What to know about ToolShell, the SharePoint threat under mass exploitation

Microsoft fixed the vulnerability pair—CVE-2025-49706 and CVE-2025-49704—two weeks ago as part of the company’s monthly update release. As the world learned over the weekend, the patches were incomplete, a lapse that opened organizations around the world to the new attacks.

Q: What sorts of malicious things are attackers doing with these newer ToolShell exploits?

A: According to numerous technical analyses, the attackers first infect vulnerable systems with a webshell-based backdoor that gains access to some of the most sensitive parts of a SharePoint Server. From there, the webshell extracts tokens and other credentials that allow the attackers to gain administrative privileges, even when systems are protected by multifactor authentication and single sign-on. Once inside, the attackers exfiltrate sensitive data and deploy additional backdoors that provide persistent access for future use.

For those who want more technical details, the opening volley in the attack is POST Web requests the attackers send to the ToolPane endpoint. The requests look like this:

Akamai

What to know about ToolShell, the SharePoint threat under mass exploitation

Other newsrooms on this story

Related reading

SharePoint vulnerability with 9.8 severity rating under exploit across globe

Hundreds of organizations breached by SharePoint mass-hacks | TechCrunch

New zero-day bug in Microsoft SharePoint under widespread attack | TechCrunch

Risk highlighted as Chinese hackers hit Microsoft

Microsoft patch fell short. New Windows flaw exploited

Windows shell spoofing vulnerability puts sensitive data at risk