
SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A zero-day vulnerability dubbed 'ToolShell' targeting on-premises Microsoft SharePoint Servers has been actively exploited. The flaw, identified as CVE-2025-53770 with an accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been observed, each with unique tradecraft and objectives. Targets include organizations in technology consulting, manufacturing, critical infrastructure, and professional services. The exploitation enables access to SharePoint's ToolPane functionality without authentication, leading to code execution via uploaded or in-memory web components. Different webshells and techniques were employed, including a custom password-protected ASPX webshell and a reconnaissance utility targeting cryptographic material. Immediate patching and following Microsoft's recommendations are strongly advised.

OPENCTI LABELS:

remote code execution, zero-day, vulnerability, webshell, sharepoint, cve-2025-53771, cve-2025-53770, toolshell, cve-2025-49704, cve-2025-49706

