by AKANI CHAUKE
JOHANNESBURG – CYBERSECURITY firm Kaspersky has revealed the recent wave of ToolShell vulnerabilities targeting Microsoft SharePoint stems from an incomplete patch issued five years ago.
According to Kaspersky’s Global Research and Analysis Team (GReAT), the vulnerabilities now tracked as CVE-2025-53770 and CVE-2025-53771 are rooted in a flaw originally addressed under CVE-2020-1147.
Kaspersky Principal Security Researcher Boris Larin said attackers exploited this gap extensively in 2025, affecting organizations across the government, finance, manufacturing, forestry, and agriculture sectors worldwide.
Using data from the Kaspersky Security Network, the company confirmed exploitation attempts in countries including Egypt, Jordan, Russia, Vietnam, and Zambia.
Fortunately, Kaspersky’s systems proactively detected and blocked the attacks before the vulnerabilities were publicly disclosed.
GReAT researchers found striking similarities between the new ToolShell exploit and the 2020 vulnerability, concluding that the recent patch issued on July 8 finally closes the loophole.
However, earlier fixes — CVE-2025-49704 and CVE-2025-49706 — were easily bypassed by adding a simple forward slash to the payload.
“Many high-profile vulnerabilities remain actively exploited years after discovery,” said Larin.
“We expect ToolShell to follow the same pattern due to its simplicity and effectiveness.”
Larin warns that a public exploit for ToolShell will likely appear soon in widely used penetration testing tools, potentially extending its lifespan in the threat landscape for years.
Kaspersky urges all organizations using Microsoft SharePoint to immediately apply the latest patches. The company also recommends deploying advanced cybersecurity solutions like Kaspersky Next, which features Behavior Detection technology capable of identifying and blocking zero-day exploits.
– CAJ News