*Updated July 24, 2025 with latest findings from Check Point Research*
Key findings:
- A critical zero-day vulnerability (CVE-2025-53770 ) in SharePoint on-prem is actively being exploited in the wild.
- Dubbed “ToolShell,” the campaign enables unauthorized access to on-prem SharePoint servers, posing a serious risk to corporate environments
- Check Point Research identified the first signs of the exploitation on July 7th.
- On July 21, Check Point Research confirmed dozens of compromised servers across government, telecommunications, and software sectors in North America and Western Europe.
- Update: On July 24, Check Point Research found wide exploitation of the CVE, with more than 4600 compromise attempts on over 300 organizations, worldwide
- Alarmingly, we see that the attackers also leverage known Ivanti EPMM vulnerabilities throughout the campaign.
A critical zero-day SharePoint remote code execution (RCE) vulnerability, tracked as CVE-2025-53770 and nicknamed “ToolShell,” is currently under active exploitation. This vulnerability affects on-premise Microsoft SharePoint servers, allowing unauthenticated attackers to gain full access and execute arbitrary code remotely. Despite public guidance from Microsoft and an alert from CISA, a full security patch is not yet available.
Concerned about your SharePoint security or want to learn more about how Check Point can protect your organization?
Talk to an expert
What did Check Point Research find?
Check Point Research found that the first exploitation attempts were observed on July 7th. The target of the attack is a major Western government. The attacks only intensified on July 18th and 19th, using infrastructure tied to the following IP addresses:
- 104.238.159.149
- 107.191.58.76
- 96.9.125.147
One of these IPs was also associated with exploitation attempts against a related Ivanti EPMM vulnerability chain (CVE-2025-4427 and CVE-2025-4428). These vulnerabilities have had a patch available since May 13, and encourage any customers who haven’t patched to do so.
The attack vector involves a custom webshell that parses parameters from VIEWSTATE payloads, enabling insecure deserialization attacks. Initial targeted sectors included:
- Government
- Software
- Telecommunications
Source: Check Point Research
July 24, 2025 update: Targeted sectors have spread beyond the initial ones, to now include
- Financial Services
- Business Services
- Consumer Goods
Source: Check Point Research
The primary geographies impacted are North America and Western Europe, especially organizations running on-prem SharePoint environments.
Source: Check Point Research
July 24, 2025 update: targeted countries have grown
Source: Check Point Research
What does it mean for defenders and corporations?
This exploitation campaign reinforces the critical need to monitor and defend legacy and on-premise infrastructure. Threat actors are rapidly leveraging unpatched SharePoint vulnerabilities and chaining exploits like CVE-2025-53770 with older flaws such as CVE-2025-49706 to gain initial access and escalate privileges.
This is yet another case of zero day SharePoint exploitation being used in targeted attacks against sectors that manage sensitive data and critical systems.
Recommendations for Defenders
To reduce risk from CVE-2025-53770 and related threats:
- Ensure that your Anti-Malware Scan Interface is enabled.
- Rotate SharePoint Server ASP.NET machine keys.
- Deploy Harmony Endpoint to block post-exploit activities on the server.
- If applicable, limit access to the SharePoint Server from the Internet using Private Access tools.
- Update Quantum Gateway IPS Package 635254838 and ensure that the protection is set to Prevent and inspect the traffic of your SharePoint servers.
- Review these resources at CheckMates: Inside the SharePoint Zero-Day (CVE-2025-53770): What It Means and How to Stay Protected
Concerned about your SharePoint security or want to learn more about how Check Point can protect your organization?
Talk to an expert