The recent zero-day attacks exploit chained vulnerabilities in Microsoft SharePoint, specifically CVE-2025-53770 and CVE-2025-53771, allowing remote code execution. Despite Microsoft’s patches, threat actors continue to exploit unpatched systems, targeting critical organizations worldwide. #ToolShell #SharePointVulnerabilities
Key points
- Widespread attacks against SharePoint servers began in July, exploiting newly identified CVEs.
- Threat actors bypass Microsoft patches, exploiting unpatched on-premises SharePoint instances.
- The initial attack phases targeted high-value organizations in critical sectors, followed by opportunistic, indiscriminate activity.
- There is ongoing confusion over whether CVE-2025-53770 is chained with CVE-2025-53771 in the wild.
- Organizations are advised to apply patches and rotate cryptographic keys to mitigate risks.
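The key-rotation step above is the part administrators most often skip after patching, because the patch alone does not invalidate ASP.NET machine keys an attacker may already have extracted. The script below is an added illustration of that mitigation, not code from the original post or from Microsoft; it assumes a SharePoint Server 2019 or Subscription Edition farm where the `Update-SPMachineKey` cmdlet is available (on older versions the keys are rotated through Central Administration instead), and that it is run from the SharePoint Management Shell as a farm administrator. Patch levels must still be checked against the vendor's advisory; the script only lists what is installed.

```powershell
# Added example: post-patch hardening for an on-premises SharePoint farm.
# Assumes SharePoint Server 2019 / Subscription Edition and the SharePoint
# Management Shell (farm admin). Not the original page's code.

# 1. List installed SharePoint products and patch state so the result can be
#    compared with the vendor advisory (the CVE-to-KB mapping is not assumed here).
Get-SPProduct -Local | Select-Object ProductName, PatchableUnitDisplayNames |
    Format-List

# 2. Rotate the ASP.NET machine keys for every web application in the farm.
#    Rotation invalidates ViewState/forms tokens signed with keys that may have
#    been exposed; without it, a patched server can still accept attacker-signed
#    payloads produced before the patch.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on each SharePoint server so the new keys take effect.
#    Run this on every server in the farm, not just the one executing the script.
iisreset.exe
```

Rotate the keys only after all servers in the farm are patched, and repeat step 3 on every server; a single unrestarted node keeps serving with the old keys and undoes the benefit of the rotation.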