About Remote Code Execution – Microsoft SharePoint “ToolShell” (CVE-2025-49704) vulnerability_AVLEONOV:22CEEC8D500265AF898E23D054125ECF...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

![About Remote Code Execution - Microsoft SharePoint ToolShell $CVE-2025-49704$ vulnerability](https://avleonov.com/wp-content/uploads/2025/11/photo_877@13-11-2025_16-56-56.jpg)

**About Remote Code Execution - Microsoft SharePoint "ToolShell" (CVE-2025-49704) vulnerability.** This vulnerability is from the Microsoft's July Patch Tuesday. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. Deserialization of untrusted data in the DataSetSurrogateSelector class leads to remote code execution in the context of the SharePoint web server process. Exploitation requires authentication, obtainable for example via CVE-2025-49706 ("ToolShell" chain).

![🔬](https://s.w.org/images/core/emoji/16.0.1/72x72/1f52c.png) The "ToolShell" chain was demonstrated by the Viettel Cyber Security team at Pwn2Own Berlin, May 15–17, 2025 (prize $100,000).

![👾](https://s.w.org/images/core/emoji/16.0.1/72x72/1f47e.png) Signs of exploitation in the wild have been observed since July 7. The vulnerability was added to CISA KEV on July 22.

![🛠](https://s.w.org/images/core/emoji/16.0.1/72x72/1f6e0.png) Public exploits available on GitHub since July 21.

![➡](https://s.w.org/images/core/emoji/16.0.1/72x72/27a1.png) Later "ToolShell" vulnerabilities: CVE-2025-53770 and CVE-2025-53771.

На русском

Visit Original Source

Basic Information

ID AVLEONOV:22CEEC8D500265AF898E23D054125ECF

Published Nov 13, 2025 at 13:56

{
    "lastseen": "2025-11-15T02:05:07",
    "description": "![About Remote Code Execution - Microsoft SharePoint ToolShell \\(CVE-2025-49704\\) vulnerability](https://avleonov.com/wp-content/uploads/2025/11/photo_877@13-11-2025_16-56-56.jpg)\n\n**About Remote Code Execution - Microsoft SharePoint \"ToolShell\" (CVE-2025-49704) vulnerability.** This vulnerability is from the Microsoft's July Patch Tuesday. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work. Deserialization of untrusted data in the DataSetSurrogateSelector class leads to remote code execution in the context of the SharePoint web server process. Exploitation requires authentication, obtainable for example via CVE-2025-49706 (\"ToolShell\" chain).\n\n![\ud83d\udd2c](https://s.w.org/images/core/emoji/16.0.1/72x72/1f52c.png) The \"ToolShell\" chain was demonstrated by the Viettel Cyber Security team at Pwn2Own Berlin, May 15\u201317, 2025 (prize $100,000).\n\n![\ud83d\udc7e](https://s.w.org/images/core/emoji/16.0.1/72x72/1f47e.png) Signs of exploitation in the wild have been observed since July 7. The vulnerability was added to CISA KEV on July 22.\n\n![\ud83d\udee0](https://s.w.org/images/core/emoji/16.0.1/72x72/1f6e0.png) Public exploits available on GitHub since July 21.\n\n![\u27a1](https://s.w.org/images/core/emoji/16.0.1/72x72/27a1.png) Later \"ToolShell\" vulnerabilities: CVE-2025-53770 and CVE-2025-53771.\n\n\u041d\u0430 \u0440\u0443\u0441\u0441\u043a\u043e\u043c",
    "published": "2025-11-13T13:56:56",
    "modified": "2025-11-13T13:56:56",
    "type": "avleonov",
    "title": "About Remote Code Execution \u2013 Microsoft SharePoint \u201cToolShell\u201d (CVE-2025-49704) vulnerability",
    "source": "",
    "references": "",
    "id": "AVLEONOV:22CEEC8D500265AF898E23D054125ECF",
    "bulletinFamily": "blog",
    "cwe": null,
    "cvelist": [
        "CVE-2025-49704",
        "CVE-2025-49706",
        "CVE-2025-53770",
        "CVE-2025-53771"
    ],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://avleonov.com/2025/11/13/1605-about-remote-code-execution-microsoft-sharepoint/",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply