GreenboneOS: ToolShell: Patch Bypass Prompts Emergency Alerts for Microsoft SharePoint
Saturday, July 19th, saw a global cybersecurity alert go out as flaws in Microsoft SharePoint Server became the subject of emergency alerts worldwide. Four CVEs are involved and are collectively dubbed "ToolShell"; two, published in early July, already had patches available, but after those patches were bypassed, two new CVEs were issued.
The flaws can allow unauthenticated remote code execution (RCE) at the Windows SYSTEM level. So far, mass exploitation attacks have breached the US Nuclear Weapons Agency and over 400 other organizations including multi-national corporations, healthcare and other government services, financial service providers, and energy critical infrastructure.
Active exploitation was first observed by Eye Security and three CVEs have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and tied to ransomware attacks by Chinese state-sponsored threat actors. Several public proof of concept (PoC) exploit kits are available, while National CERT advisories have been issued from many countries including CERT-EU [4], the Netherlands [5], New Zealand [6], Canada [7], and Germany [8].
The Shadowserver Foundation has observed over 9,000 public facing SharePoint IP addresses globally. OPENVAS SECURITY INTELLIGENCE by Greenbone includes version detection tests [9][10][11][12], a direct active check [13] for all ToolShell CVEs, and an active check for associated indicators of compromise (IoC) [14] in our ENTERPRISE FEED.
A Brief Timeline of ToolShell Events
The ToolShell CVEs in Microsoft SharePoint
When the original "ToolShell" flaws (CVE-2025-49704 and CVE-2025-49706) were first exposed in May 2025, no technical details were published with the hack, but the disclosure led to official patches by mid-July. However, security researchers soon observed attacks bypassing fully patched servers.
Two new vulnerabilities have been published in response (CVE-2025-53770 and CVE-2025-53771). Here are brief details for each ToolShell CVE:
Exploiting ToolShell Allows Unauthenticated RCE on Vulnerable Microsoft SharePoint Servers
Here’s how the attack unfolds: Exploiting ToolShell allows unauthenticated remote code execution (RCE) on vulnerable Microsoft SharePoint Servers. Users must apply the latest patches as soon as possible.
Mitigating ToolShell Attacks Against Microsoft SharePoint
ToolShell affects on-premises editions of Microsoft SharePoint Server 2016, 2019 and Subscription Edition, as well as end-of-life (EOL) editions such as SharePoint Server 2010 and 2013. Users must apply the latest patches as soon as possible.
Mitigating ToolShell Attacks Against Microsoft SharePoint requires users to take several steps:
Enable AMSI with Full Mode and use Microsoft Defender Antivirus to prevent successful attacks.
Defenders should also assume their systems have been compromised and hunt for the IoCs identified in observed campaigns.
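One way to run such a hunt over the web tier's own evidence, as an added example that is not part of the original post and not Greenbone's or Microsoft's code: the Python script below parses IIS W3C extended logs, flags requests to watchlisted paths and POSTs that carry a watchlisted Referer, and diffs a LAYOUTS directory listing against a known-good baseline. The watchlist patterns (EXAMPLE_IOC_PAGE.aspx, EXAMPLE_IOC_REFERER.aspx), the baseline file set and the log lines are constructed placeholders; replace them with the indicators published for the campaign being hunted.

```python
"""Hunt IIS W3C extended logs for ToolShell-style indicators of compromise.

Added example (not Greenbone's, Microsoft's or any vendor's code). The watchlist
entries and the layouts baseline are PLACEHOLDERS to be replaced with the
indicators published for the campaign being hunted; the log lines are
constructed sample data.
"""
import re
from dataclasses import dataclass

# Placeholder watchlist: hypothetical names, not real campaign IoCs.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"/_layouts/\d+/EXAMPLE_IOC_PAGE\.aspx$", re.IGNORECASE),
]
SUSPICIOUS_REFERER_PATTERNS = [
    re.compile(r"/_layouts/\d+/EXAMPLE_IOC_REFERER\.aspx", re.IGNORECASE),
]
# Constructed baseline of files expected in a LAYOUTS directory; anything else
# (for example a dropped web shell) is flagged for review.
LAYOUTS_BASELINE = {"default.aspx", "error.aspx", "signout.aspx"}


@dataclass
class Finding:
    line_no: int
    reason: str
    record: dict


def parse_w3c(lines):
    """Yield (line_no, record) for each data line, keyed by the last #Fields: directive."""
    fields = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def hunt_log(lines):
    """Return findings for watchlisted request paths and POSTs carrying a watchlisted Referer."""
    findings = []
    for line_no, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        method = rec.get("cs-method", "")
        if any(p.search(stem) for p in SUSPICIOUS_PATH_PATTERNS):
            findings.append(Finding(line_no, "request to watchlisted path", rec))
        if method == "POST" and any(p.search(referer) for p in SUSPICIOUS_REFERER_PATTERNS):
            findings.append(Finding(line_no, "POST with watchlisted Referer", rec))
    return findings


def unexpected_layout_files(names):
    """Files present in a LAYOUTS directory listing that are not in the baseline."""
    return sorted(n for n in names if n.lower() not in LAYOUTS_BASELINE)


# Constructed sample log (IIS W3C format); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:03 10.0.0.5 GET /_layouts/15/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/EXAMPLE_IOC_PAGE.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/15/EXAMPLE_IOC_REFERER.aspx 200
2025-07-19 02:14:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 198.51.100.20 Mozilla/5.0 - 200
""".splitlines()

if __name__ == "__main__":
    for f in hunt_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} from {f.record['c-ip']} -> {f.record['cs-uri-stem']}")
    print("unexpected files:", unexpected_layout_files(["default.aspx", "SignOut.aspx", "EXAMPLE_DROPPED.aspx"]))
```

The parser keys each record by the `#Fields:` directive rather than by fixed column positions, because IIS sites are routinely configured with different field sets; a mismatch between the directive and a data line raises instead of silently mis-aligning columns. Point `hunt_log` at the real log files (one line at a time, so multi-gigabyte logs stream) and the directory diff at the actual LAYOUTS path of each installed SharePoint version.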
Risk and Prevention
The ToolShell attack chain puts users at risk of unauthenticated RCE. The attack is an authentication bypass followed by flawed deserialization for RCE.
Although patches for CVE-2025-49704 and CVE-2025-49706 were issued in July 2025, new variants (CVE-2025-53770, CVE-2025-53771) have been discovered and are now being actively exploited globally. Defenders must apply all available updates immediately, remove any persistent malware installed by attackers, rotate machine keys, and verify resilience.
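The reason key rotation belongs on that list, and why patching alone does not end the incident, can be shown with a small model. The Python below is an added example, not Greenbone's, Microsoft's or ASP.NET's code: it mirrors the pattern ASP.NET uses to protect serialized page state, where the server computes an HMAC over the serialized bytes with its machine key and must validate that tag before deserializing anything. An attacker who obtained the key from a compromised server can produce state that passes the check on a fully patched server; rotating the key invalidates everything signed with the old one. Keys, payloads and the JSON state format are constructed for the example.

```python
"""Why machine keys must be rotated after a ToolShell compromise.

Added example, not Greenbone's, Microsoft's or ASP.NET's code. It models in
plain Python the pattern ASP.NET uses to protect serialized page state
(ViewState): the server computes an HMAC over the serialized bytes with its
machine key and validates that MAC before deserializing anything. An attacker
who has obtained the machine key can produce state that passes the MAC check,
so installing the patch does not help until the key is rotated. All keys and
payloads here are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(state: dict, key: bytes) -> str:
    """Serialize state (JSON, not an arbitrary-object format) and append an HMAC tag."""
    body = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def unprotect(token: str, key: bytes) -> dict:
    """Validate the MAC in constant time, and only then deserialize."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        raise ValueError("token too short")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC validation failed")
    return json.loads(body)


def forged_state_accepted(server_key: bytes, attacker_key: bytes) -> bool:
    """True if state signed with attacker_key is accepted by a server using server_key."""
    forged = protect({"payload": "EXAMPLE_FORGED_STATE"}, attacker_key)  # constructed, inert
    try:
        unprotect(forged, server_key)
        return True
    except ValueError:
        return False


def rotate_machine_key() -> bytes:
    """Generate a fresh validation key (64 random bytes)."""
    return secrets.token_bytes(64)


def rotation_demo() -> tuple:
    """(accepted_before_rotation, accepted_after_rotation) for an attacker holding the old key."""
    key = rotate_machine_key()      # key in use when the server was compromised
    stolen = key                    # the attacker now holds a copy of it
    before = forged_state_accepted(key, stolen)
    key = rotate_machine_key()      # the mitigation: rotate the key, then restart the app
    after = forged_state_accepted(key, stolen)
    return before, after


if __name__ == "__main__":
    print("forged state accepted before/after rotation:", rotation_demo())
```

Two details carry over directly to the real product: the MAC must be checked with a constant-time comparison before any deserialization happens, and rotation only helps once every web front end in the farm uses the new key and the application has been restarted, otherwise a server still holding the old key keeps accepting the attacker's forged state.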
OPENVAS SECURITY INTELLIGENCE can swiftly and reliably detect vulnerable instances of Microsoft SharePoint and over 180,000 additional