Toolshell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified

July 21, 2025, 11:57 a.m.

Description

This pulse highlights an ongoing mass exploitation campaign targeting on-premises Microsoft SharePoint servers using a newly disclosed remote code execution (RCE) chain dubbed ToolShell. Discovered on July 18, 2025, by Eye Security, the attack chain is now tracked as CVE-2025-53770 and CVE-2025-53771, combining two previously known but unpatched vulnerabilities. The attackers exploit ToolPane.aspx via unauthenticated HTTP requests, dropping a custom ASPX webshell (spinstall0.aspx) into the SharePoint site.
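A defender-side triage of IIS W3C logs for the two artefacts named above, as an added example that is not part of the original pulse. The log lines, the `/_layouts/15/` directory, the usernames and the IP addresses are constructed, and treating a `cs-username` of `-` as "unauthenticated" is an assumption about how the server logs anonymous requests.

```python
# Added example: flag unauthenticated POSTs to ToolPane.aspx and any request
# for spinstall0.aspx in IIS W3C logs. All sample data below is constructed.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-07-18 18:06:11 GET /sites/team/SitePages/Home.aspx alice@contoso.example 10.0.0.5 200
2025-07-18 18:06:40 POST /_layouts/15/ToolPane.aspx - 203.0.113.10 200
2025-07-18 18:06:52 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 200
2025-07-18 18:07:30 POST /_layouts/15/ToolPane.aspx bob@contoso.example 10.0.0.9 200
2025-07-18 18:08:02 GET /_layouts/15/SPINSTALL0.ASPX - 198.51.100.7 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text):
    """Return (severity, kind, client_ip, time) tuples for suspicious requests."""
    findings = []
    for req in parse_w3c(text):
        # Match on the file name only, case-insensitively, so the directory
        # the page is served from does not matter.
        leaf = req["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        anonymous = req.get("cs-username", "-") == "-"
        if leaf == "spinstall0.aspx":
            # A 200 means the server served something at the webshell's name.
            sev = "high" if req["sc-status"] == "200" else "probe"
            findings.append((sev, "webshell-name", req["c-ip"], req["time"]))
        elif leaf == "toolpane.aspx" and req["cs-method"] == "POST" and anonymous:
            findings.append(("review", "unauth-toolpane-post", req["c-ip"], req["time"]))
    return findings

def correlated_sources(findings):
    """Client IPs that both POSTed to ToolPane.aspx and requested the webshell name."""
    posts = {ip for _, kind, ip, _ in findings if kind == "unauth-toolpane-post"}
    shells = {ip for _, kind, ip, _ in findings if kind == "webshell-name"}
    return posts & shells

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    print("correlated:", sorted(correlated_sources(triage(SAMPLE_LOG))))
```

A source that appears in `correlated_sources` is the strongest lead, since it hit both stages of the chain; the authenticated POST in the sample is deliberately not flagged.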

Date

  • Created: July 21, 2025, 10:15 a.m.
  • Published: July 21, 2025, 10:15 a.m.
  • Modified: July 21, 2025, 11:57 a.m.

Attack Patterns