What to know about ToolShell, the SharePoint threat under mass exploitation

In the past four days, both government agencies and private sector organizations have found themselves in a precarious situation due to a severe vulnerability in SharePoint, Microsoft’s popular document-sharing platform. The revelation of this critical flaw has led to significant attacks that are challenging to monitor as they unfold. So, what exactly is SharePoint? This server software, in use since 2001, serves as a vital tool for companies to store, manage, and share internal documents, primarily within their intranets. According to Microsoft, the platform boasts around 200 million users as of 2020, and by last year, over 400,000 organizations had adopted it, with approximately 80% classified as Fortune 500 companies. The vulnerability itself, officially designated as CVE-2025-53770, allows for unauthenticated remote code execution on SharePoint servers. This flaw is particularly alarming, rated at a severity of 9.8 out of 10, due to its potential for significant damage. It permits attackers, who have no system rights, to execute malicious code remotely. The first signs of exploitation were identified by Eye Security, which reported that the flaw had been actively targeted in two distinct waves, starting just a day before its discovery. The firm later updated its estimates, indicating that around 400 systems globally had been compromised, including networks associated with the US National Nuclear Security Administration.