ToolShell: An all-you-can-eat buffet for threat actors
A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaining these with previously patched vulnerabilities to bypass authentication and deploy webshells. The attacks have been observed globally, with the US being the most targeted country. Various threat actors, including China-aligned APT groups, have been exploiting ToolShell. A backdoor associated with LuckyMouse was detected on a compromised machine in Vietnam. The ongoing attacks are expected to continue, targeting high-value government organizations and other vulnerable systems.
Pulse ID: 689b1b3eccb7ac11fb95c4d1
Pulse Link: https://otx.alienvault.com/pulse/689b1b3eccb7ac11fb95c4d1
Pulse Author: AlienVault
Created: 2025-08-12 10:45:18
Be advised, this data is unverified and should be considered preliminary. Always do further verification.