What is the ToolShell exploit?
A newly discovered exploit, “ToolShell,” is fueling a wave of targeted attacks against on-premises Microsoft SharePoint servers.
The zero-day exploit chains two vulnerabilities: CVE-2025-53770, a remote code execution (RCE) vulnerability, and CVE-2025-53771, a spoofing vulnerability that allows attackers to bypass authentication. Combined, the two give attackers persistent, unauthenticated remote access to on-premises SharePoint servers. According to Microsoft, this exploit does not impact SharePoint Online in Microsoft 365.
Microsoft holds two-thirds of the global market share in the business productivity space, and the impact of this breach is quickly spreading across industries and government agencies. Organizations frequently assume their SharePoint data is safe because it resides within the corporate network perimeter. This often leads to weaker identity practices, making SharePoint a softer target for attackers to gain internal access. Compounding the risk, SharePoint is deeply integrated with other Microsoft products like Teams, OneDrive, and Outlook—so once compromised, it can serve as a launch point for lateral movement across the broader environment.
How the ToolShell exploit was discovered
The research team at Eye Security first discovered this active exploit on July 18. The newly detected vulnerabilities were variants of two vulnerabilities that Microsoft had patched earlier in the month. Attackers count on the delay between the release of a patch and its deployment, which gives them a window of opportunity to continue exploiting a vulnerability even after it has been publicly disclosed.
In a blog post, Eye Security warned, “This is not a theoretical risk. Attackers are already leveraging this vulnerability to deploy backdoors and steal sensitive data from SharePoint servers. The potential consequences extend beyond SharePoint, as these servers often connect to core business systems such as email and file storage.”
This discovery marked the beginning of a rapidly evolving threat campaign that requires immediate attention from Microsoft and its customers.
Within two days of Eye Security reporting its discovery, Microsoft published customer guidance and released security updates to block exposure to these attacks. Microsoft recommended applying the latest security updates to all supported versions of SharePoint Server to prevent new threat actors from exploiting this vulnerability. It also advised several additional remediation steps, including manually rotating ASP.NET machine keys, to reduce risk in environments that may already have been compromised.
Remediation steps: Contain, recover and strengthen
The aftermath of a breach requires close collaboration between Microsoft, impacted customers, and partners like CyberArk that can seamlessly integrate with Microsoft environments to deliver additional security services on top of Microsoft applications.
If this attack could have affected your environment, first and foremost, apply the latest Microsoft security updates.
To effectively respond, organizations should take a phased approach to address immediate threats, restore control, and build long-term resilience:
- Contain the damage: The first priority is gaining visibility into the full spectrum of identities interacting with the environment: their permissions, activities, and potential exposure. This step also involves implementing controls to block lateral movement and prevent attackers from compromising additional enterprise systems.
- Recover control: The next step is to close backdoors and prevent attackers from regaining access. Assume that all the credentials in the exposed environment have been compromised, rotate or update all credentials, and eliminate any standing credentials that may have been left behind.
- Strengthen defenses: Finally, organizations should implement longer-term measures to reduce the risk of future attacks. These include preventive controls and containment strategies designed to limit the impact of similar attacks in the future.
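One way to script the ASP.NET machine key rotation that Microsoft's guidance calls for (the "rotate or update all credentials" step above), as an added example that is not from the original post or from CyberArk: it assumes an elevated SharePoint Management Shell on a farm server, that the security update is already installed, and that the Update-SPMachineKey cmdlet is available on your SharePoint Server version.

```powershell
# Added example (not from the original post): regenerate the ASP.NET machine
# key for every SharePoint web application, then restart IIS so that the
# worker processes stop accepting anything signed with the old key.
# Assumptions: elevated SharePoint Management Shell, security update already
# applied, Update-SPMachineKey available on this SharePoint Server version.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Keep a timestamped record of what was rotated for the incident file.
$log = Join-Path $env:TEMP ("machinekey-rotation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

foreach ($webApp in Get-SPWebApplication) {
    try {
        # Regenerates this web application's machine key. Any ViewState or
        # tokens signed with the previous key become invalid, which is the point.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        "$(Get-Date -Format o) ROTATED $($webApp.Url)" | Tee-Object -FilePath $log -Append
    }
    catch {
        # Do not stop on one failure; every remaining web application still needs rotating.
        "$(Get-Date -Format o) FAILED  $($webApp.Url): $($_.Exception.Message)" | Tee-Object -FilePath $log -Append
    }
}

# The new key is only used once the application pools restart.
# Run this on every SharePoint server in the farm, not just the one you are on.
& iisreset.exe /noforce
"$(Get-Date -Format o) IIS restarted on $env:COMPUTERNAME" | Tee-Object -FilePath $log -Append
Write-Host "Rotation log written to $log"
```

Treat any FAILED line in the log as unfinished containment for that web application, and remember that key rotation does not remove an attacker's other footholds; it only invalidates what the stolen key could sign.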
How CyberArk can help mitigate ToolShell
If you are already a CyberArk customer, reach out to your professional services or sales teams and talk to them about how you can utilize CyberArk solutions to help with:
- Discovery, visibility, and context reporting
- Session management and session recording
- Rotating and updating credentials for human and machine identities
- Eliminating standing access
- Blocking unauthorized lateral movement
- Phishing-resistant MFA
And once this crisis is behind you, reach out to us to talk about the CyberArk Blueprint program and how we can work with your team on a plan for a stronger security posture.
Marina Kvitnitsky is a senior product manager at CyberArk.