CyberSecurityBoard
Sponsor Register Login

ToolShell Exploit Chain Attacking SharePoint Servers to Gain Complete Control

This multi-stage attack combines previously patched vulnerabilities with fresh zero-day exploits to achieve complete system compromise, affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. It embeds a Base64-encoded ASP.NET page that exposes a “?cmd=” parameter, enabling attackers to execute arbitrary system commands through “cmd.exe /c <command>” syntax. The Cybersecurity and Infrastructure Security Agency (CISA) has already added these CVEs to its Known Exploited Vulnerabilities catalog, highlighting the severity of this threat. The attack typically begins with the exploitation of the “spinstall0.aspx” endpoint, allowing attackers to upload configuration data to remote servers. Threat actors are exploiting two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) alongside two newly discovered zero-day variants (CVE-2025-53770 and CVE-2025-53771). It collects critical information including logical drive configurations, machine specifications, CPU core counts, system uptime, and operating system details.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Jul 2025 10:40:21 +0000


Cyber News related to ToolShell Exploit Chain Attacking SharePoint Servers to Gain Complete Control

Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security - In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, ...
1 week ago Krebsonsecurity.com CVE-2025-53770
SharePoint 0-day Vulnerability Exploited in Wild by All Sorts of Hacker Groups - File Indicators of Compromise (IoCs) SHA-1FilenameDetectionDescriptionF5B60A8EAD96703080E73A1F79C3E70FF44DF271spinstall0.aspxMSIL/Webshell.JSWebshell deployed via SharePoint vulnerabilities Network Indicators of Compromise (IoCs) IP ...
3 days ago Cybersecuritynews.com
Microsoft Releases Mitigations and Threat Hunting Queries for SharePoint Zero-Day - Thousands of organizations worldwide face active cyberattacks targeting Microsoft SharePoint servers through two critical vulnerabilities, prompting urgent government warnings and emergency patches. Microsoft released emergency security updates on ...
6 days ago Cybersecuritynews.com CVE-2025-53770
Microsoft SharePoint zero-day exploited in RCE attacks, no patch available - The Microsoft SharePoint zero-day attacks were first identified by Dutch cybersecurity firm Eye Security, which told BleepingComputer that over 75 companies have already been compromised by the attacks. In May, Viettel Cyber Security researchers ...
1 week ago Bleepingcomputer.com CVE-2025-49706
Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com
Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks - Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attacks. These flaws were fixed as part of the ...
1 week ago Bleepingcomputer.com CVE-2025-53770
SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access - A sophisticated cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed “ToolShell,” enabling attackers to gain complete remote control over vulnerable ...
1 week ago Cybersecuritynews.com CVE-2025-49706
Critical SharePoint RCE Vulnerability Exploited Using Malicious XML Payload Within Web Part - The vulnerability highlights the critical importance of secure deserialization practices in enterprise applications and the need for comprehensive security reviews of complex application frameworks like SharePoint. According to the Viettel Security ...
1 week ago Cybersecuritynews.com
Microsoft Sharepoint ToolShell attacks linked to Chinese hackers - On Monday, after Microsoft released security patches for all impacted SharePoint versions, a CVE-2025-53770 proof-of-concept exploit was also released on GitHub, making it easier for more threat actors and hacking groups to join ongoing attacks. ...
6 days ago Bleepingcomputer.com CVE-2025-53770
ToolShell Exploit Chain Attacking SharePoint Servers to Gain Complete Control - This multi-stage attack combines previously patched vulnerabilities with fresh zero-day exploits to achieve complete system compromise, affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. ...
6 hours ago Cybersecuritynews.com CVE-2025-49704
Microsoft Released an Emergency Security Update to Patch a Critical SharePoint 0-Day Vulnerability - Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting. Microsoft Defender for Endpoint generates specific alerts, including ...
1 week ago Cybersecuritynews.com CVE-2025-53770
Chinese Hackers Actively Exploiting SharePoint Servers 0-Day Vulnerability in the Wild - The tech giant’s Security Response Center reported coordinated attacks targeting internet-facing SharePoint installations using newly disclosed vulnerabilities that enable authentication bypass and remote code execution. Microsoft has released ...
5 days ago Cybersecuritynews.com CVE-2025-53770
New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
2 years ago Csoonline.com
CISA Warns of Chinese Hackers Exploiting SharePoint 0-Day Flaws in Active Exploitation - The attack campaign, dubbed “ToolShell,” leverages a vulnerability chain involving CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution) to gain unauthorized access to on-premises SharePoint servers. Additionally, ...
5 days ago Cybersecuritynews.com CVE-2025-49706
CISA Warns of Microsoft SharePoint server 0-Day RCE Vulnerability Exploited in Wild - CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiting in the wild. The vulnerability, tracked as ...
1 week ago Cybersecuritynews.com CVE-2025-53770
US nuclear weapons agency reportedly hacked in SharePoint attacks - Unknown threat actors have reportedly breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. Dutch cybersecurity firm Eye Security first detected the ...
5 days ago Bleepingcomputer.com APT29
US nuclear weapons agency hacked in Microsoft SharePoint attacks - Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. Dutch cybersecurity firm Eye Security first detected the zero-day ...
5 days ago Bleepingcomputer.com APT29
Microsoft: SharePoint servers also targeted in ransomware attacks - Microsoft Threat Intelligence researchers have also linked the Linen Typhoon and Violet Typhoon Chinese state-backed hacking groups with these attacks on Tuesday, days after Dutch cybersecurity firm Eye Security first detected zero-day attacks ...
4 days ago Bleepingcomputer.com LockBit CVE-2025-49706
Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint Vulnerabilities - At least a dozen Chinese companies currently participate in the 17-year-old MAPP program, which provides cybersecurity vendors with advance notice of vulnerabilities – typically 24 hours before public disclosure, with some trusted partners ...
2 days ago Cybersecuritynews.com
CVE-2015-0085 - Use-after-free vulnerability in Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Office 2013 Gold and SP1, Word 2013 Gold and SP1, Office 2013 RT Gold ...
6 years ago
US Nuclear Weapons Agency Breached by Hackers Using SharePoint 0-Day Vulnerability - Chinese government-affiliated hacking groups leveraged a zero-day exploit affecting on-premises SharePoint installations to infiltrate over 50 organizations, including the agency responsible for maintaining the Navy’s nuclear submarine ...
5 days ago Cybersecuritynews.com
CVE-2020-16944 - <p>This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server.</p> ...
1 year ago
New SharePoint flaws help hackers evade detection when stealing files - Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. Microsoft SharePoint is a web-based collaborative platform that integrates with ...
1 year ago Bleepingcomputer.com
New HeadCrab Malware Hijacks 1,200 Redis Servers - Since September 2021, over a thousand vulnerable Redis servers online have been infected by a stealthy malware dubbed "HeadCrab", designed to build a botnet that mines Monero cryptocurrency. At least 1,200 servers have been infected by the HeadCrab ...
2 years ago Heimdalsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)