Web Application Security090502410 - MS.SharePoint.Insecure.Deserialization.Remote.Code.Execution
Description
This indicates an attempted attack exploiting a vulnerability chain in Microsoft SharePoint, commonly referred to as ToolShell.
ToolShell is a sophisticated exploit chain targeting Microsoft SharePoint Server. It leverages CVE-2025-49706 and CVE-2025-49704, while also bypassing protections associated with CVE-2025-53770 and CVE-2025-53771.
Outbreak Alert
FortiGuard Labs has detected and successfully blocked hundreds of exploitation attempts targeting a newly discovered zero-day vulnerability chain in on-premises Microsoft SharePoint servers. This active campaign is being exploited by multiple threat actors and poses a significant risk to a wide range of sectors including government, education, healthcare, and large enterprises.
Affected Products
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2025-07-23 | 0.00407 |
New
|
| ID | 1090502410 |
| Created | Jul 23, 2025 |
| Updated | Jul 23, 2025 |
| CVE ID | |
| Tags | Microsoft SharePoint Zero-day Threat Signal |
| Risk |
|
| Default Action | pass |
| Active | |
| Affected OS | Windows |
| Affected App | Other |
| Engine Version | 5.0.0 or later |