About Remote Code Execution – Microsoft SharePoint “ToolShell” (CVE-2025-49704) vulnerability. This vulnerability is from the Microsoft’s July Patch Tuesday. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. Deserialization of untrusted data in the DataSetSurrogateSelector class leads to remote code execution in the context of the SharePoint web server process. Exploitation requires authentication, obtainable for example via CVE-2025-49706 (“ToolShell” chain).
🔬 The “ToolShell” chain was demonstrated by the Viettel Cyber Security team at Pwn2Own Berlin, May 15–17, 2025 (prize $100,000).
👾 Signs of exploitation in the wild have been observed since July 7. The vulnerability was added to CISA KEV on July 22.
🛠 Public exploits available on GitHub since July 21.
➡️ Later “ToolShell” vulnerabilities: CVE-2025-53770 and CVE-2025-53771.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.