Intel Name: ToolShell unleashed: decoding the SharePoint attack chain
Date of Scan: September 5, 2025
Impact: High
Summary: A surge in active exploitation is targeting newly revealed vulnerabilities in Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771). Known collectively as ToolShell, these flaws affect self-hosted versions of SharePoint Server 2016, 2019, and the Subscription Edition, allowing unauthenticated remote code execution and security bypasses. While SharePoint Online (part of Microsoft 365) is not impacted, self-managed SharePoint instances—particularly in sectors like government, healthcare, education, and enterprise—face significant risk. The threat level increased after proof-of-concept (PoC) exploits were publicly released, quickly followed by real-world attacks.