ToolShell Exploit: Critical SharePoint Zero-Day Threatens Global Enterprises
Essential information
- Published
- 14/08/2025 22:16
- Modified
- 15/08/2025 12:38
- Tags
- 2025-08-14, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, chinese threat actors, cryptographic keys, exploit chain, in-memory payload, sharepoint, toolshell, zero-day
- Related entities
- 4 vulnerabilities (cve), 8 observables, 1 intrusion set (apt), 5 techniques (mitre), 1 malware
Description
A zero-day exploit chain named 'ToolShell' is being used against on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations; SharePoint Online is not affected. The chain pairs an authentication bypass (CVE-2025-53771) with a deserialization remote code execution flaw (CVE-2025-53770); both are bypasses of the fixes Microsoft shipped in July 2025 for CVE-2025-49706 and CVE-2025-49704 respectively, which is why all four CVEs are tagged on this report. Once code runs on the server, the attackers read the ASP.NET machine key material (ValidationKey and DecryptionKey), which lets them forge signed __VIEWSTATE payloads and keep executing code even after the patch is installed; remediation therefore requires rotating the machine keys and restarting IIS in addition to patching. Later variants load the payload in memory instead of dropping a web shell to disk, so file-based indicators alone are unreliable and request-level telemetry matters. Microsoft attributes exploitation to the Chinese state actors Linen Typhoon and Violet Typhoon and to the China-based group Storm-2603, with attacks observed since July 7, 2025. The campaign's impact is significant: nearly 5% of scanned organizations were vulnerable and over 400 victims have been confirmed.
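Because the in-memory variant leaves no web shell to find, the most durable detection is at the request layer. The following is an added example, not part of this report or any vendor tooling: it parses IIS W3C logs from a SharePoint front end and flags the two request patterns that Microsoft and Eye Security published for ToolShell, an unauthenticated POST to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` carrying a `Referer` of `/_layouts/SignOut.aspx`, and any request for `spinstall0.aspx`. The log excerpt is constructed for the demonstration (the IPs and hostnames are placeholders), and the field layout assumes the default IIS W3C extended logging format; adjust `#Fields` handling if your servers log a different field set.

```python
"""Flag ToolShell-style request patterns in IIS W3C logs from a SharePoint front end."""
from typing import Dict, List, Tuple

# Constructed sample excerpt (not real telemetry). Field layout follows the default IIS
# W3C extended format; IIS encodes spaces inside a field value as '+'. Row 4 is a
# legitimate authenticated page edit, included to show why the Referer check matters.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 13:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 120
2025-07-18 13:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-07-18 13:05:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/ 200 0 0 40
2025-07-18 13:06:20 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.0.45 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/_layouts/15/settings.aspx 200 0 0 300
"""

Finding = Tuple[str, str, str]  # (timestamp, rule name, client IP)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # header declares the column order for following rows
            continue
        if not raw or raw.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request data
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # skip rows that do not match the declared layout rather than misalign
        rows.append(dict(zip(fields, parts)))
    return rows


def detect_toolshell(rows: List[Dict[str, str]]) -> List[Finding]:
    """Apply the two published ToolShell request indicators to parsed log rows."""
    findings: List[Finding] = []
    for r in rows:
        method = r.get("cs-method", "").upper()
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        when = f"{r.get('date', '')} {r.get('time', '')}"
        client = r.get("c-ip", "")
        # Initial exploitation request: ToolPane.aspx edit POST with the SignOut Referer.
        # Legitimate editors also POST to ToolPane.aspx, so the Referer is the discriminator.
        # This fires for the in-memory variant too, since it keys on the request, not a file.
        if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
                and "displaymode=edit" in query
                and referer.endswith("/_layouts/signout.aspx")):
            findings.append((when, "toolpane_signout_referer", client))
        # Follow-up fetch of the key-stealing web shell; absent in later in-memory variants.
        if stem.endswith("/spinstall0.aspx"):
            findings.append((when, "spinstall0_webshell", client))
    return findings


def main() -> None:
    for when, rule, client in detect_toolshell(parse_w3c(SAMPLE_LOG)):
        print(f"{when}  {rule:<26} client={client}")


if __name__ == "__main__":
    main()
```

Any `toolpane_signout_referer` hit should be treated as a likely compromise and should trigger machine key rotation on the farm regardless of whether `spinstall0.aspx` is seen, because the forged-ViewState persistence does not depend on the web shell remaining on disk.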