A critical zero-day vulnerability named ToolShell (CVE-2025-53770) has been discovered in on-premises SharePoint Server deployments. This vulnerability allows unauthenticated remote code execution, posing a significant threat to organizations worldwide. SentinelOne has detected active exploitation and provides defensive measures. ToolShell's severity is characterized by its zero-day status, high CVSS score of 9.8, no authentication requirement, and remote code execution capability. SentinelOne's defense strategy includes early identification, out-of-the-box detection logic, IOC integration, hunting queries, and proactive detection through Singularity Vulnerability Management. Recommended mitigation steps include isolating SharePoint instances, enabling AMSI, applying patches, integrating IOCs, monitoring for suspicious behavior, and conducting retroactive threat hunting.