SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers
July 22, 2025, 9:29 a.m.
Description
A zero-day vulnerability dubbed 'ToolShell', affecting on-premises Microsoft SharePoint Servers, has been actively exploited. The flaw, tracked as CVE-2025-53770 together with the accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been observed, each with its own tradecraft and objectives. Targets include organizations in technology consulting, manufacturing, critical infrastructure, and professional services. Exploitation gives unauthenticated access to SharePoint's ToolPane functionality, which leads to code execution via uploaded or in-memory web components. The clusters used different webshells and techniques, including a custom password-protected ASPX webshell and a reconnaissance utility that targets cryptographic material. Immediate patching and following Microsoft's recommendations are strongly advised. Because one of the observed tools targets cryptographic material, patching alone does not evict an intruder who already harvested it from an exposed server; Microsoft's guidance for this flaw also calls for rotating the ASP.NET machine keys and restarting IIS after the update is applied.
Tags
Date
- Created: July 22, 2025, 8:34 a.m.
- Published: July 22, 2025, 8:34 a.m.
- Modified: July 22, 2025, 9:29 a.m.
Indicators
- 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (SHA-256 file hash)
- 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2 (SHA-256 file hash)
- 96.9.125.147 (IPv4 address)
Additional Information
- Technology
- Defense
- Government
- Manufacturing