Understand The Sharepoint RCE: Exploitations, Detections, And Mitigations
Akamai Technologies, Tuesday, July 22nd, 2025
On July 19, 2025, Microsoft disclosed CVE-2025-53770, a critical vulnerability in the ToolPane.aspx component of on-premises Microsoft SharePoint Servers. This vulnerability can allow an unauthenticated attacker to achieve unauthenticated remote code execution (RCE) through improper filtering of HTTP request headers.
On July 19, 2025, an RCE vulnerability - dubbed ToolShell after the component in which the flaw lies - in on-prem instances of Microsoft SharePoint Server was made known (CVE-2025-53770, CVSS 9.8). The root cause is a combination of two bugs: an authentication bypass (CVE-2025-49706) and an insecure deserialization vulnerability (CVE-2025-49704). There have already been reports of ToolShell being exploited in the wild.
The vulnerability in the widely used collaboration platform was swiftly addressed by Microsoft and is fixed in the server versions 2016, 2019, and SharePoint Server Subscription Edition.