MS.SharePoint.ToolShell.Remote.Code.Execution
Description
This indicates an attempted attack exploiting a vulnerability chain in Microsoft SharePoint, commonly referred to as ToolShell.
ToolShell is a sophisticated exploit chain targeting Microsoft SharePoint Server. It leverages CVE-2025-49706 and CVE-2025-49704, while also bypassing protections associated with CVE-2025-53770 and CVE-2025-53771.
Outbreak Alert
FortiGuard Labs has detected and successfully blocked hundreds of exploitation attempts targeting a newly discovered zero-day vulnerability chain in on-premises Microsoft SharePoint servers. The chain is being actively exploited by multiple threat actors and poses a significant risk to a wide range of sectors, including government, education, healthcare, and large enterprises.
Affected Products
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) |
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2025-08-06 | 33.059 | Modified | Sig Added |
| 2025-07-28 | 33.053 | Modified | Sig Added |
| 2025-07-23 | 33.051 | Modified | Name:MS.SharePoint.Insecure.Deserialization.Remote.Code.Execution:MS.SharePoint.ToolShell.Remote.Code.Execution |
| 2025-07-22 | 33.050 | Modified | Sig Added |
| 2025-07-21 | 33.049 | Modified | Name:MS.SharePoint.CVE-2025-49704.Remote.Code.Execution:MS.SharePoint.Insecure.Deserialization.Remote.Code.Execution |
| 2025-07-21 | 33.048 | Modified | Default_action:pass:drop |
| 2025-07-08 | 33.041 | New | |