RAPID7 LABS THREAT REPORT
CVE-2025-53770: ToolShell exploitation
The September 2025 threat report provides an in-depth look at the active exploitation of Microsoft SharePoint Server vulnerability CVE-2025-53770. This critical cluster of flaws, known as ToolShell, gives threat actors remote code execution (RCE) capabilities, which they’re leveraging against organizations still running on-prem SharePoint.
Download the report now to learn about the severe business risks tied to this exploitation and to dive deeper into findings that include:
- Over 400 confirmed compromises / more than 8,000 servers exposed
- Exploitation chain included authentication bypass, unsafe deserialization, and persistent webshell access
- A persistent backdoor was installed, enabling ongoing command execution and remote-server interaction
- Strong links to China-nexus activity were discovered – consistent with prior cyber espionage campaigns