Full Report
The ToolShell bugs are being exploited by cybercriminals and APT groups alike, with the US on the receiving end of 13 percent of all attacks
Analysis Summary
# Incident Report: ToolShell SharePoint Zero-Day Exploitation
## Executive Summary
Organizations globally, including those in the US, are being targeted through active exploitation of two zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in on-premises Microsoft SharePoint servers, collectively dubbed "ToolShell." The attacks are being deployed by both cybercriminals and Advanced Persistent Threat (APT) groups, leveraging unpatched systems for initial access. The primary response involves patching and immediate defense measures against these critical vulnerabilities.
## Incident Details
- **Discovery Date:** Prior to July 25, 2025 (Discovery announced by ESET research findings released on this date)
- **Incident Date:** Ongoing exploitation beginning potentially before July 25, 2025
- **Affected Organization:** Organizations worldwide utilizing on-premises Microsoft SharePoint servers
- **Sector:** Unspecified (All sectors utilizing vulnerable SharePoint installations)
- **Geography:** Global; US is the most-targeted country (13.3% of observed attacks)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing (Specific start time unknown, exploitation is active)
- **Vector:** Exploitation of remote code execution vulnerabilities in on-premises Microsoft SharePoint servers (CVE-2025-53770 and CVE-2025-53771).
- **Details:** Attackers are utilizing these zero-days to gain initial footholds on susceptible servers.
### Lateral Movement
- *(Information not detailed in the provided context, but implied as a standard objective for APT/cybercriminal groups once access is achieved.)*
### Data Exfiltration/Impact
- *(Specific impacts like data stolen or operational damage are not detailed, but the intent is implied by the threat actors involved.)*
### Detection & Response
- **How it was discovered:** ESET research team identified widespread exploitation and released findings on July 25, 2025.
- **Response actions taken:** ESET shared findings with the public and emphasized the need for immediate patching.
## Attack Methodology
- **Initial Access:** Exploitation of SharePoint zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771).
- **Persistence:** *(Not detailed in the context.)*
- **Privilege Escalation:** *(Not detailed in the context.)*
- **Defense Evasion:** *(Attacks leverage zero-day exploits, potentially bypassing current signatures.)*
- **Credential Access:** *(Not detailed in the context.)*
- **Discovery:** *(Implied reconnaissance steps following successful exploitation.)*
- **Lateral Movement:** *(Not detailed in the context.)*
- **Collection:** *(Not detailed in the context.)*
- **Exfiltration:** *(Not detailed in the context.)*
- **Impact:** Gain unauthorized access and potential control over compromised SharePoint infrastructure.
## Impact Assessment
- **Financial:** *(Not estimated.)*
- **Data Breach:** *(Type/volume unknown, but hinges on access gained via SharePoint compromise.)*
- **Operational:** Potential disruption to services reliant on vulnerable on-premises SharePoint installations.
- **Reputational:** Risk of damage to organizations found to be running unpatched, vulnerable software.
## Indicators of Compromise
- **Network indicators:** *(None specified/defanged.)*
- **File indicators:** *(None specified.)*
- **Behavioral indicators:** Observation of exploitation attempts targeting CVE-2025-53770 and CVE-2025-53771.
## Response Actions
- **Containment measures:** Immediately isolating or restricting access to vulnerable SharePoint servers until patched.
- **Eradication steps:** Applying vendor-supplied security updates addressing CVE-2025-53770 and CVE-2025-53771.
- **Recovery actions:** System hardening and verification post-patching.
## Lessons Learned
- Exploitation chains utilizing multiple zero-days (ToolShell refers to two CVEs) can rapidly escalate risk across global infrastructure.
- Immediate patching for publicly disclosed critical vulnerabilities, especially those actively exploited by APTs, is paramount.
## Recommendations
- Organizations must immediately review their on-premises Microsoft SharePoint configurations.
- Apply necessary patches/mitigations released by Microsoft for CVE-2025-53770 and CVE-2025-53771 without delay.
- Enhance monitoring on SharePoint servers for unusual activity indicative of remote code execution or post-exploitation actions.