{
  "name": "ToolShell Exploit: Critical SharePoint Zero-Day Threatens Global Enterprises",
  "slug": "toolshell-exploit-critical-sharepoint-zero-day-threatens-global-enterprises",
  "description": "A zero-day exploit chain named 'ToolShell' is actively targeting on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack chains two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771; the report also lists the related CVE-2025-49704 and CVE-2025-49706) to achieve remote code execution and steal cryptographic keys. Because stolen keys remain valid after the fix is installed, patching alone does not evict the attacker: the compromised keys must also be rotated. The campaign has evolved to use an in-memory payload, so file-based web-shell detection is unreliable and memory- or behaviour-based hunting is needed. Chinese state-sponsored threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, have been exploiting these vulnerabilities since July 7, 2025. The campaign's impact is significant, with nearly 5% of scanned organizations vulnerable and over 400 confirmed victims.",
  "published": "2025-08-14T20:16:33+00:00",
  "created_at": "2025-08-14T20:16:33+00:00",
  "modified_at": "2025-08-15T10:38:02+00:00",
  "created_at_opencti": "2025-08-14T20:16:33+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-14",
    "CVE-2025-49704",
    "CVE-2025-49706",
    "CVE-2025-53770",
    "CVE-2025-53771",
    "chinese threat actors",
    "cryptographic keys",
    "exploit chain",
    "in-memory payload",
    "sharepoint",
    "toolshell",
    "zero-day"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "188.130.206.168"
      },
      {
        "id": "",
        "name": "45.191.66.77"
      },
      {
        "id": "",
        "name": "206.166.251.228"
      },
      {
        "id": "",
        "name": "96.9.125.147"
      },
      {
        "id": "",
        "name": "30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27"
      },
      {
        "id": "",
        "name": "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"
      },
      {
        "id": "",
        "name": "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
      },
      {
        "id": "",
        "name": "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:f57d1cbe6342f511",
        "name": "ToolShell",
        "slug": "toolshell"
      }
    ],
    "intrusion_sets": [
      {
        "id": "fdc703d5-4a78-4482-9988-6700036028a9",
        "name": "Linen Typhoon, Violet Typhoon, Storm-2603",
        "slug": "linen-typhoon-violet-typhoon-storm-2603"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-53771"
      },
      {
        "id": "",
        "name": "CVE-2025-53770"
      },
      {
        "id": "",
        "name": "CVE-2025-49706"
      },
      {
        "id": "",
        "name": "CVE-2025-49704"
      }
    ]
  },
  "external_refs": [
    "https://www.recordedfuture.com/blog/toolshell-exploit-chain-thousands-sharepoint-servers-risk",
    "https://otx.alienvault.com/pulse/689e604111a440e0f4a15f30"
  ]
}