, 2025
The NCSC would like to draw your attention to CVE-2025-53770 and CVE-2025-53771 affecting on-premises Microsoft SharePoint servers.
The NCSC is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorised access to on-premise SharePoint servers.
SharePoint Online in Microsoft 365 is not impacted.
CVE-2025-53770(external link) & CVE-2025-53771(external link) are variants of the existing vulnerabilities CVE-2025-49704(external link) & CVE-2025-49706(external link). This exploitation activity, publicly reported as “ToolShell”, provides unauthenticated access to systems and enables malicious actors full access to SharePoint content, including file systems, internal configurations, could allow code execution and persistent access through exfiltration of IIS machine keys.
The NCSC encourages organisations in New Zealand using on-premise SharePoint servers to review Microsoft’s Advisory(external link) and apply the remediations as soon as possible. If remediation or mitigation action cannot be undertaken immediately, then we recommend isolating the SharePoint instance from the internet.
Currently (21 July 2025) patches are only available for SharePoint Subscription Edition and SharePoint Server 2019.
Customers using supported versions of SharePoint Server 2016 should monitor the Microsoft Advisory to identify when patches become available.
For more NCSC NZ updates, follow(external link) us on LinkedIn.