Sharepoint 'Toolshell' Vulnerabilities Being Exploited In The Wild
Sophos, Monday, July 21st, 2025
Sophos X-Ops sees exploitation across multiple customer estates
On July 18, 2025, Sophos MDR (Managed Detection and Response) analysts observed an influx of malicious activity targeting on-premises SharePoint instances, including malicious PowerShell commands executed across multiple estates. Additional analysis determined these events are likely the result of active, malicious deployment of an exploit leveraging 'ToolShell.'
We will update this page as events and understanding develop, including our threat and detection guidance.