A critical zero-day RCE chain dubbed ToolShell, tracked as CVE-2025-53770 (and accompanying spoof bypass CVE-2025-53771), has been actively exploited against on-premises Microsoft SharePoint servers since mid-July 2025. Organizations running SharePoint Server 2016, 2019, or Subscription Edition must apply Microsoft’s emergency security updates immediately and perform key rotation and forensic assessments to prevent persistent compromise.