
Multiple Hacker Groups Exploit SharePoint 0-Day Vulnerability in the Wild


Microsoft has confirmed that a pair of zero-day vulnerabilities in on-premises SharePoint Server, collectively dubbed ToolShell, are under active exploitation by diverse threat actors ranging from opportunistic cybercriminals to sophisticated nation-state advanced persistent threat (APT) groups.

ToolShell encompasses CVE-2025-53770, a critical remote code execution (RCE) flaw allowing unauthenticated attackers to execute arbitrary code on vulnerable servers, and CVE-2025-53771, a server spoofing vulnerability that facilitates bypassing authentication mechanisms like multi-factor authentication (MFA) and single sign-on (SSO).

These issues exclusively impact supported versions of SharePoint Server 2016, 2019, and Subscription Edition, leaving SharePoint Online in Microsoft 365 unaffected.

Overview of the ToolShell Vulnerabilities

Exploitation began with attackers chaining ToolShell with previously patched vulnerabilities, including CVE-2025-49704 and CVE-2025-49706, to achieve initial access and deploy persistent webshells.

This chain enables threat actors to infiltrate restricted systems, extract sensitive data, and potentially pivot across integrated Microsoft services such as Office, Teams, OneDrive, and Outlook, amplifying ...


Copyright of this story solely belongs to gbhackers.