ToolShell: Critical SharePoint Zero-Day Exploited in the Wild

A zero-day vulnerability named ToolShell (CVE-2025-53770) in on-premises SharePoint servers allows unauthenticated remote code execution and access to all content, with partial patches released by Microsoft. Related vulnerabilities (CVE-2025-53771 and CVE-2025-49704) have also been addressed, and users are advised to update SharePoint and monitor specific indicators of compromise. #ToolShell #SharePoint #CVE202553770

Keypoints

  • Microsoft partially patched the zero-day vulnerability CVE-2025-53770 affecting on-premises SharePoint servers, except for SharePoint 2016, which remains unpatched.
  • The ToolShell vulnerability enables unauthenticated attackers to remotely execute code and access all files and content on vulnerable SharePoint servers.
  • This zero-day is a variant of a recently patched vulnerability CVE-2025-49704 from July 2025, which is already blocked by Symantec products.
  • A related path traversal vulnerability, CVE-2025-53771, was also patched; it allows an authorized attacker to perform spoofing over a network and is a variant of CVE-2025-49706.
  • Microsoft reported active exploitation of these vulnerabilities but did not disclose the threat actors behind the attacks.
  • CISA recommends monitoring POST requests to “/_layouts/15/ToolPane.aspx?DisplayMode=Edit” and checking logs for specific IP addresses linked to scanning and exploitation activity.
  • Symantec Endpoint products detect and block malicious files related to these vulnerabilities, with updated network protections available.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – ToolShell allows unauthenticated remote code execution on SharePoint servers (“gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code”).
  • [T1090] Proxy – The path traversal vulnerability CVE-2025-53771 enables network spoofing, allowing attackers to disguise their network traffic (“it allows an authorized attacker to perform spoofing over a network”).

Indicators of Compromise

  • [IP Addresses] IP addresses involved in scanning and exploitation activities – 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147, among others.
  • [HTTP Request] Suspicious POST endpoint to monitor – /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
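The two checks CISA recommends (the ToolPane.aspx POST pattern in the Keypoints and the IP addresses listed above) can be run over IIS W3C logs from a SharePoint front end. The following is an added example written for this summary, not code from the advisory, Symantec or Microsoft; it assumes a W3C log with a `#Fields:` header naming at least `cs-method`, `cs-uri-stem`, `cs-uri-query` and `c-ip`, and the sample log it parses is constructed, not real telemetry.

```python
# Indicators quoted in the summary above. The IPs appear there defanged
# ("107.191.58[.]76"), so refang them before comparing against log fields.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
TOOLPANE_QUERY = "displaymode=edit"
KNOWN_IPS = {ip.replace("[.]", ".") for ip in
             ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}


def parse_w3c(text):
    """Yield one dict per record of an IIS W3C log, keyed by its #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order comes from the log itself
        elif line.startswith("#") or not line.strip():
            continue                            # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def find_toolshell_indicators(text):
    """Return (c-ip, reason) pairs for records matching the CISA-recommended checks."""
    findings = []
    for rec in parse_w3c(text):
        ip = rec.get("c-ip", "")
        # IIS paths and query strings are case-insensitive; normalise before matching.
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if (rec.get("cs-method") == "POST" and stem == TOOLPANE_STEM
                and TOOLPANE_QUERY in query):
            findings.append((ip, "POST to ToolPane.aspx?DisplayMode=Edit"))
        if ip in KNOWN_IPS:
            findings.append((ip, "request from IP linked to scanning/exploitation"))
    return findings


# Constructed sample log (not real telemetry): one benign GET, one POST to the
# monitored endpoint from an unlisted IP, and one GET from a listed IP.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-20 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 10.0.0.22 200
2025-07-20 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 203.0.113.9 200
2025-07-20 10:00:09 10.0.0.5 GET /_layouts/15/start.aspx - 443 107.191.58.76 401
"""

if __name__ == "__main__":
    for ip, reason in find_toolshell_indicators(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A hit on the POST pattern is worth investigating even when the source IP is not on the list, since the published IPs cover only observed scanning activity.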

Read more: https://www.security.com/threat-intelligence/toolshell-zero-day-sharepoint-cve-2025-53770