Sophos MDR Security Alert
Announcement Date: July 18, 2025
On July 18, 2025, Sophos’ Managed Detection and Response (MDR) team detected a significant wave of malicious activities targeting on-premises Microsoft SharePoint environments. These activities involved the deployment of harmful PowerShell commands across numerous systems, indicating a coordinated exploit effort leveraging a newly identified toolset referred to as ‘Tool Shell.’
Initial Findings
Initial investigations traced the earliest known activity back to July 17, 2025.
Tool Shell comprises a chained exploitation of two critical SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, first demonstrated during the Pwn2Own cybersecurity event in Berlin in May 2025. Microsoft addressed both vulnerabilities in their July Patch Tuesday updates.
Zero-Day Exploits
What makes this situation particularly urgent is the emergence of two new vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are currently being exploited in the wild as part of an active zero-day attack campaign.
This means threat actors are not only taking advantage of previously known flaws but are also exploiting fresh weaknesses for which protections may not yet be fully deployed across affected infrastructures.
Impact & Recommendations
Sophos MDR has reached out to all identified victims of these attacks. Given the active nature of the exploit and the confirmed use of a zero-day, organizations using on-premises SharePoint servers are strongly advised to apply Microsoft’s latest security patches without delay.
Notably, SharePoint Online services hosted on Microsoft 365 are not affected by this campaign.
Action Required
Velvot Nigeria Limited urges all clients and IT administrators to assess their SharePoint infrastructure immediately and implement all necessary updates and monitoring practices to reduce exposure.
Staying ahead of evolving threats requires a proactive approach—don’t wait for a breach to act.
Contact Information
For professional cybersecurity assessment and infrastructure support, contact us: GTM@velvot.com
Velvot Nigeria Limited, Lagos State, Nigeria
Website: www.velvot.com