About Remote Code Execution - Microsoft SharePoint "ToolShell" (CVE-2025-49704) vulnerability. This vulnerability is from the Microsoft's July Patch Tuesday. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. Deserialization of untrusted data in the DataSetSurrogateSelector class leads to remote code execution in the context of the SharePoint web server process. Exploitation requires authentication, obtainable for example via CVE-2025-49706 ("ToolShell" chain).
🔬 The "ToolShell" chain was demonstrated by the Viettel Cyber Security team at Pwn2Own Berlin, May 15–17, 2025 (prize $100,000).
👾 Signs of exploitation in the wild have been observed since July 7. The vulnerability was added to CISA KEV on July 22.
🛠 Public exploits available on GitHub since July 21.
➡️ Later "ToolShell" vulnerabilities: CVE-2025-53770 and CVE-2025-53771.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю подписаться на мой канал @avleonovrus "Управление Уязвимостями и прочее" в MAX или в Telegram.
Pingback: About Remote Code Execution – Microsoft SharePoint Server “ToolShell” (CVE-2025-53770) vulnerability | Alexander V. Leonov