A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaining these with previously patched vulnerabilities to bypass authentication and deploy webshells. The attacks have been observed globally, with the US being the most targeted country. Various threat actors, including China-aligned APT groups, have been exploiting ToolShell. A backdoor associated with LuckyMouse was detected on a compromised machine in Vietnam. The ongoing attacks are expected to continue, targeting high-value government organizations and other vulnerable systems. Author: AlienVault
Related Tags:
MSIL/Webshell.JS
cve-2025-49706
cve-2025-49704
toolshell
cve-2025-53770
cve-2025-53771
exploitation
Zero-Day
vulnerability
Associated Indicators:
F5B60A8EAD96703080E73A1F79C3E70FF44DF271
02B4571470D83163D103112F07F1C434
45.77.155.170
173.239.247.32
83.136.182.237
2.56.190.139
64.176.50.109
149.28.17.188
141.164.60.10