New “ToolShell” Exploit Targets SharePoint Servers for Full Takeover


FortiGuard Labs has identified a critical new exploit chain dubbed “ToolShell” that is actively being used by multiple threat actors to target on-premises Microsoft SharePoint servers.

This sophisticated attack combines two previously patched vulnerabilities with two fresh zero-day variants to achieve complete remote code execution and system takeover.

| CVE Number | Status | Description |
|---|---|---|
| CVE-2025-49704 | Previously Patched | SharePoint vulnerability used in exploit chain |
| CVE-2025-49706 | Previously Patched | SharePoint vulnerability used in exploit chain |
| CVE-2025-53770 | Zero-Day | New SharePoint vulnerability for remote code execution |
| CVE-2025-53771 | Zero-Day | New SharePoint vulnerability for remote code execution |

The Cybersecurity and Infrastructure Security Agency (CISA) has already added these CVEs to its catalog of Known Exploited Vulnerabilities due to the escalating threat level and active exploitation in the wild.

The ToolShell campaign represents a significant escalation in SharePoint-targeted attacks, leveraging a combination of four distinct vulnerabilities to bypass security measures and establish persistent access to enterprise servers.

“spinstall0.aspx” exploitation ...
Copyright of this story solely belongs to gbhackers.