Confusion over whether ToolShell attacks chain CVE-2025-53770 and CVE-2025-53771
Details continue to emerge on the zero-day attacks targeting Microsoft SharePoint servers, but some confusion remains over which vulnerabilities have been exploited.
Microsoft and Eye Security warned over the weekend that SharePoint servers had been targeted in zero-day attacks. No patches had been available when news of the exploitation came to light.
Widespread attacks started on July 18, days after researchers demonstrated how two recently patched vulnerabilities, CVE-2025-49706 and CVE-2025-49704, could be chained for unauthenticated remote code execution on SharePoint Server instances as part of an exploit chain they named ToolShell.
It appears that threat actors have bypassed Microsoft’s patches and started exploiting the vulnerabilities in the wild. In response, the tech giant assigned two new CVEs: CVE-2025-53770, which is a variation of CVE-2025-49704, and CVE-2025-53771, a variation of CVE-2025-49706.
Microsoft has since patched CVE-2025-53770 and CVE-2025-53771 in each of the impacted versions of SharePoint Server, including SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016. Only on-premises installations are vulnerable to attacks.
Initial reports indicated that CVE-2025-53770 had been exploited in the attacks, but then the cybersecurity industry suggested that the vulnerability may have been chained with CVE-2025-53771 (or possibly CVE-2025-49706).
SentinelOne on Monday reported seeing the first ToolShell attacks on July 17, before Microsoft and Eye Security issued their warnings. This was the first of three distinct activity clusters observed by the security firm.
The first attacks seen by SentinelOne were aimed at carefully selected targets, specifically organizations that appeared to have strategic value or elevated access. Victims were seen in sectors such as critical infrastructure, manufacturing, tech consulting, and professional services.
The second and third activity clusters, seen by the company after news of ToolShell attacks broke, were opportunistic and likely not related to the first wave of attacks. SentinelOne has already seen state-sponsored actors conducting reconnaissance and early-stage exploitation activities.
“We expect broader exploitation attempts to accelerate, driven by both state-linked and financially motivated actors seeking to capitalize on unpatched systems,” the security firm warned.
When news of the attacks broke, the non-profit cybersecurity organization Shadowserver reported seeing over 9,000 internet-exposed instances of SharePoint, a majority in North America and Europe. It's unclear how many of them had been vulnerable, but CrowdStrike reported seeing hundreds of servers being attacked between July 18 and July 21.
The Washington Post learned from several sources that the attacks targeted SharePoint servers housed by energy companies, universities, an Asian telecoms company, as well as government agencies in the United States and Europe.
SentinelOne has not attributed the attacks to any threat groups, citing ongoing research, but The Washington Post learned from sources in the government and private sectors that the early ToolShell attacks appear to have been conducted by unnamed China-linked threat actors.
On Tuesday morning, Microsoft confirmed that Chinese state-sponsored threat actors tracked as Linen Typhoon and Violet Typhoon have been exploiting the zero-days, with attack attempts seen as early as July 7.
Confusion over chaining of CVE-2025-53770 and CVE-2025-53771
There is still a lot of confusion over whether CVE-2025-53770 has been chained with CVE-2025-53771 (or CVE-2025-49706) in these attacks.
Microsoft’s advisories for CVE-2025-53771 and CVE-2025-49706 list both vulnerabilities as not exploited and the tech giant has refused to share any clarifications when contacted by SecurityWeek.
The public blog posts of several cybersecurity companies indicated that the flaws have been chained, but when contacted by SecurityWeek, Eye Security and others said they could not independently confirm that CVE-2025-53770 has been chained with CVE-2025-53771.
At the time of writing, blog posts from Trend Micro, Palo Alto Networks, CrowdStrike and SentinelOne suggest or state that both vulnerabilities have been exploited in the wild. We have reached out to each of them for clarifications and will update this article if they respond.
Google’s Threat Intelligence Group, which was among the first to see widespread exploitation, has not responded to SecurityWeek’s request for clarifications on the matter.
Security firm WatchTowr told SecurityWeek after this article was published, “The exploitation attempts we have seen chain both the CVE-2025-53771 Referer header spoofing vulnerability to bypass authentication, and the CVE-2025-53770 deserialization vulnerability together, to be able to fully compromise the system.”
Additional details on ToolShell vulnerabilities, exploitation, and mitigations
CVE-2025-53770 has been described as a critical deserialization issue that can be exploited by an unauthenticated attacker to execute code over the network. CVE-2025-53771 is a medium-severity path traversal flaw that allows an authenticated attacker to perform spoofing.
CVE-2025-53770 and CVE-2025-53771 can be chained using a specially crafted request to access the ToolPane functionality in SharePoint (used for website configuration and management), and ultimately to execute arbitrary code.
In the attacks seen in the wild, threat actors planted a webshell and exfiltrated cryptographic secrets that enabled them to gain full access to compromised systems.
Palo Alto Networks said, “Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys”.
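The access pattern described above (a request that reaches the ToolPane page without authenticating, followed by a planted webshell) leaves a trace in IIS logs that an on-premises SharePoint administrator can check for. The scanner below is an added example written for this article, not tooling from Microsoft or any of the vendors quoted. The log lines are constructed, the baseline set of legitimate /_layouts/ pages is an assumption, and the two heuristics are the author's rather than published indicators: because the article says the Referer header is spoofed but not what value is used, the scanner records the Referer for the analyst instead of matching on a specific string.

```python
"""Scan IIS W3C logs from an on-premises SharePoint server for the access
pattern this article describes: an unauthenticated request that reaches
the ToolPane page, followed by requests from the same client to an .aspx
page under /_layouts/ that is not part of the known baseline (a possible
planted webshell).

Added example for this article; not tooling from Microsoft or any vendor
quoted here. The log lines are constructed, the baseline page set is an
assumption, and the heuristics are the author's, not published indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample. Client 10.0.0.5 is a normal editor: IIS logs the first
# leg of the Windows-auth handshake with cs-username "-" and a 401 before the
# authenticated 200, which is why the heuristic requires a 2xx status.
# Client 203.0.113.7 gets a 200 from ToolPane without ever authenticating.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status
2025-07-18 10:02:11 GET /_layouts/15/start.aspx - CONTOSO\\jdoe 10.0.0.5 - 200
2025-07-18 10:02:14 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 10.0.0.5 https://sp.contoso.local/SitePages/Home.aspx 401
2025-07-18 10:02:15 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit CONTOSO\\jdoe 10.0.0.5 https://sp.contoso.local/SitePages/Home.aspx 200
2025-07-18 10:07:42 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.7 https://sp.contoso.local/_layouts/15/start.aspx 200
2025-07-18 10:07:45 GET /_layouts/15/notes.aspx - - 203.0.113.7 - 200
2025-07-18 10:08:01 GET /_layouts/15/start.aspx - CONTOSO\\asmith 10.0.0.9 - 200
"""

# Assumed baseline of legitimate /_layouts/ pages, lower-cased. In practice
# build this from a clean server's file listing, not from the logs themselves.
KNOWN_LAYOUT_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/toolpane.aspx"}

TOOLPANE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
LAYOUTS_ASPX = re.compile(r"^/_layouts/.*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "toolpane_unauth_post" or "possible_webshell"
    client: str    # c-ip
    when: str      # "date time"
    detail: str


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request, taking the
    column names from the #Fields directive IIS writes at the top of the file."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rows.append(dict(zip(fields, values)))
    return rows


def scan(rows: list[dict[str, str]], known_pages: set[str]) -> list[Finding]:
    """Two-stage heuristic over chronologically ordered rows."""
    findings: list[Finding] = []
    flagged_clients: set[str] = set()
    for r in rows:
        stem = r.get("cs-uri-stem", "")
        client = r.get("c-ip", "?")
        when = f"{r.get('date', '')} {r.get('time', '')}"
        status = r.get("sc-status", "")
        # Stage 1: ToolPane served a POST (2xx) to a client IIS never authenticated.
        if (r.get("cs-method") == "POST" and TOOLPANE.search(stem)
                and r.get("cs-username", "-") == "-" and status.startswith("2")):
            flagged_clients.add(client)
            findings.append(Finding("toolpane_unauth_post", client, when,
                                    f"status={status} referer={r.get('cs(Referer)', '-')}"))
        # Stage 2: the same client then hits a /_layouts/ .aspx page outside the baseline.
        elif (client in flagged_clients and LAYOUTS_ASPX.match(stem)
                and stem.lower() not in known_pages):
            findings.append(Finding("possible_webshell", client, when, stem))
    return findings


if __name__ == "__main__":
    for f in scan(parse_w3c(SAMPLE_LOG), KNOWN_LAYOUT_PAGES):
        print(f"{f.when} {f.client} {f.kind}: {f.detail}")
```

Run against real logs, the stage-1 rule alone will surface the anonymous 401 challenge of every Windows-authenticated editor unless the 2xx filter is kept; the stage-2 rule is only as good as the baseline it is given, so build that baseline from a known-clean server rather than from the logs being searched.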
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog and instructed government organizations to immediately address it. The agency has also issued an alert for the vulnerability.
Organizations that cannot immediately apply the available patches are advised to enable the Antimalware Scan Interface (AMSI) integration in SharePoint and set it to ‘Full Mode’.
Because the cryptographic keys targeted in these attacks may already be compromised by the time updates or mitigations are deployed, Microsoft recommends rotating them after patches or mitigations are applied.
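The rotation advice matters because of how the stolen secret is used. ASP.NET protects __VIEWSTATE with a MAC derived from the machineKey validationKey, so an attacker who has read that key can produce a field the server accepts as authentic; patching the deserialization path does nothing against a payload whose MAC is valid, and only a new key invalidates what was forged. The model below is an added example for this article, not Microsoft code, and it generalizes from the article's statement that stolen keys gave full access: it is deliberately simplified (real ViewState uses .NET's own serialization and SP800-108 key derivation from the validationKey; here the payload is an opaque byte string and the MAC is a plain HMAC-SHA256 over it).

```python
"""Why patching alone is not enough once the machine key has been read.

Added example for this article, not Microsoft code. Simplified model of
ASP.NET ViewState MAC protection: the payload is an opaque byte string and
the MAC is a plain HMAC-SHA256 keyed with the validationKey. Real ViewState
uses .NET's own serialization and SP800-108 key derivation from the key.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mac_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Return base64(payload || HMAC-SHA256(validation_key, payload)), the shape
    a MAC-protected __VIEWSTATE field takes in this model."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify_viewstate(field: str, validation_key: bytes) -> bytes | None:
    """Server side: return the payload only if the MAC checks out under the
    server's current key; otherwise None (ASP.NET would raise a ViewState
    validation error and never hand the bytes to the deserializer)."""
    try:
        raw = base64.b64decode(field, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def rotation_scenario() -> dict[str, bool]:
    """Key leaked -> attacker forges -> patched server on the old key still
    accepts the forgery -> rotation rejects it while legitimate state works."""
    leaked_key = secrets.token_bytes(64)                 # what the webshell exfiltrated
    attacker_payload = b"<constructed placeholder, not a real gadget chain>"
    forged = mac_viewstate(attacker_payload, leaked_key)

    # Server patched but still running on the leaked key: the MAC passes, so the
    # payload reaches the deserializer exactly as a legitimate one would.
    accepted_before_rotation = verify_viewstate(forged, leaked_key) == attacker_payload

    # Server rotates to a fresh validationKey: the same forgery fails the MAC.
    new_key = secrets.token_bytes(64)
    accepted_after_rotation = verify_viewstate(forged, new_key) is not None

    # ViewState issued under the new key still round-trips.
    legit = mac_viewstate(b"legitimate page state", new_key)
    legit_ok = verify_viewstate(legit, new_key) == b"legitimate page state"

    return {
        "forgery_accepted_before_rotation": accepted_before_rotation,
        "forgery_accepted_after_rotation": accepted_after_rotation,
        "legitimate_state_ok_after_rotation": legit_ok,
    }


if __name__ == "__main__":
    for name, value in rotation_scenario().items():
        print(f"{name}: {value}")
```

The order the article gives is the one that matters in this model too: rotate after the patch or AMSI mitigation is in place, because a key rotated on a still-exploitable server can simply be read again.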
*updated with comments from WatchTowr and attribution information from Microsoft
Related: Exploited CrushFTP Zero-Day Provides Admin Access to Servers
Related: Fortinet FortiWeb Flaw Exploited in the Wild After PoC Publication
Related: CitrixBleed 2: 100 Organizations Hacked, Thousands of Instances Still Vulnerable

