Kaspersky’s Global Research and Analysis Team (GReAT) has traced recent ToolShell vulnerabilities in Microsoft SharePoint to an incomplete fix from 2020.

The cybersecurity company said the exploited vulnerabilities stem from CVE-2020-1147, a flaw first reported five years ago. The issue resurfaced this year as a serious threat, with active exploitation detected globally.

According to Kaspersky Security Network, attackers targeted organizations in countries including Egypt, Jordan, Russia, Vietnam, and Zambia. Affected sectors range from government and finance to manufacturing, forestry, and agriculture. Kaspersky said its tools detected and blocked ToolShell attacks even before the vulnerabilities were publicly known.

Researchers from Kaspersky GReAT found strong similarities between the ToolShell exploit and the CVE-2020-1147 exploit. This suggests that the fix for CVE-2025-53770, released this year, effectively addresses the same flaw that was not fully resolved in 2020.

“Many high-profile vulnerabilities remain actively exploited years after discovery — ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today,” said Boris Larin, principal security researcher at Kaspersky GReAT. “We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit will soon appear in popular penetration testing tools, ensuring prolonged use by attackers.”

The link to the older flaw became clearer after the discovery of two vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which Microsoft patched on July 8. However, Kaspersky found that attackers could bypass these fixes by simply adding a forward slash in the exploit payload.
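The forward-slash bypass described above is a classic symptom of a fix that matches the request path literally instead of on its canonical form. The following is an added example, not code from Kaspersky, Microsoft, or the original article: a tiny request-path filter of the kind a detection rule or web application firewall might use, shown once with a literal comparison and once with canonicalization applied first. The endpoint name and the sample request lines are constructed placeholders, not the real SharePoint path involved in ToolShell.

```python
import re
from urllib.parse import unquote

# Constructed placeholder: an endpoint the filter is meant to protect.
# It is not the real SharePoint path involved in ToolShell.
SENSITIVE_PATH = "/example/admin-page.aspx"


def literal_match(request_path: str) -> bool:
    """Naive rule: flags a request only when the path is byte-for-byte equal.

    A single extra slash, a '.' segment, or percent-encoding slips past it,
    even though the server resolves all of these to the same resource.
    """
    return request_path == SENSITIVE_PATH


def canonicalize(request_path: str) -> str:
    """Reduce a URL path to the form the server would actually resolve.

    Steps: decode percent-encoding, collapse repeated slashes, drop '.'
    segments, resolve '..', and lowercase (SharePoint paths are case-
    insensitive). A real filter must mirror the target server's own
    normalization exactly; any mismatch leaves a bypass.
    """
    path = unquote(request_path)
    path = re.sub(r"/+", "/", path)
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts).lower()


def canonical_match(request_path: str) -> bool:
    """Hardened rule: compare canonical forms, so path variants cannot evade it."""
    return canonicalize(request_path) == SENSITIVE_PATH.lower()


# Constructed sample request paths: the second and third are variants of
# the first that a literal comparison treats as unrelated.
SAMPLE_REQUESTS = [
    "/example/admin-page.aspx",
    "/example//admin-page.aspx",
    "/example/./admin-page.aspx",
    "/example/other.aspx",
]


def evaluate(requests):
    """Return {path: (literal_rule_hit, canonical_rule_hit)} for each request."""
    return {r: (literal_match(r), canonical_match(r)) for r in requests}


if __name__ == "__main__":
    for path, (literal, canonical) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{path:32} literal={literal!s:5} canonical={canonical}")
```

Running the block shows the literal rule catching only the exact string while the canonicalized rule catches every variant and still ignores the unrelated path. The lesson for patch review is the same one this incident illustrates: a mitigation that keys on an exact request string is only as strong as the normalization that precedes it.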

Once Microsoft became aware of the ongoing attacks, it issued comprehensive patches and reclassified the vulnerabilities as CVE-2025-53770 and CVE-2025-53771. A spike in attacks on SharePoint servers occurred in the gap between the first patches and the full fix.

Although updated patches are now available, Kaspersky warned that attackers are likely to continue exploiting the vulnerability chain for years.
