Critical SharePoint RCE Vulnerability CVE-2025-53770 Actively Exploited, Over 50 Organizations Compromised

A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-53770, is being actively exploited in on-premises Microsoft SharePoint Server environments worldwide. The Dutch cybersecurity firm Eye Security first identified large-scale exploitation of this flaw on July 18, 2025, prompting urgent warnings from Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA). This vulnerability allows unauthenticated attackers to gain full control over affected systems, posing a significant threat to organizations.

Tracked as "ToolShell," CVE-2025-53770 is a variant of previously disclosed vulnerabilities, CVE-2025-49706 and CVE-2025-49704. It stems from the deserialization of untrusted data, enabling threat actors to execute arbitrary code over a network without requiring authentication. The exploit chain behind "ToolShell" was initially demonstrated at the Pwn2Own Berlin hacking contest in May 2025, highlighting its sophisticated nature.

Successful exploitation of CVE-2025-53770 grants attackers comprehensive access to SharePoint content, including file systems and internal configurations. This allows for the exfiltration of sensitive data, deployment of persistent backdoors, and theft of cryptographic keys. The vulnerability specifically impacts on-premises versions of SharePoint Server 2016, 2019, and Subscription Edition; Microsoft's cloud-based SharePoint Online service is not affected. Reports indicate over 54 organizations have already been compromised.

Microsoft has acknowledged the active attacks and released customer guidance, advising immediate action. While some patches were included in the July 2025 security update cycle, a full patch for CVE-2025-53770 may still be under development for certain versions, such as SharePoint 2016. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, urging all organizations to apply available security updates, restrict external access, search for malicious webshells, review IIS logs, and deploy endpoint detection and response (EDR) solutions.
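One concrete form of the "review IIS logs" step above, as an added example that is not part of the original article and not Microsoft's or Eye Security's own tooling: a small parser for the W3C extended log format that IIS writes, with a heuristic that flags anonymous, successful POST requests to pages under the SharePoint `/_layouts/` path from addresses outside the organization's own networks. The sample log lines are constructed, `PLACEHOLDER_PAGE.aspx` stands in for whatever endpoint a given advisory names (this page names none), and the `INTERNAL_NETS` list is an assumption about the deployment; the rule is a triage heuristic for analyst review, not a signature for CVE-2025-53770.

```python
"""Triage IIS W3C logs from an on-premises SharePoint server for suspicious
POST requests to /_layouts/ pages. Heuristic review aid, not a signature."""
import ipaddress
from collections import Counter

# Assumption: the organization's own address space. Adjust per deployment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log (not real traffic). PLACEHOLDER_PAGE.aspx stands in
# for an endpoint named by an advisory; this page does not name one.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 09:13:44 10.0.0.5 POST /_layouts/15/PLACEHOLDER_PAGE.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 310
2025-07-18 09:13:45 10.0.0.5 POST /_layouts/15/PLACEHOLDER_PAGE.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 298
2025-07-18 09:14:02 10.0.0.5 POST /_layouts/15/upload.aspx - 443 DOMAIN\\bob 10.0.1.31 Mozilla/5.0 - 200 0 0 150
2025-07-18 09:15:10 10.0.0.5 POST /_layouts/15/other.aspx - 443 - 198.51.100.9 curl/8.0 - 401 1 0 5
"""


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def is_external(ip_text):
    """True when the client address is outside INTERNAL_NETS (or unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_layout_posts(text):
    """Return log entries that are anonymous (cs-username '-'), successful
    (sc-status 200) POSTs to a /_layouts/ .aspx page from an external client."""
    hits = []
    for entry in parse_iis_log(text):
        stem = entry.get("cs-uri-stem", "").lower()
        if (entry.get("cs-method") == "POST"
                and stem.startswith("/_layouts/")
                and stem.endswith(".aspx")
                and entry.get("sc-status") == "200"
                and entry.get("cs-username", "-") == "-"
                and is_external(entry.get("c-ip", ""))):
            hits.append(entry)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client address for analyst follow-up."""
    return Counter(entry["c-ip"] for entry in hits)


if __name__ == "__main__":
    flagged = suspicious_layout_posts(SAMPLE_LOG)
    for ip, count in summarize_by_client(flagged).most_common():
        print(f"{ip}: {count} anonymous POST(s) to /_layouts/ pages")
    for entry in flagged:
        print(entry["date"], entry["time"], entry["c-ip"], entry["cs-uri-stem"],
              entry["cs(User-Agent)"])
```

Against a real server, feed it the files under the IIS log directory instead of `SAMPLE_LOG`; authenticated requests, non-200 responses and internal clients are deliberately excluded so the output stays short enough to review by hand, which also means the rule will miss activity that does not match those three conditions.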

Eye Security, a cybersecurity and insurtech firm founded by former Dutch intelligence services experts, played a crucial role in bringing this active exploitation to light. Their detailed analysis and technical reporting, widely recommended by cybersecurity professionals, provided critical insights into the "ToolShell" attack chain and actionable mitigation steps. The firm specializes in providing enterprise-level cybersecurity products and incident response services to mid-market businesses across Europe.