ToolShell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
This pulse highlights an ongoing mass exploitation campaign targeting on-premises Microsoft SharePoint servers using a newly disclosed remote code execution (RCE) chain dubbed ToolShell. Discovered on July 18, 2025, by Eye Security, the attack chain is now tracked as CVE-2025-53770 and CVE-2025-53771, combining two previously known but unpatched vulnerabilities. The attackers exploit ToolPane.aspx via unauthenticated HTTP requests, dropping a custom ASPX webshell (spinstall0.aspx) into the SharePoint site.
OPENCTI LABELS :
exploit,rce,vulnerability,webshell,sharepoint,cve-2025-53771,cve-2025-53770,on-premise,toolshell