SharePoint 0-Day RCE Flaw Actively Exploited for Full Server Takeover
A devastating new SharePoint vulnerability is being actively exploited in large-scale attacks worldwide, enabling attackers to gain complete control of on-premise servers without authentication.
Security researchers at Eye Security discovered the ongoing campaign on July 18, 2025, revealing a sophisticated exploit chain dubbed “ToolShell” that leverages previously demonstrated Pwn2Own vulnerabilities to achieve remote code execution.
Widespread Exploitation Campaign
The vulnerability, officially designated CVE-2025-53770 by Microsoft, represents a variant of two security flaws (CVE-2025-49706 and CVE-2025-49704) that were initially demonstrated at Pwn2Own Berlin in May 2025.
| Attribute | Details |
| --- | --- |
| CVE Identifier | CVE-2025-53770 |
| Related CVEs | CVE-2025-49706, CVE-2025-49704 |
| Vulnerability Type | Remote Code Execution (RCE) Chain |
| CVSS Score | Not yet assigned |
| Affected Systems | SharePoint On-Premise Servers |
Eye Security’s analysis of over 8,000 SharePoint servers worldwide revealed dozens of compromised systems, with attack waves occurring around 18:00 UTC on July 18 and 07:30 UTC on July 19.
The exploitation timeline suggests attackers ...
Copyright of this story solely belongs to gbhackers.