{
  "name": "Toolshell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified",
  "slug": "toolshell-large-scale-exploitation-of-new-sharepoint-rce-vulnerability-chain-identified",
  "description": "This pulse covers an ongoing mass-exploitation campaign against on-premises Microsoft SharePoint servers that uses a newly disclosed remote code execution (RCE) chain dubbed ToolShell. The attack chain was discovered on July 18, 2025, by Eye Security and is now tracked as CVE-2025-53770 and CVE-2025-53771; it combines two previously known but unpatched vulnerabilities. The attackers send unauthenticated HTTP requests to ToolPane.aspx and drop a custom ASPX webshell (spinstall0.aspx) into the SharePoint site.",
  "published": "2025-07-21T08:15:02+00:00",
  "created_at": "2025-07-21T08:15:02+00:00",
  "modified_at": "2025-07-21T09:57:42+00:00",
  "created_at_opencti": "2025-07-21T08:15:02+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-21",
    "CVE-2025-53770",
    "CVE-2025-53771",
    "exploit",
    "on-premise",
    "rce",
    "sharepoint",
    "toolshell",
    "vulnerability",
    "webshell"
  ],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/687e1326defc04da82d0b809",
    "https://research.eye.security/sharepoint-under-siege/"
  ]
}