Official Published Documentation
Vendor List
Microsoft
Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
CISA
CISA Adds One Known Exploited Vulnerability, CVE-2025-53770 “ToolShell,” to Catalog https://www.cisa.gov/news-events/alerts/2025/07/20/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-catalog
SentinelOne
SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/
Qualys
ToolShell Zero-day: Microsoft Rushes Emergency Patch for Actively Exploited SharePoint Vulnerabilities https://blog.qualys.com/vulnerabilities-threat-research/2025/07/21/toolshell-zero-day-microsoft-rushes-emergency-patch-for-actively-exploited-sharepoint-vulnerabilities
Arctic Wolf
CVE-2025-53770: Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises https://arcticwolf.com/resources/blog/cve-2025-53770/
Varonis
ToolShell: A SharePoint RCE chain actively exploited https://www.varonis.com/blog/toolshell-sharepoint-rce
Cisco Talos
ToolShell: Details of CVEs affecting SharePoint servers https://blog.talosintelligence.com/toolshell-affecting-sharepoint-servers/
Symantec
ToolShell: Critical SharePoint Zero-Day Exploited in the Wild https://www.security.com/threat-intelligence/toolshell-zero-day-sharepoint-cve-2025-53770
Sophos
SharePoint ‘ToolShell’ vulnerabilities being exploited in the wild https://news.sophos.com/en-us/2025/07/21/sharepoint-toolshell-vulnerabilities-being-exploited-in-the-wild/
CyberArk
Responding to ToolShell: A Microsoft SharePoint zero-day vulnerability https://www.cyberark.com/resources/blog/responding-to-toolshell-a-microsoft-sharepoint-zero-day-vulnerability
Cloudflare
Cloudflare protects against critical SharePoint vulnerability, CVE-2025-53770 https://blog.cloudflare.com/cloudflare-protects-against-critical-sharepoint-vulnerability-cve-2025-53770/
Affected Versions
| Product | Security Update link |
|---|---|
| Microsoft SharePoint Server Subscription Edition | Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center |
| Microsoft SharePoint Server 2019 | Download Security Update for Microsoft SharePoint 2019 (KB5002754) from Official Microsoft Download Center; Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753) |
| Microsoft SharePoint Server 2016 | Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760); Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759) |
CVEs
- CVE-2025-49706
- CVE-2025-53770
IOCs to hunt for
*Depending on your environment, payloads may need to be matched either as exact strings or with a '{keyword} contains' query.*

| Indicator type | Value |
|---|---|
| Activity from IP(s) between July 18-19, 2025 | 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147 |
| POST Request | /_layouts/15/ToolPane.aspx?DisplayMode=Edit |
| Folder Path | microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS |
| Folder Path | microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS |
| File Name | spinstall0 |
| Initiating Process File Name | w3wp.exe |
| Base64 Encoded CLI Arguments | Base64: c3BpbnN0YWxsMA== Plaintext: spinstall0 |
| Base64 Encoded CLI Arguments | Base64: QzpcUFJPR1JBfjFcQ09NTU9OfjFcTUlDUk9TfjFcV0VCU0VSfjFcMTVcVEVNUExBVEVcTEFZT1VUUw== Plaintext: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS |
| Base64 Encoded CLI Arguments | Base64: QzpcUFJPR1JBfjFcQ09NTU9OfjFcTUlDUk9TfjFcV0VCU0VSfjFcMTZcVEVNUExBVEVcTEFZT1VUUw== Plaintext: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS |