Inside the ToolShell campaign

Intel Name: Inside the ToolShell campaign

Date of Scan: July 31, 2025

Impact: High

Summary:
We are currently monitoring several threat actors actively targeting on-premises Microsoft SharePoint servers. These attacks utilize a newly uncovered exploit chain referred to as “ToolShell.” The attackers are combining two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two newly discovered zero-day variants (CVE-2025-53770 and CVE-2025-53771) to enable remote code execution. While the known attack involving “spinstall0.aspx” remains a reference point, in-the-wild exploitation is rapidly increasing. This blog post explores real-world incidents stemming from this ongoing wave of intrusions.
