The active exploitation of two Microsoft SharePoint zero-day vulnerabilities should serve as a clear signal to every healthcare CISO: we are out of time.
CVE-2025-53770 and CVE-2025-53771 are not theoretical. They are being exploited in the wild right now, bypassing authentication and giving attackers remote code execution on SharePoint servers worldwide. Attackers are chaining the two flaws in an exploit chain known as ToolShell, and more than 75 servers have been compromised so far.
As healthcare security leaders, we cannot afford to wait. Vulnerabilities like these hit us harder than most sectors because of the sensitivity of the data we hold and the clinical services that depend on our systems. These are not just IT risks. They are operational risks. They are patient safety risks.
SharePoint Zero-day Vulnerabilities: What We Know
CVE-2025-53770 carries a CVSS score of 9.8: it is a deserialization flaw that yields unauthenticated remote code execution. CVE-2025-53771 is a path traversal flaw that lets a request reach SharePoint pages it should not be able to, which is how the chain gets past authentication before the deserialization step fires. Both are bypasses of fixes Microsoft shipped in its July Patch Tuesday release (CVE-2025-49704 and CVE-2025-49706), so a server that was fully current as of July 8 was still exploitable. Together, they give adversaries a powerful foothold.
Although researchers began detecting signs of exploitation as early as July 18, the broader healthcare industry and many affected organizations only became fully aware of the situation after Microsoft released its emergency out-of-band patches on July 21. That delay meant attackers had a multi-day head start.
Microsoft’s patches cover:
- SharePoint Subscription Edition (KB5002768)
- SharePoint Server 2019 (KB5002754)
Unfortunately, SharePoint Server 2016, still widely used across healthcare, remains unpatched as of this writing. That leaves a dangerous exposure window for organizations that rely on this version and have not put interim controls in place.
With confirmed breaches across dozens of systems, it is no longer a hypothetical situation. This is a live incident.
What We Must Do Now
Here is what every healthcare security team should do immediately in response to the active exploitation of these two SharePoint zero-day vulnerabilities:
- Apply the available emergency patches immediately, and confirm the installed build actually matches the KB article rather than trusting the July Patch Tuesday baseline.
- Rotate the SharePoint ASP.NET machine keys and restart IIS after patching. Attackers who already stole the machine keys can forge valid requests and regain code execution on a patched server, so rotation is what actually evicts them; rotating before the patch is installed only hands the attacker a fresh set of keys.
- Enable Windows Antimalware Scan Interface (AMSI) integration in Full Mode with an antimalware engine such as Microsoft Defender Antivirus on every SharePoint server, and deploy Endpoint Detection and Response (EDR) such as Microsoft Defender for Endpoint.
- Disconnect any SharePoint server that cannot be patched and cannot have AMSI enabled from the internet until it can be.
- Treat every internet-exposed server as potentially compromised and investigate before trusting the patch. Patching closes the door; it does not remove an attacker who is already inside.
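The five steps above, collected into one script as an added example. This is not part of the original post and is not Fortified Health Security's tooling. It assumes it is run in the SharePoint Management Shell as a farm administrator on each SharePoint server; that the operator supplies the patched build number from the KB article for their edition (the script does not hard-code one); that `Set-SPMachineKey` and `Update-SPMachineKey` are the rotation cmdlets, as in Microsoft's published guidance, which should be confirmed on your build; and that the LAYOUTS path below is the standard one for SharePoint 16.x. The firewall rule name and the July 17 cut-off date are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example: ToolShell response helper. Run on every SharePoint server in the farm.
# Assumptions: SharePoint Management Shell, farm administrator, -PatchedBuild copied from the
# KB article for your edition (KB5002768 for Subscription Edition, KB5002754 for 2019).
param(
    [Parameter(Mandatory)] [version] $PatchedBuild,  # build number from the KB article (assumption: operator supplies it)
    [switch] $RotateKeys,    # rotate ASP.NET machine keys and restart IIS (only on a patched farm)
    [switch] $BlockInbound   # interim host-level block of inbound web traffic while unpatched
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: verify the farm build against the patched build instead of assuming the July
# Patch Tuesday baseline is enough. BuildVersion is the farm configuration database version.
$build = (Get-SPFarm).BuildVersion
$patched = ($build -ge $PatchedBuild)
if ($patched) {
    Write-Host "Farm build $build meets patched build $PatchedBuild."
} else {
    Write-Warning "Farm build $build is BELOW patched build $PatchedBuild. Apply the emergency update first."
    if ($BlockInbound) {
        # Step 4 (stopgap): stop serving HTTP/HTTPS on this host until it is patched. This is a
        # host-level substitute for pulling the server off the edge, not a replacement for it.
        New-NetFirewallRule -DisplayName "SharePoint-ToolShell-Interim-Block" -Direction Inbound `
            -Protocol TCP -LocalPort 80,443 -Action Block | Out-Null
        Write-Warning "Inbound TCP 80/443 is now blocked on this host. Remove the rule after patching."
    }
}

# Step 2: rotate machine keys, but only once the patch is on. Keys rotated on an unpatched
# server can simply be stolen again through the same unauthenticated path.
if ($RotateKeys) {
    if (-not $patched) { throw "Refusing to rotate machine keys on an unpatched farm." }
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine keys for $($wa.DisplayName)"
        Set-SPMachineKey -WebApplication $wa      # generate new validation/decryption keys
        Update-SPMachineKey -WebApplication $wa   # push the new keys to web.config on every server
    }
    iisreset.exe   # the new keys are only honoured by worker processes started after this point
}

# Step 3 is not scripted: AMSI Full Mode is enabled through Central Administration and Defender
# Antivirus/EDR is deployed through your endpoint management tooling.

# Step 5: hunt for web content dropped or altered in LAYOUTS since exploitation began
# (the article dates first detections to July 18; the cut-off here is one day earlier).
# Caveat: the emergency patch itself updates files here, so compare hits against the
# update's file list or a known-good server. Anything that is not a product file is suspect.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since   = Get-Date '2025-07-17'
$recent  = Get-ChildItem -Path $layouts -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since }
if ($recent) {
    Write-Warning "$($recent.Count) web file(s) created or modified in LAYOUTS since $since. Review each one:"
    $recent | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No web files created or modified in LAYOUTS since $since."
}
```

Run it once with only `-PatchedBuild` to get the build check and the LAYOUTS hunt, then again with `-RotateKeys` after the update is installed. The script refuses to rotate keys on an unpatched farm deliberately: the rotation only helps if the path the attacker used to read the keys is already closed.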
SharePoint Online (Microsoft 365) is not affected. Only on-premises installations are at risk.
The sophistication of this attack is significant. ToolShell chains an authentication bypass into a deserialization bug to get full remote code execution without credentials, and it does so against servers that had applied the July Patch Tuesday updates. This is not routine threat activity. This is an escalation.
Why This Is Personal
I’ve spent my career in healthcare cybersecurity because I believe in protecting the systems that protect people. When incidents like this unfold, I do not just see technical vulnerabilities. I see potential disruptions to patient care, delays in treatment, and violations of the trust our patients place in us.
Cybersecurity preparedness in healthcare directly translates to patient safety. And that makes our job urgent every single day.
We all know the challenges. Resources are tight. Legacy systems are embedded in care workflows. Patching is never as simple as it sounds. But this is one of those moments when hesitation carries too much risk.
Zero-Day Vulnerabilities: What’s Next
With these two SharePoint zero-day vulnerabilities under active exploitation, healthcare and other critical infrastructure sectors must be operating at a heightened state of awareness. The attackers are not waiting. Neither should we.
At Fortified Health Security, our team is tracking this threat closely and supporting healthcare leaders as they respond.
If you need help evaluating your SharePoint exposure, or investigating a potential compromise, please don’t hesitate to reach out. We’re ready to help.
Because in healthcare, every second matters. And when it comes to cybersecurity, waiting is not a strategy.