Inside The Toolshell Campaign
Fortinet, Friday, July 25th, 2025
FortiGuard Labs is currently tracking multiple threat actors targeting on-premises Microsoft SharePoint servers. This attack leverages a newly identified exploit chain dubbed "ToolShell."
Threat actors are combining two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two fresh, zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. Given the escalating threat, CISA has already added these CVEs to its catalog of Known Exploited Vulnerabilities, and FortiGuard Labs has issued a detailed Threat Signal. Except for the known attack using 'spinstall0.aspx', exploitation in the wild is accelerating, and this blog post will delve into real-world incidents from this ongoing wave of attacks.