ToolShell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified
Essential information
- Published: 21/07/2025 10:15
- Modified: 21/07/2025 11:57
- Tags: 2025-07-21, CVE-2025-53770, CVE-2025-53771, exploit, on-premise, rce, sharepoint, toolshell, vulnerability, webshell
- Related entities: 4 techniques (MITRE)
Description
This pulse highlights an ongoing mass exploitation campaign targeting on-premises Microsoft SharePoint servers using a newly disclosed remote code execution (RCE) chain dubbed ToolShell. Discovered on July 18, 2025, by Eye Security, the attack chain is now tracked as CVE-2025-53770 and CVE-2025-53771, combining two previously known but unpatched vulnerabilities. The attackers exploit ToolPane.aspx via unauthenticated HTTP requests, dropping a custom ASPX webshell (spinstall0.aspx) into the SharePoint site.
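
The two artefacts named above (an unauthenticated request to ToolPane.aspx and the spinstall0.aspx webshell) can be hunted for in IIS W3C logs. The following is an added example, not code from the original pulse or from Eye Security; the rule names, the log field set, and the sample log lines (including their directory paths, user names and IP addresses) are constructed, and treating POST as the request method of interest is an assumption.

```python
# Filenames taken from the description above; everything else is an assumption.
ENTRY_PAGE = "toolpane.aspx"
WEBSHELL = "spinstall0.aspx"

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields: directive as the schema."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_toolshell_activity(lines):
    """Return (rule, client_ip, uri, status) tuples for suspicious requests."""
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        page = uri.rsplit("/", 1)[-1].lower()      # match the file name in any directory
        method = row.get("cs-method", "").upper()
        anonymous = row.get("cs-username", "-") == "-"   # IIS logs "-" when no user is set
        status = row.get("sc-status", "")
        ip = row.get("c-ip", "-")
        if page == ENTRY_PAGE and method == "POST" and anonymous:
            hits.append(("unauthenticated-toolpane-post", ip, uri, status))
        elif page == WEBSHELL:
            rule = "webshell-served" if status == "200" else "webshell-probe"
            hits.append((rule, ip, uri, status))
    return hits

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-07-19 08:01:12 GET /_layouts/15/start.aspx CONTOSO\\alice 198.51.100.7 200
2025-07-19 08:03:40 POST /_layouts/15/ToolPane.aspx - 203.0.113.50 200
2025-07-19 08:03:44 GET /_layouts/15/spinstall0.aspx - 203.0.113.50 200
2025-07-19 08:05:02 POST /_layouts/15/ToolPane.aspx CONTOSO\\bob 198.51.100.9 200
2025-07-19 08:09:30 GET /_layouts/15/SPINSTALL0.ASPX - 192.0.2.33 404
""".splitlines()

if __name__ == "__main__":
    for hit in find_toolshell_activity(SAMPLE_LOG):
        print(*hit)
```

A `webshell-served` hit means the server returned the file and should be handled as a compromise; an empty result only covers the log files that were scanned and requires `cs-username` logging to be enabled for the anonymous check to work.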