Overview

• Microsoft’s July 20 update secures one SharePoint on-premises release but leaves two other server versions vulnerable pending additional patches.
• The FBI reports that dozens of federal, state and corporate networks have suffered data breaches in this campaign.
• Attackers exploited the ToolShell zero-day flaw to execute remote code on on-premises SharePoint servers while cloud-hosted Microsoft 365 services remained unaffected.
• CISA and its Canadian and Australian counterparts have published mitigation recommendations urging immediate patching, credential rotation and traffic monitoring.
• The ToolShell vulnerability (CVE-2025-53770/53771), first revealed at May’s Pwn2Own contest, underscores gaps in enterprise patch management.