SharePoint Wake-Up Call: When Old Tech Comes Back to Bite

It’s been a weird month for IT admins. One minute you’re knee-deep in license renewals and overdue backups, the next your SharePoint server’s wide open like a hotel door with a broken lock – and the intruders aren’t exactly room service.

Yes, that SharePoint. The dependable, clunky workhorse buried somewhere in your back office that everyone forgets exists – until it breaks. Well, it broke. Spectacularly. And patching it isn’t as simple as clicking “Update.”

Let’s walk through what happened, why it matters, and what you can do if you’re still running the 2016 edition like it’s the golden age of on-prem.

So… What Just Happened?

A new zero-day vulnerability (fancy way of saying: “No one saw this coming, and there’s no fix yet”) was discovered in Microsoft’s on-premises SharePoint Server. The official name is CVE-2025-53770, but that’s just alphabet soup for: “someone can break in, take what they want, and leave the door open for others.”

The attack doesn’t need a password. It doesn’t need trickery or phishing or a USB stick left in a parking lot. It’s a direct hit – remote code execution, full access, and the ability to steal your machine’s cryptographic keys. Once that happens, even patching the vulnerability won’t lock the attacker out. They’ve copied the keys. They still have the keys.

And just to spice things up? It’s being actively exploited. Right now.

A SharePoint Flaw Hiding in Plain Sight

If you’re thinking, “Who still runs SharePoint on-premises in 2025?”, the answer is: a lot of people. Governments. Banks. Universities. Healthcare providers. Because moving off SharePoint is like trying to replace a bridge while cars are still driving on it.

And that’s exactly what attackers are banking on. They know organizations are slow to migrate, slower to patch, and terrified of breaking something in the process. They’re exploiting a specific endpoint:

/_layouts/15/ToolPane.aspx?DisplayMode=Edit

which, under the hood, lets them run commands like they own the place.

Once they’re in, they deploy a tool (nicknamed ToolShell) that installs backdoors, steals those cryptographic machine keys, and hides in plain sight. Some of the traffic even looks like normal SharePoint use, so traditional defenses might just let it slide.

Microsoft’s Response: Partial Help, Partial Headache

To Microsoft’s credit, they’ve issued emergency patches – for SharePoint 2019 and the Subscription Edition. But the 2016 version? Still waiting. And yes, plenty of organizations are still stuck on 2016 because upgrades require time, money, and a lot of meetings that start with “Is this absolutely necessary?”

Microsoft also recommends rotating your ASP.NET machine keys. Sounds simple enough… unless you’ve never done it before and suddenly have to figure out what those keys even are, where they live, and whether changing them will crash your internal apps.

And let’s be real – many IT departments are underfunded and understaffed. Microsoft saying, “Just rotate your machine keys and restart IIS” is like telling someone with a leaky roof to just buy a new house.

This Isn’t Just About SharePoint

Here’s the thing: this whole incident is less about one specific bug and more about what it reveals.

It shows how much of our infrastructure still relies on outdated, overgrown software with more patches than planning. It highlights how enterprise IT still leans on “if it ain’t broke, don’t touch it,” until it is broke – and then it’s all-hands-on-fire.

And it also shows how attackers are getting smarter, faster, and more focused. They’re not going after personal laptops. They’re targeting the forgotten corners of enterprise networks. The dusty servers running decade-old code, protected by outdated firewalls, still exposed to the public web because “someone needed remote access once.”

What Should You Do If You’re Affected?

You already know the standard advice: patch your systems. But in this case, that’s just the beginning.

Here’s what else you should seriously consider:

  • Assume compromise. If your SharePoint was publicly exposed and hasn’t been patched, don’t hope for the best. Act like someone’s already in.
  • Change your machine keys. These are like the master keys to your web application’s front door. If they’ve been stolen, patching won’t keep the attacker out.
  • Audit everything. Look for unusual activity in your SharePoint logs. Search for references to ToolPane.aspx, weird IP addresses, sudden privilege escalations.
  • Isolate exposed servers. Temporarily disconnect them from the internet until you’re confident they’re clean.
  • Strengthen monitoring. If you’re not logging and alerting aggressively now, this is the time to start. Install antivirus that can scan scripts and catch PowerShell behavior in real time.
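The "audit everything" step above, together with the ToolPane.aspx endpoint called out earlier, is concrete enough to script. The following is an added example, not code from the post or from Microsoft: it parses IIS W3C extended log lines from a SharePoint front end, flags every request to ToolPane.aspx with DisplayMode=Edit, and raises the severity when the request is a POST, is unauthenticated, comes from an address outside the private ranges, or carries a non-browser user agent. The log lines, the server name, the user names and the client addresses are constructed for the example; the choice of private ranges as "internal" is an assumption you should adjust to your own network.

```python
"""Triage IIS W3C logs from an on-prem SharePoint server for requests that hit
the ToolPane.aspx edit-mode endpoint. Added example; the log sample below is
constructed, not captured from any real server."""
import ipaddress
from typing import Dict, List

# Constructed sample of an IIS W3C extended log. User-Agent values keep IIS's
# convention of no embedded spaces so the line splits cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jsmith 10.0.1.23 Mozilla/5.0 200 120
2025-07-19 03:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 Mozilla/5.0 200 311
2025-07-19 03:16:02 10.0.0.5 GET /_layouts/15/toolpane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.40 Mozilla/5.0 200 95
2025-07-19 03:17:55 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 python-requests/2.31 200 402
2025-07-19 03:18:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jsmith 10.0.1.23 Mozilla/5.0 200 60
"""

# Assumption: RFC 1918 space is "internal"; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                            # other directives and blank lines
        else:
            parts = line.split()
            if len(parts) != len(fields):
                continue                        # malformed or truncated line
            rows.append(dict(zip(fields, parts)))
    return rows


def is_external(ip: str) -> bool:
    """True when the client address is not inside any INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                             # unparseable address: treat as external
    return not any(addr in net for net in INTERNAL_NETS)


def triage(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return a finding for every ToolPane.aspx?DisplayMode=Edit request."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        if not stem.endswith("/toolpane.aspx") or "displaymode=edit" not in query:
            continue
        reasons = ["ToolPane.aspx requested with DisplayMode=Edit"]
        if r.get("cs-method") == "POST":
            reasons.append("POST to the edit-mode page")
        if r.get("cs-username", "-") == "-":
            reasons.append("no authenticated user")
        if is_external(r.get("c-ip", "")):
            reasons.append("client outside internal ranges")
        if "mozilla" not in r.get("cs(User-Agent)", "").lower():
            reasons.append("non-browser user agent")
        # One reason means an edit-mode hit by an authenticated internal browser
        # session, which can be legitimate admin work; several together is not.
        severity = "high" if len(reasons) >= 3 else "review"
        findings.append({
            "when": f"{r['date']} {r['time']}",
            "client": r.get("c-ip"),
            "user": r.get("cs-username"),
            "method": r.get("cs-method"),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_w3c(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['when']} {f['method']} from {f['client']} "
              f"as {f['user']}: " + "; ".join(f["reasons"]))
```

Run it against your real `u_ex*.log` files by replacing `SAMPLE_LOG` with the file contents; every SharePoint web application has its own IIS site and therefore its own log directory, so check each one. A clean run is not proof of a clean server, since the post notes that some of the attacker's traffic looks like ordinary SharePoint use; treat this as a first pass that tells you where to look harder, not as a verdict.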

If you’re one of the many still waiting for that SharePoint 2016 patch, consider tightening firewall rules, limiting access, and frankly, preparing for an upgrade sooner rather than later.

A Moment of Honesty

This isn’t a finger-pointing moment. If you’re an admin juggling 100 priorities and just now finding out your SharePoint instance is vulnerable, you’re not alone. Most people don’t wake up in the morning thinking, “Today I’ll rotate machine keys and review endpoint logs.”

But the industry’s got a deeper problem. We’re still prioritizing uptime over security, backward compatibility over clean slates, and short-term convenience over long-term resilience. SharePoint’s latest mess is just the symptom. The disease is systemic tech debt, neglected updates, and blind trust in tools we’ve outgrown.

Quick FAQ: What People Keep Asking

  • Is SharePoint Online affected?
    • Nope. This only impacts on-prem versions like 2016, 2019, and Subscription Edition.
  • What’s a machine key and why does it matter?
    • Machine keys are cryptographic values used to sign and validate sessions in web apps. If attackers steal them, they can impersonate users or inject malicious code, even after you patch the main bug.
  • Can I just patch and be done?
    • Not safely. If the attacker already stole your keys, patching won’t kick them out. You need to rotate those keys and audit thoroughly.
  • Is this being actively exploited?
    • Yes, on a wide scale. Reports mention governments, hospitals, universities – all hit.
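Two of the questions above (what a machine key is, and why patching alone is not enough) and the earlier worry about whether rotating the keys will break internal apps come down to one mechanism: the server accepts any token whose HMAC was produced with its current key. The following added example, which is not from the post and is a simplified model rather than ASP.NET's real ViewState or forms-authentication format, shows that a token forged with a copied key passes verification for as long as that key stays in service, that rotating the key rejects the forgery, and that the same rotation also invalidates every legitimate token issued under the old key, which is exactly why users get signed out and hard-coded keys in other apps stop working. The key sizes, payloads and function names are the example's own choices.

```python
"""Why a stolen machine key survives a patch, and what rotation does about it.
Added example: a toy HMAC-signed token, not ASP.NET's actual token format."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes of tag appended to the payload


def sign(payload: bytes, machine_key: bytes) -> bytes:
    """Issue a token: payload || HMAC-SHA256(machine_key, payload), base64url."""
    tag = hmac.new(machine_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def verify(token: bytes, machine_key: bytes) -> Optional[bytes]:
    """Return the payload if the tag matches the current key, else None."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) <= MAC_LEN:
        return None                                   # too short to hold a tag
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(machine_key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    return payload if hmac.compare_digest(tag, expected) else None


def rotation_outcome() -> dict:
    """Walk through the incident: key copied, server patched, then key rotated."""
    old_key = secrets.token_bytes(64)                 # the key in service at breach time
    legit = sign(b'{"user":"jsmith","role":"member"}', old_key)

    stolen_key = old_key                              # the attacker copied the key bytes
    forged = sign(b'{"user":"admin","role":"owner"}', stolen_key)

    # "Patching the bug" changes nothing about the key, so the forgery still verifies.
    forged_accepted_after_patch = verify(forged, old_key) is not None

    new_key = secrets.token_bytes(64)                 # rotation: fresh key, old one retired
    forged_accepted_after_rotation = verify(forged, new_key) is not None
    legit_accepted_after_rotation = verify(legit, new_key) is not None

    return {
        "forged_accepted_after_patch": forged_accepted_after_patch,       # True
        "forged_accepted_after_rotation": forged_accepted_after_rotation, # False
        "legit_accepted_after_rotation": legit_accepted_after_rotation,   # False: users re-sign-in
    }


if __name__ == "__main__":
    for name, value in rotation_outcome().items():
        print(f"{name}: {value}")
```

The third result is the operational caveat: rotation is only effective because it rejects everything signed under the old key, so plan for sessions to drop and for any application that shares the old key value to be updated in the same change window.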

It’s Not Just SharePoint

If you’re reading this and thinking, “This sounds way too familiar,” that’s the point. SharePoint isn’t the first tool to fall to its own legacy, and it won’t be the last. But it’s a stark reminder that the stuff we forget to check is often the stuff that gets hit the hardest. Patch fast. Audit often. And maybe – just maybe – it’s time to finally retire that 2016 server humming in the corner.
