
A new zero-day exploit campaign is actively targeting Microsoft SharePoint Server, raising urgent concerns for enterprises running on-prem environments. Dubbed “ToolShell” by researchers at Ontinue, the attack chain enables unauthenticated remote code execution and has already been observed in the wild. Security teams are being urged to respond quickly, as this campaign shows signs of deliberate targeting and post-compromise persistence.
At the core of the attack is CVE-2025-53770, a critical vulnerability affecting SharePoint Server. This flaw, which received a CVSS score of 9.8, allows attackers to execute arbitrary code without authentication, potentially giving them full control over the system. Microsoft released a patch in early July, but researchers found that threat actors are chaining this flaw with two others – CVE-2025-49704 and CVE-2025-49706 – to bypass available protections. The continued exploitation of patched systems suggests that existing fixes may not be fully effective against evolving attack methods.
The Exploit Chain: How CVE-2025-49704 and CVE-2025-49706 Fit In
The ToolShell campaign relies on a chained exploitation method, beginning with CVE-2025-49704, a code injection vulnerability that allows attackers to manipulate SharePoint's internal processing. This flaw provides the initial foothold, giving adversaries a way to insert malicious logic into otherwise trusted components of the platform.
From there, CVE-2025-49706 is used to escalate access and execute arbitrary code, effectively unlocking full system-level privileges. When combined with the zero-day CVE-2025-53770, these flaws form a powerful sequence: initial access, code injection, and remote control. This chaining approach not only bypasses earlier patch mechanisms but also enables attackers to establish persistence that puts affected systems at long-term risk.
What ToolShell Does: Backdoors and Key Theft
Once attackers gain access through the ToolShell chain, they move quickly to deploy persistent backdoors and extract sensitive data. Ontinue researchers observed the use of stealthy PowerShell scripts to create hidden user accounts and implant remote access tools that survive reboots and system scans. These tactics are designed to give attackers long-term control over compromised environments.
One of the most damaging aspects of the ToolShell campaign is its ability to steal cryptographic keys from SharePoint servers. These keys are often used to encrypt data, sign tokens, or authenticate services. If exfiltrated, they can be reused to impersonate users, decrypt sensitive information, or pivot deeper into an organization’s infrastructure. This makes the key theft not just a localized threat, but a potential gateway to full enterprise compromise.
Microsoft’s Response and the Patch Gap
Microsoft released initial patches for CVE-2025-53770 and its associated flaws as part of its July security update, aiming to block the ToolShell exploit chain. However, attackers quickly adapted, using alternative chaining methods that allowed them to bypass the original fixes.
In response, Microsoft published updated guidance that includes stricter access controls, enhanced audit logging, and recommendations for isolating vulnerable systems. The situation illustrates a persistent gap between patch deployment and real-world exploit activity.
“Software security is a very difficult problem for organizations to solve,” said Thomas Richards, Infrastructure Security Practice Director at BlackDuck. “Large codebases which consist of legacy code increase that challenge as the original software wasn’t written with modern secure code guidance. Introducing a fix can sometimes have other implications if the original vulnerability isn’t fully resolved.”
CISA Mandate: Federal Agencies on High Alert
The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively used in real-world attacks. This designation carries significant weight, as KEV-listed vulnerabilities are prioritized for mandatory remediation across all U.S. federal civilian executive branch systems. In this case, CISA has issued a Binding Operational Directive requiring agencies to patch affected SharePoint servers by July 25, 2025.
Along with the directive, CISA released detailed mitigation guidance and encouraged federal IT teams to review Microsoft’s updated detection rules and logging recommendations. The agency stressed the importance of rapid action due to the active exploitation and potential for lateral movement within federal networks. By placing CVE-2025-53770 on the KEV list, CISA is urging both public and private sector organizations to treat the vulnerability as a top priority.
Why SharePoint Online Is Safe But On-Premises Isn’t
ToolShell does not affect SharePoint Online, which benefits from Microsoft’s centralized security controls and continuous patching. The exploit chain specifically targets on-premises SharePoint Server environments, where organizations are responsible for applying updates and configuring access controls. This distinction has become a recurring theme in recent zero-day campaigns, where attackers prefer to target unpatched or misconfigured self-hosted systems.
The incident reflects a larger challenge for hybrid IT environments. Many enterprises rely on legacy infrastructure that lacks the automation and visibility of cloud platforms. As vulnerabilities like CVE-2025-53770 show, on-premises systems often lag behind in both detection and response. Without robust patch management and segmentation, these environments can quickly become entry points for advanced threat actors looking to establish long-term access.
Urgent Action Steps for Security Teams
Security teams should confirm whether their SharePoint environments are running vulnerable versions and immediately review systems for indicators of compromise. Indicators include unusual PowerShell execution, unexpected DLL files, and outbound connections to known ToolShell infrastructure. Microsoft has issued updated detection signatures and hunting queries to assist defenders.
In addition to patching, organizations should review SharePoint permissions, disable unused features, and remove outdated components. Network segmentation, least privilege enforcement, and application allowlisting can all help reduce exposure. Continuous monitoring and regular patch validation remain essential. As the ToolShell campaign shows, attackers are quick to evolve and will exploit any delays or gaps in remediation.
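The review steps above can be turned into a small hunting pass over endpoint telemetry. The following is an added example, not code from the article, Microsoft or Ontinue: it runs over constructed Sysmon-style process-creation and file-creation events and flags the two behaviours the article names (PowerShell or another shell launched by the IIS worker process that hosts SharePoint, and new web-executable files such as DLLs or ASPX pages written into the SharePoint TEMPLATE\LAYOUTS directory by that worker). The LAYOUTS path fragment and the event field names are assumptions; adjust them to your own install and log source.

```python
import re

IIS_WORKER = "w3wp.exe"                      # SharePoint runs inside IIS worker processes
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed path fragment of the SharePoint web hive; adjust to the local install.
LAYOUTS_DIR = "\\template\\layouts\\"
WEB_EXEC_EXT = (".aspx", ".ashx", ".asmx", ".dll")
ENCODED_PS = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process create,
# id 11 = file create); not real events from any incident.
SAMPLE_EVENTS = [
    {"id": 1, "host": "sp-web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEA"},
    {"id": 1, "host": "sp-web01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-SPFarm"},
    {"id": 11, "host": "sp-web01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\sample.aspx"},
    {"id": 11, "host": "sp-web01", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\patched.dll"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of alert reasons for one event (empty if nothing suspicious)."""
    alerts = []
    if event["id"] == 1:
        parent, image = basename(event.get("parent", "")), basename(event.get("image", ""))
        if parent == IIS_WORKER and image in SHELLS:
            alerts.append("shell spawned by IIS worker process")
        if image in SHELLS and ENCODED_PS.search(event.get("cmdline", "")):
            alerts.append("encoded PowerShell command line")
    elif event["id"] == 11:
        target = event.get("target", "").lower()
        # Patch installers (msiexec) legitimately write here; the worker process should not.
        if (basename(event.get("image", "")) == IIS_WORKER
                and LAYOUTS_DIR in target and target.endswith(WEB_EXEC_EXT)):
            alerts.append("web-executable file written to LAYOUTS by IIS worker")
    return alerts

def hunt(events):
    """Flatten all alerts across a batch of events as (host, event id, reason)."""
    return [(e["host"], e["id"], reason) for e in events for reason in classify(e)]

if __name__ == "__main__":
    for host, eid, reason in hunt(SAMPLE_EVENTS):
        print(f"{host} event {eid}: {reason}")
```

Feed the same rules real Sysmon or EDR process and file events exported from the SharePoint web front ends; an admin running PowerShell from a desktop session and an installer dropping a DLL during patching are deliberately left unflagged so the output stays short enough to triage.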
Industry experts have other recommendations, too. “When running your own services on-premises, ask if they truly need to be exposed to the internet,” said Trey Ford, Chief Information Security Officer at Bugcrowd. “Reducing your attack surface is always wise, so take steps to minimize the number of hosts and services you have available to public or untrusted users.”
Other insiders urge a more aggressive approach. “We need to move from firefighting to proactive security posture management,” said Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint. “Organizations can't afford to wait for vendors to patch vulnerabilities after they've been exploited. They need to implement data minimization strategies, robust lifecycle management, and continuous DSPM to identify and mitigate risks before attackers can exploit them.”
Another Wake-Up Call for On-Prem Environments
The ToolShell campaign illustrates how attackers continue to exploit weaknesses in on-prem infrastructure through chained vulnerabilities and creative workarounds. By combining multiple flaws, threat actors were able to bypass initial patches and achieve full system compromise. It is just another example of how even well-maintained environments can be exposed if gaps persist between updates and enforcement.
For hybrid enterprises, the lesson is clear: legacy systems require more than occasional patching. They demand continuous scrutiny, clear visibility into threat activity, and readiness to adapt as attackers evolve. As cloud platforms adopt stronger baseline protections, on-prem environments will remain attractive targets unless organizations treat them with the same urgency and rigor as cloud-native assets.