Threat Research

    A surge in active exploitation is targeting newly disclosed vulnerabilities in Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771)....
    Detects the exploitation of SharePoint servers through ToolShell CVE-2025-53770. The previous related CVEs are CVE-2025-49706 and CVE-2025-49704. CVE-2025-53770 introduces a new and stealthy webshell, known as SharpyShell, which extracts and leaks cryptographic secrets from the SharePoint server via a basic GET request....
    Tracks ToolShell exploitation activity targeting SharePoint servers, including updated IOCs linked to CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Observed threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603....
    "Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks" details the connection between a threat activity cluster tracked as CL-CRI-1040 and recent exploitation of SharePoint vulnerabilities. This cluster deploys a toolset named Project AK47, which includes a backdoor, ransomware, and loaders....
    We are currently monitoring several threat actors actively targeting on-premises Microsoft SharePoint servers. These attacks utilize a newly uncovered exploit chain referred to as "ToolShell."...
    Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770, a zero-day remote code execution vulnerability in SharePoint....
    CVE-2025-53770 and CVE-2025-53771 affect on-premises Microsoft SharePoint Servers, enabling malicious file uploads and cryptographic key theft. They evolved from earlier flaws (CVE-2025-49704 and CVE-2025-49706) whose incomplete patches left systems exposed to unauthenticated RCE via deserialization and ViewState abuse....
    Detects potential exploitation of CVE-2025-53770 by monitoring for indicators like suspicious command-line activity observed during post-exploitation stages. CVE-2025-53770 is a zero-day vulnerability in SharePoint that enables remote code execution....
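    The three detection summaries above (the SharpyShell webshell read via a plain GET, the drop of spinstall0.aspx, and suspicious post-exploitation command lines) can be checked with the same small triage routine. The following is an added example written for this page, not code from any of the linked research. It runs over constructed Sysmon-style and IIS W3C log records embedded in the block; the SharePoint TEMPLATE\LAYOUTS directory, the spinstall<digit>.aspx name pattern, and the w3wp.exe -> cmd.exe/powershell.exe parent-child pattern with an encoded command are assumptions drawn from public reporting rather than from the page itself, so tune them against your own telemetry.

```python
"""Triage constructed SharePoint telemetry for ToolShell-style indicators (added example)."""
import base64
import re

# Assumption: the webshell is dropped under the SharePoint hive's TEMPLATE\LAYOUTS
# directory and is served from /_layouts/. spinstall0.aspx is named on the page;
# allowing a numeric suffix is an assumption to catch sibling names.
WEBSHELL_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)
LAYOUTS_RE = re.compile(r"\\TEMPLATE\\LAYOUTS\\|/_layouts/", re.IGNORECASE)
# PowerShell accepts abbreviated forms of -EncodedCommand; longest alternative first.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry). IIS lines follow the default W3C
# field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
               r"\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"type": "iis", "line": "2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - "
                            "443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 12"},
    {"type": "iis", "line": "2025-07-19 03:12:50 10.0.0.5 GET /_layouts/15/start.aspx - "
                            "443 - 10.0.0.7 Mozilla/5.0 - 200 0 0 30"},
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -EncodedCommand "
                + base64.b64encode("whoami".encode("utf-16-le")).decode()},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def basename(path):
    """Last component of a Windows path or URL path."""
    return re.split(r"[\\/]", path)[-1]


def check_file_create(ev):
    """Webshell name written under the LAYOUTS directory (the spinstall0.aspx indicator)."""
    if WEBSHELL_RE.match(basename(ev["target"])) and LAYOUTS_RE.search(ev["target"]):
        return f"webshell dropped: {ev['target']} by {ev['image']}"
    return None


def check_iis(ev):
    """Plain GET to the webshell: the page describes this as the secret-leak request."""
    f = ev["line"].split()
    method, uri, client, status = f[3], f[4], f[8], f[11]
    if WEBSHELL_RE.match(basename(uri)) and LAYOUTS_RE.search(uri):
        return f"webshell request: {method} {uri} from {client} (status {status})"
    return None


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent/malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev):
    """IIS worker spawning a shell is the post-exploitation command-line indicator (assumption)."""
    parent, child = basename(ev["parent"]).lower(), basename(ev["image"]).lower()
    if parent != "w3wp.exe" or child not in SHELLS:
        return None
    decoded = decode_encoded_command(ev["cmdline"])
    suffix = f" (decoded: {decoded!r})" if decoded else ""
    return f"w3wp.exe spawned {child}: {ev['cmdline']}{suffix}"


CHECKS = {"file_create": check_file_create, "iis": check_iis, "process_create": check_process}


def triage(events):
    """Run the matching check for each event and collect the findings in order."""
    findings = []
    for ev in events:
        hit = CHECKS[ev["type"]](ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The three checks are deliberately independent so that any one of them firing is enough to start an incident: a 200 on the GET to the webshell path is the event that matters most, because the page describes that request as the point at which the server's cryptographic secrets leave the box, and a subsequent ViewState forgery will not look like exploitation at all.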
    "Havoc: SharePoint With Microsoft Graph API Turns Into FUD C2" describes threat actors using the open-source Havoc command-and-control (C2) framework, available on GitHub, to gain full control over a target....