July 24, 2025

Cato CTRL™ Threat Brief: “ToolShell” Exploit Targeting Microsoft SharePoint Vulnerabilities 

Dr. Guy Waizel, Roei Kriger


Executive Summary 

On July 22, 2025, Microsoft published an overview of a series of critical vulnerabilities affecting Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771). These vulnerabilities opened a dangerous window for threat actors to gain access to internal resources, execute code remotely, and take over SharePoint deployments. According to Microsoft, it has “observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers.” 

With the SharePoint vulnerabilities, Cato delivers the following protections to customers:  

  • Any exploitation attempts trigger an event and generate an XDR story in Cato XDR. 

While IT teams race to implement updates and minimize potential impact, Cato customers benefit from near-immediate threat coverage from the SharePoint vulnerabilities. 

Technical Overview 

The SharePoint vulnerabilities being actively exploited trace back to a multi-stage exploit chain targeting on-premises deployments. 

Timeline:  

  • May 16, 2025: At Pwn2Own Berlin 2025, Viettel Cyber Security demonstrated a chained attack combining CVE-2025-49704 (remote code execution vulnerability) and CVE-2025-49706 (network spoofing vulnerability). Together, these flaws enabled RCE and laid the foundation for what would become a widely exploited technique. 
  • July 9, 2025: Microsoft released initial patches for both CVEs as part of their Patch Tuesday rollout, aiming to block the original exploit chain. 
  • July 14, 2025: Cybersecurity firm CODE WHITE reproduced the exploit, which they referred to as “ToolShell,” validating that the chain could still be leveraged. ToolShell refers to SharePoint’s /ToolPane.aspx (CVE-2025-49704).  
  • July 18, 2025: The first confirmed in-the-wild attacks were identified by Eye Security. Threat actors had developed bypass variants that sidestepped the July 9 patches and began exploiting vulnerable SharePoint servers.   
  • July 19, 2025: A second wave of attacks occurred, according to Eye Security.  
  • July 19, 2025: Microsoft issued an advisory summarizing two additional CVEs for the modified exploit path: CVE-2025-53770 (patch bypass for CVE-2025-49704) and CVE-2025-53771 (patch bypass for CVE-2025-49706).  
  • July 21, 2025: Microsoft released emergency security updates for SharePoint Server Subscription Edition and SharePoint Server 2019 to fully mitigate the updated attack chain. 

The Threat Landscape: ToolShell in Action 

ToolShell is a chained exploit targeting Microsoft SharePoint Server, first disclosed in May 2025. It enables unauthenticated RCE by combining multiple server-side flaws, without requiring credentials or user interaction. The attack begins by bypassing authentication through CVE-2025-53771, where manipulated HTTP headers make malicious requests appear legitimate. This allows threat actors to exploit CVE-2025-53770 and deploy a web shell for persistent access. Once established, the web shell is used to extract cryptographic keys from the server. With these keys, threat actors can create signed payloads that SharePoint accepts as trusted, enabling continued and stealthy code execution even after the original vulnerabilities are patched. The result is a highly effective and difficult-to-detect attack chain. 
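One way a defender can hunt for the unauthenticated ToolPane.aspx requests described above in IIS W3C logs. This is an added example, not Cato's code; it assumes the default IIS W3C field set, and the log lines are constructed for illustration.

```python
# Added example (not from the original brief): flag POST requests to SharePoint's
# ToolPane.aspx that carry no authenticated identity yet were not rejected.
from dataclasses import dataclass

# Default IIS W3C extended field order, used when a log has no #Fields: header.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()

# Constructed sample log: one normal authenticated page view, one anonymous POST to
# ToolPane.aspx that the server accepted, one authenticated admin POST, and one
# anonymous POST that was correctly rejected with 401.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 340
2025-07-18 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 spadmin 10.0.0.12 Mozilla/5.0 - 200 0 0 210
2025-07-18 10:04:02 10.0.0.5 POST /_layouts/15/toolpane.aspx - 443 - 203.0.113.9 curl/8.0 - 401 2 5 15
"""

@dataclass
class Hit:
    time: str
    client_ip: str
    path: str
    status: int

def parse_w3c(text):
    """Yield one dict per log record, honouring #Fields: directives."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def toolshell_hits(text):
    """Return anonymous POSTs to ToolPane.aspx that the server did not reject (<400)."""
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith("/toolpane.aspx"):
            continue
        status = int(rec["sc-status"])
        # cs-username "-" means no authenticated identity; a 401/403 means auth held.
        if rec["cs-method"] == "POST" and rec["cs-username"] == "-" and status < 400:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-uri-stem"], status))
    # Because the chain ends with key theft, a confirmed hit calls for rotating the
    # server's ASP.NET machine keys in addition to patching.
    return hits
```

Running `toolshell_hits(SAMPLE_LOG)` on the constructed log returns only the accepted anonymous POST from 203.0.113.9.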

Conclusion 

This rapid evolution from proof-of-concept (PoC) to active exploitation for the Microsoft SharePoint vulnerabilities underscores how quickly threat actors can pivot and adapt, even after patches are issued. 

The frequency of high-severity CVEs continues to rise. With active attacks already in progress, relying solely on a reactive security approach is no longer sufficient.  


Protections 

The Cato SASE Cloud Platform offers a significant advantage in defending against rapidly evolving threats. Unlike traditional perimeter-based security, which depends on patching and policy updates at each site or server, Cato delivers global protection through its Single Pass Cloud Engine (SPACE), the core security engine of the Cato platform. Whether you operate from a single location or manage multiple on-premises SharePoint servers across regions, the Cato SASE Cloud Platform protects your entire organization immediately, without the need to modify local infrastructure. 

With the SharePoint vulnerabilities, Cato delivers the following protections to customers:  

  • Any exploitation attempts trigger an event and generate an XDR story in Cato XDR.  

This proactive approach ensures consistent protection across all customer environments, reducing the risk posed by unpatched systems or exposure from remote and unmanaged sites. Cato automatically blocks exploitation attempts by inspecting and enforcing policies across all traffic in real time. 

We are actively monitoring developments related to the SharePoint vulnerabilities and any emerging threats. Our customers can trust that they are protected today and prepared for the vulnerabilities of tomorrow. 


Dr. Guy Waizel

Tech Evangelist

Dr. Guy Waizel is a Tech Evangelist at Cato Networks and a member of Cato CTRL. As part of his role, Guy collaborates closely with Cato's researchers, developers, and tech teams to bridge and evangelize tech by researching, writing, presenting, and sharing key insights, innovations, and solutions with the broader tech and cybersecurity community. Prior to joining Cato in 2025, Guy led and evangelized security efforts at Commvault, advising CISOs and CIOs on the company’s entire security portfolio. Guy also worked at TrapX Security (acquired by Commvault) in various hands-on and leadership roles, including support, incident response, forensic investigations, and product development. Guy has more than 25 years of experience spanning across cybersecurity, IT, and AI, and has held key roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Guy holds a PhD with magna cum laude honors from Alexandru Ioan Cuza University, his research thesis focused on the intersection of marketing strategies, cloud adoption, cybersecurity, and AI; an MBA from Netanya Academic College; a B.Sc. in technology management from Holon Institute of Technology; and multiple cybersecurity certifications.


Roei Kriger

Security Engineer

Roei Kriger is a security engineer at Cato Networks and member of Cato CTRL. He analyzes, researches, and develops protections against emerging threats and CVEs. Roei brings more than 3 years of experience in cybersecurity threat protection. Prior to joining Cato in 2023, Roei worked at IBM Trusteer as a cyber software developer. Roei holds a Bachelor of Science in Information Systems from Haifa University.
