ToolShell: An all-you-can-eat buffet for threat actors

SUMMARY :

A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaining these with previously patched vulnerabilities to bypass authentication and deploy webshells. The attacks have been observed globally, with the US being the most targeted country. Various threat actors, including China-aligned APT groups, have been exploiting ToolShell. A backdoor associated with LuckyMouse was detected on a compromised machine in Vietnam. The ongoing attacks are expected to continue, targeting high-value government organizations and other vulnerable systems.

OPENCTI LABELS :

apt,backdoor,exploitation,zero-day,vulnerability,webshell,sharepoint,cve-2025-53771,cve-2025-53770,toolshell,cve-2025-49704,cve-2025-49706,msil/webshell.js,china-aligned


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


ToolShell: An all-you-can-eat buffet for threat actors