Attention all security professionals!
A critical zero-day SharePoint remote code execution (RCE) vulnerability, tracked as CVE-2025-53770 and nicknamed "ToolShell," is currently under active exploitation. It affects on-premises Microsoft SharePoint servers and allows unauthenticated attackers to gain full access and execute arbitrary code remotely. Despite public guidance from Microsoft and an alert from CISA, no full security patch was available at the time of writing.
Key findings:
- A critical zero-day vulnerability (CVE-2025-53770) in on-prem SharePoint is actively being exploited in the wild.
- Dubbed "ToolShell," the campaign enables unauthorized access to on-prem SharePoint servers, posing a serious risk to corporate environments.
- Check Point Research identified the first signs of the exploitation on July 7th.
- Since then, we’ve confirmed dozens of compromise attempts across government, telecommunications, and software sectors in North America and Western Europe.
- Alarmingly, the attackers also leverage known Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities throughout the campaign.
What did Check Point Research find?
Check Point Research first observed exploitation attempts on July 7th, directed at a major Western government. The attacks intensified on July 18th and 19th, using infrastructure tied to the following IP addresses:
- 104.238.159.149
- 107.191.58.76
- 96.9.125.147
One of these IPs was also associated with exploitation attempts against the Ivanti EPMM vulnerability chain (CVE-2025-4427 and CVE-2025-4428).
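The three IP addresses above are the indicators a defender can check for immediately. The script below is an added example, not Check Point's own tooling: it parses IIS W3C extended logs (the format on-prem SharePoint front ends write by default), re-reads the `#Fields:` header wherever it appears so column order is never assumed, skips truncated lines instead of misaligning fields, and reports every request whose client IP matches the list. The log lines embedded in it are constructed for illustration; the paths, user agents and timestamps in them are invented and are not indicators from the post.

```python
"""Hunt IIS W3C extended logs for the ToolShell IOC IPs listed in the post.

Added example, not Check Point Research tooling. SAMPLE_LOG is constructed;
only the three IP addresses in IOC_IPS come from the post.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Iterator, List

# Indicators from the post: infrastructure tied to the July 18-19 attacks.
IOC_IPS = frozenset({"104.238.159.149", "107.191.58.76", "96.9.125.147"})

# Constructed sample log. Field order is defined by the #Fields: header; IIS
# replaces spaces inside values (e.g. the user agent) with '+', so splitting
# on single spaces is safe. The last line is deliberately truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-07 03:14:00 10.0.0.5 GET /_layouts/15/sample.aspx - 443 - 104.238.159.149 curl/8.1 401
2025-07-18 09:12:41 10.0.0.5 POST /_layouts/15/sample.aspx - 443 - 107.191.58.76 Mozilla/5.0+(compatible) 200
2025-07-18 09:12:43 10.0.0.5 GET /sites/team/default.aspx - 443 CORP\\jdoe 10.0.12.7 Mozilla/5.0 200
2025-07-19 22:05:10 10.0.0.5 POST /_layouts/15/sample.aspx id=42 443 - 96.9.125.147 python-requests/2.31 302
2025-07-19 22:05:12 10.0.0.5 GET /_layouts/15/sample2.aspx - 443 - 96.9.125.147 python-requests/2.31 200
2025-07-19 22:05:13 10.0.0.5 GET
"""


@dataclass(frozen=True)
class Hit:
    when: datetime
    client_ip: str
    method: str
    uri: str
    status: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header.

    IIS can emit a fresh #Fields header mid-file (after a logging config
    change), so the header is re-read every time it appears.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if not fields:
            raise ValueError("log entry seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign
        yield dict(zip(fields, values))


def find_ioc_hits(lines: Iterable[str], ioc_ips=IOC_IPS) -> List[Hit]:
    """Return every request whose client IP (c-ip) is in the IOC set."""
    hits: List[Hit] = []
    for entry in parse_w3c(lines):
        if entry.get("c-ip") not in ioc_ips:
            continue
        query = entry.get("cs-uri-query", "-")
        uri = entry["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        hits.append(Hit(
            when=datetime.strptime(f"{entry['date']} {entry['time']}",
                                   "%Y-%m-%d %H:%M:%S"),
            client_ip=entry["c-ip"],
            method=entry["cs-method"],
            uri=uri,
            status=entry["sc-status"],
        ))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Request count per IOC IP, for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


def first_seen(hits: List[Hit]) -> Dict[str, datetime]:
    """Earliest timestamp per IOC IP, to scope the investigation window."""
    seen: Dict[str, datetime] = {}
    for h in hits:
        if h.client_ip not in seen or h.when < seen[h.client_ip]:
            seen[h.client_ip] = h.when
    return seen


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.when:%Y-%m-%d %H:%M:%S} {h.client_ip} {h.method} {h.uri} -> {h.status}")
    print(summarize(found))
```

Point `find_ioc_hits` at the real files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*` instead of `SAMPLE_LOG`. Two caveats: if the SharePoint farm sits behind a load balancer or reverse proxy, `c-ip` is the proxy's address and the true client only appears in an `X-Forwarded-For` header, which IIS logs only if that custom field was enabled; and an empty hit list means no traffic from these three addresses was logged, not that the server is uncompromised, since the list reflects one observed campaign.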
The attack chain uses a custom webshell that parses attacker-controlled parameters out of ASP.NET VIEWSTATE payloads, abusing insecure deserialization. Targeted sectors include:
- Government
- Software
- Telecommunications
More details are in the Check Point Research blog post on the matter.