City councils, county offices, and Chambers of Commerce face a critical SharePoint zero‑day threat that targets on‑premises servers. This vulnerability is being actively exploited against local document-sharing platforms across Central and South Texas. As a trusted tech partner, SoftTouch Systems equips communities, SMBAs, city governments and county agencies with clear, expert-led defenses. Read on to understand the real risks, the immediate mitigation steps, and how SoftTouch keeps your vital services secure and operational.
What Is the SharePoint Zero‑Day Threat?
Recently, attackers exploited CVE‑2025‑53770, a critical SharePoint zero‑day vulnerability, in a remote code execution (RCE) attack chain known as “ToolShell”. The flaw is reachable without authentication, allowing attackers to install web shells, exfiltrate sensitive data, and steal the server's ASP.NET cryptographic machine keys, all without any user interaction.
Major concerns:
- Affected infrastructure: On-premises SharePoint Server 2016, 2019, and Subscription Edition, widely used by local governments and chambers.
- Attack scale: Over 75 servers globally were reported breached before a patch was released.
- Key disclosure risk: Stolen machine keys (the ASP.NET ValidationKey and DecryptionKey) let attackers forge signed ViewState payloads and regain code execution even after the patch is applied, unless the keys are rotated.
- No impact on SharePoint Online, but unpatched on-premises systems remain dangerously exposed.
Why This Matters for Local Entities
Local government and community offices use SharePoint to publish meeting minutes, maintain grant documents, share policy files, and communicate internally. Outages, data loss, or unauthorized access can disrupt public trust, violate transparency standards, and place sensitive resident data at risk. In this threat landscape, a SharePoint zero‑day exploit becomes a direct threat to civic operations and community integrity.
Immediate Steps to Harden Your Systems
SoftTouch Systems recommends the following proactive measures:
1. Patch and Update ASAP
- Apply the emergency security updates: KB5002754 (SharePoint Server 2019) and KB5002768 (Subscription Edition).
- Watch closely for the patch for SharePoint Server 2016, which was not yet available when this was written. (BleepingComputer)
2. Enable AMSI + Defender AV
- Confirm that Antimalware Scan Interface (AMSI) integration is enabled in SharePoint.
- Deploy Microsoft Defender Antivirus and Defender for Endpoint on all SharePoint servers. (Microsoft Defender)
- Together these let Defender inspect and block the malicious ASPX and ViewState payloads used by the exploit before SharePoint processes them.
3. Rotate Machine Keys
Even a patched server remains exposed if its machine keys were stolen before the patch: the keys are not user credentials but the secrets that sign and encrypt ViewState, so an attacker holding them can keep executing code. Rotate the ASP.NET machine keys on every web application and restart IIS afterwards to invalidate anything that was taken.
4. Threat Hunt for Indicators
Scan IIS logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and check the SharePoint LAYOUTS folder for the web shell spinstall0.aspx (see Microsoft's guidance). Also watch for traffic from the IP addresses flagged by CISA: 107.191.58.76, 104.238.159.149, and 96.9.125.147.
5. Isolate or Disconnect
If you cannot patch or enable the AMSI and Defender mitigations, disconnect your SharePoint server from the internet immediately until you can.
6. Monitor & Report
Use continuous logging, SIEM, and SOAR systems. Report incidents to CISA or your local Cyber Center. CISA added this CVE to its Known Exploited Vulnerabilities list on July 20, 2025.
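The six steps above can be checked and carried out in one pass from the SharePoint Management Shell. The script below is an added example written for this post; it is not SoftTouch's tooling or Microsoft's script. It assumes the default IIS log location, that the Update-SPMachineKey cmdlet is available on your build, and that the Defender PowerShell module is installed; the indicators it looks for are exactly the ones listed above.

```powershell
# Added example, not from the original post: post-patch checks for the ToolShell
# (CVE-2025-53770) hardening steps, run from an elevated SharePoint Management Shell
# on each on-premises SharePoint server. Assumptions are marked where they apply.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: record the farm build so it can be compared with the build number listed
# in the KB article for your version (KB5002754 for 2019, KB5002768 for SE).
$build = (Get-SPFarm).BuildVersion
Write-Host "Farm build: $build"

# Step 2: AMSI only helps if a registered antivirus is running; confirm Defender is.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is present.
$mp = Get-MpComputerStatus
Write-Host "Defender AV enabled: $($mp.AMServiceEnabled); real-time protection: $($mp.RealTimeProtectionEnabled)"

# Step 3: rotate the ASP.NET machine keys on every web application, then restart IIS.
# This invalidates ValidationKey/DecryptionKey values an attacker may have read.
# Assumes Update-SPMachineKey exists on your build; otherwise use Central Administration.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Update-SPMachineKey -WebApplication $wa
    Write-Host "Rotated machine key for $($wa.Url)"
}
iisreset.exe

# Step 4a: look for the dropped web shell in both SharePoint hive LAYOUTS folders.
$layouts = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)
foreach ($dir in $layouts) {
    $hit = Get-ChildItem -Path $dir -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue
    if ($hit) { Write-Warning "Web shell present: $($hit.FullName -join ', ')" }
}

# Step 4b: hunt the IIS W3C logs for the exploit POST and for the CISA-listed IPs.
# Field positions are read from each file's '#Fields:' header rather than assumed.
# Log path is the IIS default; adjust it if your site logs elsewhere.
$cisaIps  = '107.191.58.76', '104.238.159.149', '96.9.125.147'
$findings = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' | ForEach-Object {
    $log    = $_
    $fields = @()
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v   = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        $isToolPane = ($row['cs-method'] -eq 'POST') -and
                      ($row['cs-uri-stem'] -like '*/_layouts/15/ToolPane.aspx') -and
                      ($row['cs-uri-query'] -like '*DisplayMode=Edit*')
        $isCisaIp   = $cisaIps -contains $row['c-ip']
        if ($isToolPane -or $isCisaIp) {
            $why = if ($isToolPane) { 'ToolPane POST' } else { 'CISA-listed IP' }
            [pscustomobject]@{
                Log     = $log.Name
                Time    = "$($row['date']) $($row['time'])"
                Client  = $row['c-ip']
                Uri     = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
                Referer = $row['cs(Referer)']
                Status  = $row['sc-status']
                Why     = $why
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Steps 5 and 6: any finding above is grounds to isolate the server from the internet
# and report the incident to CISA or your local cyber center.
```

Run it once after patching and keep the Step 4b section in a scheduled job for the following weeks, since a web shell planted before the patch does not need the vulnerability to keep working. The script rotates keys unconditionally; that is intended, because you cannot tell from the patch status alone whether the keys were read.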
How SoftTouch Systems Supports Local Agencies
SoftTouch guides clients through every protective layer:
- Tech audit to detect vulnerable SharePoint instances.
- Patch deployment and configuration of AMSI/Defender.
- Machine key rotation service to re-secure servers after a breach.
- Threat hunting program with log analysis and IoC scanning.
- Incident response collaboration for containment and recovery.
- Ongoing monitoring via SOC-level oversight.
Our goal? To reduce breach risk, ensure compliance, and protect citizen data for Chambers of Commerce, SMBA offices, city and county governments.
Frequently Asked Questions
| Question | Answer |
|---|---|
| Does this affect SharePoint Online? | No, only on-premises servers. |
| We are already patched, are we safe? | Partially. You must rotate the machine keys and monitor logs too. |
| What's the key rotation timeline? | We recommend doing it immediately after patching. |
| Can we detect an intrusion retrospectively? | Yes, with log audits and scanning for |