Fortinet's FortiGuard Labs has issued a critical security alert regarding a newly discovered zero-day vulnerability chain in Microsoft SharePoint, which is currently being exploited in the wild. This article is intended to inform Moussa Solutions customers using on-premises SharePoint of the risks and recommended actions. This ongoing threat targets unpatched SharePoint environments across various sectors, including government, education, healthcare, and enterprise IT systems.
Summary of the SharePoint Zero-Day Attack
The vulnerability chain, named ToolShell by researchers, allows unauthenticated remote attackers to gain unauthorized access and execute arbitrary commands on vulnerable SharePoint servers.
The exploit combines two previously known vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two newly discovered zero-day flaws (CVE-2025-53770 and CVE-2025-53771), making it particularly dangerous.
Involved Threat Actors
According to Microsoft, the attacks are being carried out by Chinese state-sponsored groups known as Linen Typhoon and Violet Typhoon. These actors are actively exploiting vulnerable systems, and Microsoft assesses with high confidence that exploitation will continue.
Affected Vulnerabilities
- CVE-2025-49704
- CVE-2025-49706
- CVE-2025-53770 (Zero-day)
- CVE-2025-53771 (Zero-day)
Impact on Organizations
The vulnerability chain affects a wide range of organizations that run on-premises Microsoft SharePoint. Successful exploitation can result in full system compromise, including data exfiltration and system-level control.
Microsoft’s Response
Microsoft has released security updates that fully mitigate CVE-2025-53770 and CVE-2025-53771 for all supported SharePoint versions. Organizations are urged to install these patches immediately to prevent exploitation.
Moussa Solutions Recommendations
While Fortinet and Microsoft have taken steps to mitigate the threat, Moussa Solutions strongly encourages all clients using Microsoft SharePoint to act quickly by:
- Installing the latest Microsoft SharePoint security updates
- Performing a thorough vulnerability assessment
- Reviewing SharePoint access logs for signs of compromise
- Hardening SharePoint configurations using best practices
- Implementing advanced endpoint protection and threat detection tools
Protect Your Systems with Moussa Solutions
At Moussa Solutions, we are committed to helping our clients stay informed and protected against emerging cyber threats. If your organization uses on-premises SharePoint, our team is available to:
- Support patch management and emergency updates
- Audit your infrastructure for vulnerabilities
- Strengthen your Microsoft SharePoint environment
- Provide ongoing security monitoring and incident response
Contact Us
If you need urgent assistance securing your SharePoint servers or understanding your exposure to this vulnerability, please contact Moussa Solutions today.