Kaspersky’s Global Research and Analysis Team (GReAT) has revealed that recent ToolShell attacks exploiting Microsoft SharePoint vulnerabilities stem from an incomplete fix for CVE-2020-1147, a flaw first identified five years ago. The recycled vulnerability has led to a surge in cyberattacks globally, with attempted breaches detected in countries such as Egypt, Russia, Vietnam, and Zambia. Targeted sectors include government, finance, and agriculture.
Vulnerability patch found incomplete
According to Kaspersky, the current exploit chain takes advantage of CVE-2025-53770, and the fix for it ultimately addresses the same underlying issue that the 2020 patch attempted to resolve. The cybersecurity firm discovered alarming similarities between the original CVE-2020-1147 exploit and the latest ToolShell attack vector. The revelation suggests that attackers have been able to bypass older mitigations simply by adding a forward slash to payloads, indicating a fundamental oversight in the initial fix.
Ongoing risks despite new patches
Microsoft responded with comprehensive updates on July 8, 2025, after active exploitation was confirmed. These new patches, issued for CVE-2025-53770 and CVE-2025-53771, close the loophole that allowed attackers to sidestep prior protections. However, the gap between the discovery and the release of these updates left a window during which multiple SharePoint servers were compromised.
Despite the patches now being available, Kaspersky warns that this vulnerability chain is likely to persist in attack kits for years, much like older flaws such as ProxyLogon and EternalBlue. The ease of exploitation and the wide adoption of SharePoint globally make this an enduring threat.
Long-term implications for enterprise security
Security researchers expect ToolShell exploits to be embedded in penetration testing frameworks and widely used by malicious actors going forward. The incident underlines the need for organisations to continuously monitor patch effectiveness and conduct regular vulnerability assessments, especially for widely deployed collaboration platforms like SharePoint.
