Toolshell

DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)

4n6 Beat
7 min read

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on-premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public-facing applications, and almost 40% showed ToolShell activity; ransomware dropped to roughly 20% of cases, while post-exploitation phishing sent from compromised internal accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi-actor abuse of the newer SharePoint bugs (CVE-2025-53770, CVE-2025-53771), which are related to the July patch-cycle CVEs (CVE-2025-49704, CVE-2025-49706), and stresses that only on-premises servers are affected, not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE-2025-53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

ToolShell-led SharePoint intrusions in Q3 2025: a practitioner’s playbook for forensics, detection, and rapid eviction

4n6 Beat
7 min read

Cisco Talos Incident Response reports that over 60% of its Q3 2025 engagements began with exploitation of public-facing applications, driven largely by the ToolShell attack chain against on-premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post-compromise phishing launched from valid internal accounts, and it places marked emphasis on network segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed dropping a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing the Velociraptor DFIR agent for persistence (Talos IR Q3 2025).
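The detection angle of both write-ups comes down to a small set of artifacts: requests for the spinstall0.aspx webshell in the SharePoint IIS logs and the file itself under the server's LAYOUTS directory. The script below is an added example for this page, not code from Talos or Microsoft, that parses IIS W3C extended log lines, flags webshell requests, and correlates them per client IP with the exploitation request that precedes the drop. The ToolPane.aspx POST carrying a Referer of /_layouts/SignOut.aspx is taken from Microsoft's public ToolShell guidance, not from this page, and the LAYOUTS path and the log lines are constructed assumptions for the demo.

```python
"""Hunt for ToolShell indicators in IIS W3C logs and on disk (added example).

Not Talos or Microsoft code. Indicators:
  - spinstall0.aspx webshell (named on the page)
  - POST to ToolPane.aspx with a SignOut.aspx Referer (assumption drawn from
    Microsoft's public ToolShell guidance; not from the page)
"""
import re
from pathlib import Path

WEBSHELL_NAMES = {"spinstall0.aspx"}
TOOLPANE_RE = re.compile(r"/_layouts/(15|16)/toolpane\.aspx", re.I)
SIGNOUT_REF_RE = re.compile(r"/_layouts/(15/|16/)?signout\.aspx", re.I)

# Constructed sample log. Row 2-3 are the exploit and the webshell fetch from
# one external IP; row 4 is an admin legitimately opening ToolPane (no hit).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:05 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.corp.local/sites/hr 200 0 0 120
2025-07-19 03:14:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
2025-07-19 03:14:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 45
2025-07-19 03:15:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.1.33 Mozilla/5.0 https://sp.corp.local/sites/hr 200 0 0 80
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # skip truncated or malformed rows
            continue
        yield dict(zip(fields, parts))


def classify(rec):
    """Return the list of indicator names a single request matches."""
    stem = rec.get("cs-uri-stem", "")
    referer = rec.get("cs(Referer)", "-")
    method = rec.get("cs-method", "").upper()
    hits = []
    if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
        hits.append("webshell-request")
    # Only a POST with the SignOut Referer is flagged; a plain authenticated GET
    # to ToolPane is normal admin activity and must not alert.
    if method == "POST" and TOOLPANE_RE.search(stem) and SIGNOUT_REF_RE.search(referer):
        hits.append("toolpane-signout-referer")
    return hits


def hunt(lines):
    """Run classify() over a log and return the matching requests."""
    findings = []
    for rec in parse_w3c(lines):
        hits = classify(rec)
        if hits:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "stem": rec["cs-uri-stem"],
                "status": rec.get("sc-status"),
                "hits": hits,
            })
    return findings


def chain_suspects(findings):
    """Client IPs that show both the exploit request and a webshell request."""
    seen = {}
    for f in findings:
        seen.setdefault(f["client"], set()).update(f["hits"])
    return sorted(ip for ip, h in seen.items()
                  if {"toolpane-signout-referer", "webshell-request"} <= h)


def find_webshell_files(layouts_dirs):
    """Return known webshell names present on disk under the given LAYOUTS dirs.
    Assumed default location (not from the page): ...\\16\\TEMPLATE\\LAYOUTS."""
    return [str(Path(d) / n) for d in layouts_dirs for n in WEBSHELL_NAMES
            if (Path(d) / n).exists()]


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for r in results:
        print(r)
    print("chain suspects:", chain_suspects(results))
    print("on disk:", find_webshell_files([r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"]))
```

Run it against a real `u_ex*.log` by replacing `SAMPLE_LOG.splitlines()` with an open file handle; on a server where `chain_suspects` returns anything, treat the host as compromised and move to the eviction steps rather than just deleting the .aspx file.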