
ToolShell: Critical SharePoint Zero-Day Exploited in the Wild

Symantec products already block CVE-2025-53770 exploit attempts.

Update 2025-07-21, 10:40 UTC: Blog has been updated with additional indicators of compromise (IOCs)

Microsoft has partially patched a zero-day vulnerability in SharePoint following reports of its exploitation in the wild. The vulnerability (CVE-2025-53770), dubbed ToolShell, affects on-premises SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems. While the 2019 version of SharePoint Server and SharePoint Server Subscription Edition have been patched, the 2016 version remains unpatched.

In its guidance on the vulnerability, Microsoft said it was “aware of active attacks targeting on-premises SharePoint Server customers”. It provided no further information on which actors were behind these attacks. 

The new zero-day vulnerability is a variant of CVE-2025-49704, which was patched in July 2025.

Protection

Symantec products already block exploitation of this vulnerability with the following network protection: Web Attack: Microsoft SharePoint CVE-2025-49704. 

Related vulnerabilities

A second, related vulnerability (CVE-2025-53771) has also been patched. A path traversal bug, it allows an authorized attacker to perform spoofing over a network. It too is a variant of a recently patched vulnerability (CVE-2025-49706) and the patch includes more robust protections against exploitation of the older flaw.

Mitigation and guidance

In addition to immediately updating to the latest version of SharePoint, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising users to monitor for POSTs to:

/_layouts/15/ToolPane.aspx?DisplayMode=Edit

Users are also advised to conduct scanning for the following IP addresses: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
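As an added example (not Symantec's or CISA's code), the following Python triage script applies the two pieces of guidance above to IIS W3C extended log lines: it flags POSTs to ToolPane.aspx with DisplayMode=Edit and any request from the three listed IPs, noting whether the latter fall inside the July 18-19 window. The field order, the 10.0.0.5 server address, the 192.0.2.10 client and every log line are constructed for illustration.

```python
from datetime import date

# IOC IPs exactly as published in the guidance (defanged); refanged before matching.
DEFANGED_IOC_IPS = ["107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147"]
IOC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IOC_IPS}

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"     # compared case-insensitively
WINDOW = (date(2025, 7, 18), date(2025, 7, 19))  # dates CISA calls out

# Assumed W3C extended field order; real IIS logs declare it in a "#Fields:" directive.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

def parse_line(line):
    """Split one W3C log line into a dict; skip directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry):
    """Return the reasons an entry matches the guidance (empty list if none)."""
    reasons = []
    if (entry["cs-method"].upper() == "POST"
            and entry["cs-uri-stem"].lower() == TOOLPANE_PATH
            and "displaymode=edit" in entry["cs-uri-query"].lower()):
        reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
    if entry["c-ip"] in IOC_IPS:
        in_window = WINDOW[0] <= date.fromisoformat(entry["date"]) <= WINDOW[1]
        reasons.append("IOC source IP" + (" within July 18-19 window" if in_window else ""))
    return reasons

def scan(lines):
    """Return (date, client IP, URI stem, reasons) for every line that matches."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = classify(entry)
        if reasons:
            hits.append((entry["date"], entry["c-ip"], entry["cs-uri-stem"], reasons))
    return hits

# Constructed sample log (not real telemetry): an exploit-pattern POST from an IOC IP,
# a legitimate authenticated GET to the same page, and an IOC IP seen outside the window.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 120
2025-07-18 22:14:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 192.0.2.10 Mozilla/5.0 - 200 0 0 33
2025-07-20 09:00:00 10.0.0.5 GET /sites/hr/default.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 200 0 0 15""".splitlines()
```

Running `scan(SAMPLE_LOG)` returns two hits: the POST from 107.191.58.76 (two reasons) and the out-of-window request from 96.9.125.147; the authenticated GET is not flagged.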


Protection/Mitigation

Network protection

Web Attack: Microsoft SharePoint CVE-2025-49704

For the latest protection updates, please visit the Symantec Protection Bulletin.


Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.

Note: The IP addresses are a mixture of addresses scanning for CVE-2025-53770 and addresses actively exploiting it.


About the Author

Threat Hunter Team

Symantec and Carbon Black

The Threat Hunter Team is a group of security experts within Broadcom whose mission is to investigate targeted attacks, drive enhanced protection in Symantec and Carbon Black products, and offer analysis that helps customers respond to attacks.
