Defending Against ToolShell: SharePoint's Latest Critical Vulnerability

July 24, 2025, 9:34 a.m.

Description

A critical zero-day vulnerability named ToolShell (CVE-2025-53770) has been discovered in on-premises SharePoint Server deployments. It allows unauthenticated remote code execution and poses a significant threat to organizations worldwide. SentinelOne has observed active exploitation and provides defensive measures. ToolShell's severity stems from its zero-day status, its high CVSS score of 9.8, the absence of any authentication requirement, and its remote code execution capability. SentinelOne's defense strategy includes early identification, out-of-the-box detection logic, IOC integration, hunting queries, and proactive detection through Singularity Vulnerability Management. Recommended mitigation steps include isolating SharePoint instances, enabling AMSI, applying patches, integrating the IOCs, monitoring for suspicious behavior, and conducting retroactive threat hunting.

Date

  • Created: July 23, 2025, 11:31 p.m.
  • Published: July 23, 2025, 11:31 p.m.
  • Modified: July 24, 2025, 9:34 a.m.

Indicators

  • 104.238.159.149
  • 107.191.58.76