Inside The ToolShell Campaign
Essential information
- Published: 25/07/2025 20:49
- Modified: 28/07/2025 09:13
- Tags: 2025-07-25, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, exploit chain, fileless, ghostwebshell, keysiphon, remote code execution, sharepoint, toolshell, zero-day
- Related entities: 10 techniques (mitre), 2 malware
Description
FortiGuard Labs has identified a new exploit chain, called 'ToolShell', that targets on-premises Microsoft SharePoint servers. The attack combines two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. The campaign uses sophisticated tooling: GhostWebShell, a fileless ASP.NET web shell used for remote access, and KeySiphon, which collects system information and application secrets. Active exploitation underscores SharePoint's status as a high-value target and the speed with which disclosed vulnerabilities are weaponized. FortiGuard Labs has released protective measures and recommends prompt patching, layered security, and thorough log review to mitigate the risk.