The Australian Cyber Security Centre (ACSC) has issued an alert for an exploited vulnerability in Microsoft's on-premises SharePoint Server products that allows attackers to remotely run code.

The flaw involves the deserialisation (unpacking and processing) of untrusted data by on-premises SharePoint Servers, which allows malicious code to be inserted into that data.
According to ACSC, Microsoft is aware that an exploit for the vulnerability exists and has observed active attacks targeting on-premises SharePoint Server customers.
Microsoft has also acknowledged the vulnerability, which is tracked as CVE-2025-53770.
Customers can take steps to protect their environments, Microsoft said, adding that it was developing and testing an update to handle the vulnerability.
The company recommended that customers configure the integration between SharePoint Server and the Windows Anti-Malware Scan Interface (AMSI), which should prevent unauthenticated users from exploiting the vulnerability.
AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016 and the version 23H2 feature update for SharePoint Server Subscription Edition.
If AMSI cannot be enabled, Microsoft recommends that users disconnect their SharePoint Servers from the internet until a security update is available.
Admins can locate possible exploitation activity on SharePoint Server by looking for a file named "spinstall0.aspx" in the Microsoft 365 security centre, using the following query:
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx"
    or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
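The same indicators can also be checked directly on the server's disk. The following Python script is an added example, not code from Microsoft or ACSC: it walks a directory tree and reports any file whose name contains "spinstall0" under a 16\TEMPLATE\LAYOUTS folder, with its modification time and SHA-256. The function names and the root directory argument are assumptions.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone

# Path components and file-name indicator taken from the hunting query above.
LAYOUTS_TAIL = ("16", "template", "layouts")
NAME_INDICATOR = "spinstall0"


def under_layouts(dir_path):
    """True if dir_path contains 16\\TEMPLATE\\LAYOUTS, compared case-insensitively."""
    parts = [p.lower() for p in os.path.normpath(dir_path).split(os.sep)]
    n = len(LAYOUTS_TAIL)
    return any(tuple(parts[i:i + n]) == LAYOUTS_TAIL for i in range(len(parts) - n + 1))


def sha256_of(path):
    """Hash the file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root):
    """Return one record per matching file under root (hypothetical helper), newest first."""
    hits = []
    for dir_path, _dirs, files in os.walk(root):
        if not under_layouts(dir_path):
            continue
        for name in files:
            # Substring test: slightly broader than the query's term match.
            if NAME_INDICATOR not in name.lower():
                continue
            full = os.path.join(dir_path, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
                hits.append({"path": full, "modified_utc": mtime.isoformat(),
                             "sha256": sha256_of(full)})
            except OSError as exc:  # locked or unreadable: report it, do not skip it
                hits.append({"path": full, "modified_utc": "", "error": str(exc)})
    return sorted(hits, key=lambda h: h["modified_utc"], reverse=True)


if __name__ == "__main__":
    # Assumption: the caller passes the directory to sweep, e.g. the SharePoint install root.
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

An empty result only means the named file is not present under the swept directory at the time of the check.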
Users should also deploy Defender for Endpoint to detect and block post-exploit activity, Microsoft said.
SharePoint Online in Microsoft 365 is not affected by the bug, the company said.
Update: The United States Cybersecurity and Infrastructure Security Agency (CISA) told iTNews that it had been made aware of the exploitation [of the SharePoint Server vulnerability] by a trusted party, and had reached out to Microsoft immediately to take action.
CISA's acting executive assistant director for cybersecurity, Chris Butera, explained that the vulnerability, publicly reported as "ToolShell", provides unauthorised access to systems and enables malicious actors to fully access SharePoint content.
This includes file systems and internal configurations, and threat actors can also execute code over the network, he added.
"Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," Butera said.
"CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action," Butera added.