ToolShell: An all-you-can-eat buffet for threat actors
Essential information
- Published
- 12/08/2025 10:45
- Modified
- 12/08/2025 11:19
- Tags
- 2025-08-12 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771 apt backdoor china-aligned exploitation msil/webshell.js sharepoint toolshell vulnerability webshell zero-day
- Related entities
- 1 vulnerabilities (cve), 20 observables, 1 intrusion sets (apt), 4 techniques (mitre), 1 malware, 2 others
Description
A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaining these with previously patched vulnerabilities to bypass authentication and deploy webshells. The attacks have been observed globally, with the US being the most targeted country. Various threat actors, including China-aligned APT groups, have been exploiting ToolShell. A backdoor associated with LuckyMouse was detected on a compromised machine in Vietnam. The ongoing attacks are expected to continue, targeting high-value government organizations and other vulnerable systems.