Inside The ToolShell Campaign
July 28, 2025, 9:13 a.m.
Description
FortiGuard Labs has identified a new exploit chain called 'ToolShell' that targets on-premises Microsoft SharePoint servers. The chain combines two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. The campaign uses sophisticated tools such as GhostWebShell, a fileless ASP.NET web shell for remote access, and KeySiphon, which collects system information and application secrets. The active exploitation demonstrates both SharePoint's status as a high-value target and how rapidly vulnerabilities are weaponized. FortiGuard Labs has released protective measures and recommends swift patching, layered security, and thorough log review to mitigate risks.
Date
- Created: July 25, 2025, 8:49 p.m.
- Published: July 25, 2025, 8:49 p.m.
- Modified: July 28, 2025, 9:13 a.m.