Kaspersky's Global Research and Analysis (GReAT) team has discovered that the newly exploited vulnerabilities in Microsoft's SharePoint ToolShell are due to an incomplete fix for the CVE-2020-1147 vulnerability, which was discovered in 2020.

This discovery highlights the ongoing nature of cyber threats and the challenges organizations face in securing their systems.

SharePoint vulnerabilities have
emerged as a major cybersecurity threat this year, with attackers actively exploiting them, and Kaspersky Security Network (KSN) has monitored exploits around the world, including Egypt, Jordan, Russia, Vietnam and Zambia.

These attacks target enterprises in vital sectors such as government, finance, and manufacturing, as well as the forestry and agriculture sectors. Kaspersky security solutions proactively detect and prevent ToolShell attacks before vulnerabilities are publicly exposed, confirming the effectiveness of protecting them.

Similarities to previous vulnerabilities:

Kaspersky researchers analyzed the published exploit code for the ToolShell and found a striking similarity to the exploitation of the vulnerability (CVE-2020-1147), which appeared in 2020. This similarity suggests that the latest security update (CVE-2025-53770) represents an effective solution to the vulnerability that was supposed to be addressed five years ago, showing that the initial fix was incomplete.

A link between the vulnerabilities was discovered after the discovery of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were fixed on July 8. However, these fixes could be easily bypassed by adding a single slash (/) to the payload used in the attack.