Microsoft announced an urgent advisory over the weekend, warning all on-premises SharePoint users to upgrade products to supported versions, install the July 2025 Security Updates and rotate machine keys to protect against a zero-day vulnerability being used to target civil agencies, universities and businesses worldwide.
While the fix will "fully protect customers" for the SharePoint Subscription Edition and 2019 products, a security update for SharePoint 2016 is not available yet, Microsoft said on its blog. For those that cannot access antimalware scanning in this version, Microsoft recommends disconnecting from the internet until a patch becomes available.
WHY IT MATTERS
The vulnerability, known as CVE-2025-53770, allows attackers to remotely execute code and disguise their identity to appear as a trusted source.
"Microsoft is aware of active attacks targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed by the July Security Update," the company said in the customer guidance blog on July 19.
The critical patches involve configuring Antimalware Scan Interface integration in SharePoint and deploying Defender Antivirus on all SharePoint servers, "which will stop unauthenticated attackers from exploiting this vulnerability," Microsoft said.
Of note, AMSI integration was enabled by default in September 2023 for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
"If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available," Microsoft said.
After applying security updates or enabling AMSI, customers must also rotate machine keys in the server framework for building web apps, ASP.NET and restart all their SharePoint Internet Information Services servers.
THE LARGER TREND
Since Microsoft embedded HIPAA compliance into Office 365 about 14 years ago, healthcare organizations have been able to use the company's office documentation software and remain in compliance.
The company knows well how vulnerable hospitals and health systems are – especially independent critical access and rural emergency hospitals. Last year, Microsoft began offering free and low-cost cybersecurity tools and services to help small and rural hospitals through a joint effort of the Biden administration, American Hospital Association and National Rural Health Association.
"Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans' access to critical care," then Deputy National Security Advisory for Cyber and Emerging Technologies Anne Neuberger said in a statement at the time.
ON THE RECORD
"Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network," the company said in its advisory.
"This exploitation activity, publicly reported as 'ToolShell,' provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations and execute code over the network," the Cybersecurity and Infrastructure Security Agency said in its warning Sunday.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
