ToolShell Exploit Chain Attacking SharePoint Servers to Gain Complete Control

This multi-stage attack combines previously patched vulnerabilities with fresh zero-day exploits to achieve complete system compromise, affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Threat actors are exploiting two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) alongside two newly discovered zero-day variants (CVE-2025-53770 and CVE-2025-53771). The attack typically begins with the deployment of the “spinstall0.aspx” webshell, which attackers use to send configuration data from the server to remote systems under their control. The chain then plants a Base64-encoded ASP.NET page that exposes a “?cmd=” parameter, enabling attackers to execute arbitrary system commands through “cmd.exe /c <command>” syntax. That page also collects critical information including logical drive configurations, machine specifications, CPU core counts, system uptime, and operating system details. The Cybersecurity and Infrastructure Security Agency (CISA) has already added these CVEs to its Known Exploited Vulnerabilities catalog, highlighting the severity of this threat.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Jul 2025 10:40:21 +0000
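The indicators named in the summary above (the spinstall0.aspx webshell, a “?cmd=” parameter passed to cmd.exe /c, and an ASP.NET page whose executing code is hidden in a Base64 blob) translate directly into hunting logic. The Python script below is an added example written for this page, not code from the article, from Microsoft or from any incident-response vendor. The IIS W3C log excerpt, the sample page source, the field layout and the exact cmd.exe call pattern it matches are constructed assumptions; real dropped files may use other names.

```python
"""
Hunting helpers for ToolShell-style activity: requests to the spinstall0.aspx
webshell, a "cmd=" query parameter, and an ASP.NET page that hides its
command-execution logic behind a Base64 blob.

Added example, not code from the article. The IIS W3C log excerpt, the
webshell source and the field layout are constructed for this demonstration;
the regexes encode the indicators named in the article plus an assumption
about how such a page invokes cmd.exe.
"""
import base64
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt. Real logs carry more fields; the #Fields
# header is parsed, so extra columns do not break the parser.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip cs(Referer)
2025-07-19 03:11:02 GET /_layouts/15/start.aspx - 200 203.0.113.7 -
2025-07-19 03:11:45 POST /_layouts/15/spinstall0.aspx - 200 203.0.113.7 -
2025-07-19 03:12:10 GET /_layouts/15/spinstall0.aspx cmd=whoami 200 203.0.113.7 -
2025-07-19 03:12:30 GET /_layouts/15/help.aspx cmd=dir+c:\\ 200 203.0.113.9 -
2025-07-19 03:13:00 GET /sites/hr/default.aspx - 200 198.51.100.4 -
"""

WEBSHELL_NAME = "spinstall0.aspx"   # file name reported in the article
CMD_PARAM = "cmd"                   # "?cmd=" parameter reported in the article

# Markers of the command-execution page. The cmd.exe pattern tolerates
# `"cmd.exe", "/c "` (ProcessStartInfo style) as well as a literal `cmd.exe /c`.
WEBSHELL_MARKERS = (
    re.compile(r'cmd\.exe["\s,]*/c', re.I),
    re.compile(r'Request(?:\.QueryString|\.Form)?\s*\[\s*"cmd"\s*\]', re.I),
)
# Runs long enough to be an embedded page rather than a token or a hash.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_iis_log(text: str) -> list[dict]:
    """Turn a W3C extended log into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_suspicious_requests(rows: list[dict]) -> list[dict]:
    """Flag requests hitting the webshell name or carrying a cmd= parameter."""
    findings = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        reasons = []
        if stem.endswith("/" + WEBSHELL_NAME):
            reasons.append(f"request to {WEBSHELL_NAME}")
        if query != "-":
            params = parse_qs(query, keep_blank_values=True)
            if CMD_PARAM in params:
                reasons.append(f"{CMD_PARAM}= parameter: {params[CMD_PARAM][0]!r}")
        if reasons:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "method": row["cs-method"],
                "uri": stem,
                "reasons": reasons,
            })
    return findings


def scan_aspx_source(src: str) -> list[str]:
    """Report webshell markers found in plain text or inside Base64 blobs."""
    hits = []
    for marker in WEBSHELL_MARKERS:
        if marker.search(src):
            hits.append(f"plain-text marker: {marker.pattern}")
    for blob in B64_RUN.findall(src):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for marker in WEBSHELL_MARKERS:
            if marker.search(decoded):
                hits.append(f"base64-embedded marker: {marker.pattern}")
    return hits


# Constructed stand-in for the dropped page: the executing code is only
# visible after decoding the embedded Base64 string.
INNER_PAGE = (
    '<%@ Page Language="C#" %>\n'
    '<% var c = Request.QueryString["cmd"];\n'
    '   var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + c); %>\n'
)
SAMPLE_DROPPER = (
    '<%@ Page Language="C#" %>\n'
    '<% var src = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String("'
    + base64.b64encode(INNER_PAGE.encode()).decode()
    + '")); %>\n'
)


if __name__ == "__main__":
    for f in find_suspicious_requests(parse_iis_log(SAMPLE_IIS_LOG)):
        print(f["time"], f["client"], f["method"], f["uri"], "; ".join(f["reasons"]))
    print("webshell scan:", scan_aspx_source(SAMPLE_DROPPER))
```

Run the two functions against the W3C logs under the IIS logging directory and against every .aspx file in the SharePoint LAYOUTS folders. A hit on spinstall0.aspx or on a cmd= parameter is a strong signal; the Base64 scan is a heuristic that will also flag legitimate embedded resources and needs manual review. An absence of hits does not clear a server: the chain has other stages, and attackers rename webshells and parameters freely.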


Cyber News related to ToolShell Exploit Chain Attacking SharePoint Servers to Gain Complete Control

Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security - In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, ...
5 months ago Krebsonsecurity.com CVE-2025-53770
SharePoint 0-day Vulnerability Exploited in Wild by All Sorts of Hacker Groups - File Indicators of Compromise (IoCs): SHA-1 F5B60A8EAD96703080E73A1F79C3E70FF44DF271, filename spinstall0.aspx, detection MSIL/Webshell.JS, description “Webshell deployed via SharePoint vulnerabilities”. Network Indicators of Compromise (IoCs): IP ...
5 months ago Cybersecuritynews.com
Microsoft Releases Mitigations and Threat Hunting Queries for SharePoint Zero-Day - Thousands of organizations worldwide face active cyberattacks targeting Microsoft SharePoint servers through two critical vulnerabilities, prompting urgent government warnings and emergency patches. Microsoft released emergency security updates on ...
5 months ago Cybersecuritynews.com CVE-2025-53770
Microsoft SharePoint zero-day exploited in RCE attacks, no patch available - The Microsoft SharePoint zero-day attacks were first identified by Dutch cybersecurity firm Eye Security, which told BleepingComputer that over 75 companies have already been compromised by the attacks. In May, Viettel Cyber Security researchers ...
5 months ago Bleepingcomputer.com CVE-2025-49706
Warlock Ransomware Actors Exploiting SharePoint ToolShell Zero-Day - Warlock ransomware operators have been actively exploiting the SharePoint ToolShell zero-day chain to advance their malicious campaigns. The flaw allows attackers to execute arbitrary code and escalate privileges within compromised ...
2 months ago Cybersecuritynews.com CVE-2024-2739 Warlock
ToolShell Vulnerability Could Compromise Networks - The ToolShell vulnerability represents a significant security risk to enterprise networks worldwide. This flaw allows attackers to compromise internet-facing on-premises SharePoint servers, potentially leading to unauthorized access and control over critical infrastructure. ...
2 months ago Cybersecuritynews.com CVE-2024-5678 Shadow Hydra
Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com
Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks - Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attacks. These flaws were fixed as part of the ...
5 months ago Bleepingcomputer.com CVE-2025-53770
SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access - A sophisticated cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed “ToolShell,” enabling attackers to gain complete remote control over vulnerable ...
5 months ago Cybersecuritynews.com CVE-2025-49706
Critical SharePoint RCE Vulnerability Exploited Using Malicious XML Payload Within Web Part - The vulnerability highlights the critical importance of secure deserialization practices in enterprise applications and the need for comprehensive security reviews of complex application frameworks like SharePoint. According to the Viettel Security ...
5 months ago Cybersecuritynews.com
ToolShell Gains Traction as a Potent Cyber Espionage Tool - ToolShell, the SharePoint exploit chain, is rapidly gaining traction among espionage-focused threat actors because of the reliable server access it provides. That access enables attackers to conduct persistent surveillance, data exfiltration, ...
2 months ago Infosecurity-magazine.com
SharePoint ToolShell attacks targeted orgs across four continents - Recent cyberattacks leveraging the SharePoint ToolShell exploit chain have targeted organizations across four continents, highlighting a significant global threat. These attacks exploit vulnerabilities in Microsoft SharePoint to deploy malicious tools that ...
2 months ago Bleepingcomputer.com
Microsoft SharePoint ToolShell attacks linked to Chinese hackers - On Monday, after Microsoft released security patches for all impacted SharePoint versions, a CVE-2025-53770 proof-of-concept exploit was also released on GitHub, making it easier for more threat actors and hacking groups to join ongoing attacks. ...
5 months ago Bleepingcomputer.com CVE-2025-53770
Microsoft Released an Emergency Security Update to Patch a Critical SharePoint 0-Day Vulnerability - Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting. Microsoft Defender for Endpoint generates specific alerts, including ...
5 months ago Cybersecuritynews.com CVE-2025-53770
17K+ SharePoint Servers Exposed to Internet - 840 Servers Vulnerable to 0-Day Attacks - A massive exposure of Microsoft SharePoint servers to internet-based attacks has been identified, with over 17,000 servers exposed and 840 specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770, according to new findings from ...
4 months ago Cybersecuritynews.com APT3 CVE-2025-53770
Chinese Hackers Actively Exploiting SharePoint Servers 0-Day Vulnerability in the Wild - The tech giant’s Security Response Center reported coordinated attacks targeting internet-facing SharePoint installations using newly disclosed vulnerabilities that enable authentication bypass and remote code execution. Microsoft has released ...
5 months ago Cybersecuritynews.com CVE-2025-53770
Microsoft SharePoint Server 0-Day Hack Hits African Treasury, Companies, and University - The attack specifically targets on-premises SharePoint installations, exploiting previously unknown security flaws that allowed threat actors to infiltrate critical infrastructure systems belonging to government agencies, educational institutions, and ...
4 months ago Cybersecuritynews.com
CISA Warns of Microsoft SharePoint server 0-Day RCE Vulnerability Exploited in Wild - CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiting in the wild. The vulnerability, tracked as ...
5 months ago Cybersecuritynews.com CVE-2025-53770
New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
2 years ago Csoonline.com
CISA Warns of Chinese Hackers Exploiting SharePoint 0-Day Flaws in Active Exploitation - The attack campaign, dubbed “ToolShell,” leverages a vulnerability chain involving CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution) to gain unauthorized access to on-premises SharePoint servers. Additionally, ...
5 months ago Cybersecuritynews.com CVE-2025-49706
US nuclear weapons agency reportedly hacked in SharePoint attacks - Unknown threat actors have reportedly breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. Dutch cybersecurity firm Eye Security first detected the ...
5 months ago Bleepingcomputer.com APT29
US nuclear weapons agency hacked in Microsoft SharePoint attacks - Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. Dutch cybersecurity firm Eye Security first detected the zero-day ...
5 months ago Bleepingcomputer.com APT29
Microsoft: SharePoint servers also targeted in ransomware attacks - Microsoft Threat Intelligence researchers have also linked the Linen Typhoon and Violet Typhoon Chinese state-backed hacking groups with these attacks on Tuesday, days after Dutch cybersecurity firm Eye Security first detected zero-day attacks ...
5 months ago Bleepingcomputer.com LockBit CVE-2025-49706